The Importance of Privacy and Security in Product Design
Chris Handman is the Co-founder and COO of TerraTrue, a data privacy platform and management software. He was previously the General Counsel at Snap, where he built the company’s legal compliance, public policy, and law enforcement team while also developing a transformative privacy program. Chris is a Homeland Security Project Fellow at Harvard’s Belfer Center for Science and International Affairs.
Jad Boutros is the Co-founder and CEO of TerraTrue. As a leader in security, privacy, spam, and abuse, he spent nine years on Google’s information security team, leading security for social products. Before founding TerraTrue, Jad was the Chief Security Officer at Snap, where he managed an organization of 100 engineers. He has 21 years of technical experience, 16 of which are in the privacy and security space.
Here’s a glimpse of what you’ll learn:
- Chris Handman and Jad Boutros’ career background and how they created TerraTrue
- What privacy challenges do companies face?
- How TerraTrue helps companies integrate privacy into their product designs
- Advice for collaborating with privacy and security teams during product development
- What is shifting left in privacy?
- Chris addresses the possibility of federal privacy law
- Chris and Jad share their best privacy and security tip
In this episode…
During the product development stage, organizations often only consider privacy and security from a compliance perspective, and as a result, neglect potential risks. So, how can you collaborate with internal teams to prioritize these concerns and ensure a seamless product design?
Chris Handman and Jad Boutros believe privacy and security should be incorporated into company culture to disseminate information and encourage diverse ideas. To streamline the process, organizations should acquire a platform that codifies each privacy and security component. TerraTrue is a privacy management software that creates secure workflows to conform to your product design and mitigate threats.
In today’s episode of She Said Privacy/He Said Security, Jodi and Justin Daniels welcome Chris Handman and Jad Boutros of TerraTrue to discuss prioritizing privacy and security. Together, they share the privacy challenges businesses face, how TerraTrue helps companies integrate privacy into their product design, and advice for collaborating with privacy and security teams during product development.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: email@example.com
- Chris Handman on LinkedIn
- Jad Boutros on LinkedIn
- Snap, Inc.
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
You can get a copy of their free guide, “Privacy Resource Pack,” through this link.
You can also learn more about Red Clover Advisors by visiting their website or sending an email to firstname.lastname@example.org.
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:21
I am Jodi Daniels here. I'm the founder and CEO of Red Clover Advisors, a certified women-owned privacy consultancy. I'm a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:35
Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping companies design and implement cyber plans as well as helping them manage and recover from data breaches.
Jodi Daniels 0:52
This episode is brought to you by like at the symbol Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e commerce, media and professional services. In short, we use data privacy to transform the way companies do business. Together, we're creating a future where there's greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. Today is going to be super fun. We have two guests.
Justin Daniels 1:27
But shouldn't we comment that even though it's Thursday, it seems like our time in Montana was decades.
Jodi Daniels 1:33
Oh, yeah, we had a lovely vacation. It seems like 400 years ago, and it really was actually only five days. We need another vacation.
Justin Daniels 1:44
Yes, the first week of school makes for
Jodi Daniels 1:46
It does. To all the parents out there, stay sane. But we're gonna dive into privacy today and talk to some really cool people. So we are talking to the co-founders of TerraTrue. So Chris Handman was the first general counsel at Snap before he co-founded TerraTrue. And at Snap he built the company's legal compliance, public policy, and law enforcement team. And during his time there, he helped transform, or actually develop, a transformative privacy program that coupled rigorous review with tools and systems that were nimble enough not to restrain the relentless pace of execution. Chris is a Homeland Security Project Fellow at Harvard's Belfer Center for Science and International Affairs. And this is a super fun fact: he's constructed not one, but two crossword puzzles that have been published in the New York Times, one of which was featured on The Colbert Report, and he graduated from Yale Law School, my home state actually. And now who are you helping to introduce? Your turn.
Justin Daniels 2:54
Jad is a seasoned leader in software development, security and privacy. He spent nine years on Google's information security team and led security for social products. From there, he became Snap's first chief security officer, creating programs for security, privacy, engineering, and spam and abuse from the ground up. He and Chris partnered to launch TerraTrue. He holds a Bachelor's degree in Computer Engineering from McGill University and a master's in computer science from, have you ever heard of Stanford? I did. But you know what, before we start, I have to ask my co-host. You know that Colbert Report? Who's the guy who did the Colbert Report? Calloway?
Jodi Daniels 3:37
Yeah, go away. Answer go away. That's all I'm giving you. Are you done? For the moment?
Justin Daniels 3:47
Are we ready to dive in, and I'm excited to talk to our guests.
Jodi Daniels 3:50
Okay, so the two of you are gonna have to decide who gets to go first and share the love. But we always like to understand we did give some background to where you all started and how you got to TerraTrue but we like to dive a little bit deeper. So Chris, I'm gonna give you the softball. Can you start and help us understand how your career evolved, from where it started to privacy and finally, founding TerraTrue? Sure.
Chris Handman 4:17
So unlike Jad, I took the less orthodox path into the tech world. I went to law school, as you mentioned. I was initially doing Supreme Court and appellate litigation in Washington DC for years, and among the issues that kind of percolated to that level, increasingly, were privacy issues, whether those are Fourth Amendment issues or emerging questions around kind of novel applications of old laws to new tech, and trying to suss out how companies, and really how policymakers, can think about the new ways in which these antiquated laws, which never anticipated new tech, read onto that. And I think that put me on the map when Snapchat, they still called it Snapchat, in early 2014 was looking for a general counsel to build out their legal team. And I was employee 55 at Snap when I joined. And part of the reason why they were looking for a GC so early in their tenure was because they did land themselves in a few outsize legal difficulties for a company of that size. And I think the most important one was they did get crosswise with the FTC over some privacy pitfalls. And that landed them under a consent decree that lasted 20 years, that was going to require the company, on pain of regular audits, to basically build what we now think of as a privacy by design program, something where they were going to have to demonstrate that they understood, before any feature went out the door, the data that was going to be used and how it was going to be used and where it was going to go, and on and on and on. A process that could be bureaucratic at the best of institutions, but it could be particularly strangling at a company that was accustomed to shipping software at the speed of light and being really innovative. So at that time, there was no privacy software; the only solutions were sort of large consultancies that had playbooks for 10,000-person companies and not suited for your agile modern company.
And fortunately, Jad Boutros, my co-founder now at TerraTrue, had joined maybe a week or a month before I did at Snap to be the first CISO. And we joined forces to literally rewrite the playbook around how privacy can be done, so that we could harmonize the need for that rigor that we were going to have to do, so we didn't get put under existential fines, but also not restrain those kind of animal spirits that were driving Snap to do so many innovative things. And so, together, we did that, and did it so well that the audits went off without a hitch and with efficiencies, but teams came to praise it, the product and development teams. And so we saw from there, after the Snap IPO, we both left shortly after, an opportunity to really build a platform that no one had done before and take advantage of our unique experiences there. And so I'll let Jad say more about what we ended up doing. But TerraTrue is really the natural consequence of those unique experiences we had at Snap, and how we understood that what was missing in the market was really that focus on a platform that can unify the way teams build and deploy and understand the risks before those products ever go
Jodi Daniels 7:20
out the door. And love hearing people's stories. I say it every single podcast because I think it's so cool, how everyone just kind of evolves and moves with the different opportunities. Jad, we'd love to hear a little bit about your story and how and what you were doing before you found your way to snap.
Jad Boutros 7:38
Absolutely. First, it's great to be on your podcast, super excited to talk about privacy and security. And also, as I just mentioned to you earlier, it's the first time that Chris and I are on the same podcast, so we're excited about that as well. You know, I studied engineering. And I started my career developing, first, on very, very large mainframe systems for cellular telephony, cellular databases, and then sort of found my way into security when I worked at a startup that was delivering services that were very security sensitive. So they stored all end users' passwords across all sorts of different sites, just to be able to pull in the data for you and show it to you in one single place. And as a result of that sensitivity around storing passwords, social security numbers and other information, they recognized that they needed to focus more and more on security. And I sort of got into that space, developing defenses against security problems and protecting data better. And from there, I was able to get to Google and joined the security team there in about 2004, when the security team was still very, very small, under 10 engineers working on security. And as a result of that, I had the chance to co-found the InfoSec team at Google that was tasked with building defenses for security across all of Google's codebase, but also conducting reviews at scale for security to help all the products launch safely without any problems. I got involved a lot with M&A work on security, vendor reviews, penetration testing, those sorts of things. Which I guess I was lucky, because I sort of joined before that field exploded as much as it currently has. And so I had the chance to take on a number of different roles.
And from there, I took on more leadership roles, became responsible for building security for all the new social products at Google and how they integrated with the rest of Google. And one day, in a similar story to Chris's, Snapchat was in the news for a security issue. And they recognized that it was time to start building a strong security program. And I left Google to join Snap, and literally started from scratch a security program across all the dimensions of security, but also privacy, engineering, and spam and abuse. I sort of built organizations for these over a number of years, grew to over 100, and worked very closely with Chris, as he said, on privacy. And then when it was time to leave, sort of after the IPO, I started to think about what's next for me. And I interviewed at a number of companies to do a similar CISO role. And I realized a lot of companies are still struggling with security and privacy; there is a lot of work to do just to get them to a level that feels comfortable, that feels right, by users, by employees, by everyone. And I decided instead to tackle the problem in a different way and sort of start a company that helps make security and privacy easier to integrate into the way you develop and build software, so that a lot of other companies can leverage that thinking, that approach, and get the tooling that they need, so that they don't feel that starting in those spaces is as hard as it's been for us at Snap and other places. And we've been very, very excited sort of taking a novel approach to how to integrate privacy and security better into the way you build products, giving organizations much higher ROI, enabling the business to innovate in a faster way, but also do that more safely, with a much better understanding of privacy and security. And we've been very, very excited continuing to work on that. So very happy to be in those fields.
Jodi Daniels 12:08
Well, there's no shortage of companies who are still getting started, I see it every day, we have a long way to go.
Justin Daniels 12:18
Let's dive in. So the base level thought, what are the privacy challenges that you see companies facing today? Now we have a proliferation of what we have five state laws, data privacy, us, our friends at GDPR? What are these challenges they have?
Jad Boutros 12:39
You know, I'll start first and then add Chris's thoughts as well. You know, the privacy field is growing significantly. It's still somewhat young, certainly when you compare it to the security field, which has had a chance over decades now to mature and become more integrated into the way organizations function and innovate and execute. There are a lot of challenges with, as you said, new laws, new requirements on enterprises. But really, to me, it boils down to a few core aspects. One of them is, because this field has been growing so fast and so quickly, privacy experts are in high demand, whether those are privacy lawyers, who are helping organizations understand their requirements under all these growing privacy laws and pushing towards complying and addressing those considerations in the way they develop, or privacy engineers, who are building defenses in products, in the codebase, to mitigate a lot of the different risks. All these fields are in high demand, which really means that organizations tend to understaff those teams, and those teams are constantly overwhelmed. And it's not because they want it to be this way; it's just very difficult to hire, very, very expensive to do that. And as a result of that, organizations face difficult choices: either they have to sort of lower the bar in a number of cases, or they have to slow down just to incorporate all the privacy reviews and privacy considerations into what they're building. And that context is very frustrating to organizations, feeling that they're not able to move at the speed that they want to and do so reliably and confidently and safely. And it's a challenge that's going to persist. We've seen it in security as those fields have evolved, and now we're seeing it in privacy.
And this is why we're also super excited about helping organizations tackle privacy better, more gracefully, more meaningfully, with fewer resources, more consistency and more automation, so that they can focus better on the risks that are important to them and still maintain that rate of innovation and rate of execution. The other aspect is, and we see this in smaller companies more than anywhere else, there is that will to do right by privacy, but they don't know how to get started. And it's overwhelming; that field has grown so much, the number of things you have to think about has grown so significantly, that it is daunting to know where to even start. And we've seen that through previous employments where we were doing M&A audits, and we realized that organizations are struggling: what they say in terms of privacy doesn't necessarily match what they actually do. They're overwhelmed. They don't know what's the first thing they should do to raise the bar. And those are a lot of the inspirations that helped us think about how TerraTrue can provide better value and achieve better internet safety and privacy for all organizations and, as a result of that, their end users. I'll also hand it over to Chris to see what he'd like to add to that.
Chris Handman 16:14
Yeah, I mean, I think Jad nailed a lot of the core dimensions. I think the gloss that I come out with on that question is, you look at these laws, in addition to just the complexity that emerges any time you have this kind of balkanized legal framework of different states coming down, is really, if you look at the substance, what that is driving companies to have to do, practically. And that is a sudden reversal of the way companies have historically thought of data and privacy. Right up until just a few years ago, privacy was really just, like, draft as broad a privacy policy as you possibly can, get consumers to click an accept button, and then you're off to the races. And there was a bit of an open season on user data, and now what these laws are increasingly forcing companies to do is to think about prescriptive standards that they have to address with respect to specific types of data, sensitive types of data, sensitive uses of data, things that are forcing them to necessarily think about the footprint and the risk profile of the features before they ship those products out the door. And that, I think, is the fundamental mindset that these laws are seeking at a macro level. And that's the thing we've been, again, I think, in this happy position to take advantage of. Because as companies increasingly feel this drive to understand from their development teams and their product teams, what do you plan to do with this data, because we need to understand this and you guys need to understand the rationale, we want to help you shape and make great user experiences in ways that are going to satisfy not just the letter of these laws, but also the broader spirit that we're starting to see in this kind of broader privacy zeitgeist right now. That is something that is a unique challenge for companies as they begin to develop their products.
And that I think, is one of the most important ways and that we've been a kind of witness to it firsthand.
Jodi Daniels 18:10
So as we've been talking about, and you alluded to, it's not just a legal issue. It's not one legal departments job to go solve for privacy and read a lot and figure out what to do. Can you share in more detail? How does TerraTrue help bring together all of these different teams to help understand what to do and make it more manageable?
Chris Handman 18:32
Sure, I mean, again, in the spirit of equity, I'll go ahead and kick this one off, and I know Jad will have more, since he's the product genius. So the way we approached this is we think about privacy as posing a number of different challenges for an organization. As you said, if you think of privacy as this kind of siloed compliance function that sits off in the corner and is consulted at the whim of your teams, you're never going to really get privacy right. So our theory is that privacy has to be woven into the fabric of that product development lifecycle. Which means you need to develop a platform that can harmonize all the different constituencies in ways that feel like a natural extension of the way they work, not imposing on efficiency-minded engineers and product persons the sense that they're going to have to jump through 16 different hoops just to satisfy the bow tie-wearing compliance folks in the legal team. You have to have something that is a graceful extension. And I think this gets back to the experience we had at Snap, where again, I personally probably would have been fired if I'd come up with a heavy-handed system that slowed down the way they had to develop. What we had to come up with, by necessity, was something that was going to work for them. And so what TerraTrue does is start with that premise of, let's have a platform that can gracefully pull into TerraTrue, as a single source of truth, the real work that your teams are already doing. So often teams are working inside of JIRA, for example. We have a very robust integration that can, with different sorts of rules, identify the types of initiatives in JIRA that warrant a review in privacy or warrant a review in security, and then trigger all sorts of different smart workflows that will be tailored to whatever you are happy to build.
And so without interrupting the way those teams work, and they just continue to file their tickets, we can make sure that the work that needs to be occurring downstream is being done. And then those teams can work with the privacy teams, security teams, and others inside of TerraTrue, do their analysis, and have a two-way sync back with those teams. And so what we're really trying to do is create a hub where the work of product development and product review can all take place in one seamless ecosystem, and ensure that that work is a natural extension of the way product feels, that privacy should be a part of the product design at the heart of it. And that is what we're really trying to do.
Justin Daniels 21:03
We're going to add something Oh, because I have a follow up specifically for you Jad. Oh, there are other figures.
Jad Boutros 21:15
That was said perfectly. I'll just add in my two cents, and then, Justin, get your question. Ultimately, one of the key tenets of a strong privacy program is privacy by design, this notion that privacy experts are reviewing what features and products you're developing, and helping the organization understand the risks and defend against those risks. And if you think of privacy as a pure compliance function, you're not able to be connected with what developers and product teams are doing; you're not able to review things before they launch. And at TerraTrue we fundamentally believe that privacy should be part of the culture of the organization, should be collaborative, should involve different stakeholders and approaches and thoughts and dialogue, so that the organization can come up with the most intelligent way to mitigate risks before they launch new features. And so when you want to start being involved in conducting these reviews, the first step is, what is the overhead? What is the friction involved? Because no matter how well intended different teams are, there is always friction in starting this program and maintaining it. How do you communicate what you're working on? How do you wait for privacy experts to give you feedback? How do you get them to understand what you've already reviewed previously, what is new and unique about the features you're doing, so that work isn't duplicated? All of that adds a lot of overhead to an organization. And our goal is to go for win-win situations, situations where developers and product teams get quicker feedback about what they're designing, so they don't waste time developing a solution that doesn't reach the goals that are intended for privacy or security, and a win for those privacy experts, so that they can focus on what is important, the real threats, the new considerations, and quickly ignore everything that was reviewed and approved previously.
And all of that requires agility, requires tools that scale to be able to conduct these reviews at high volume. For instance, at our previous job, one year we had 5,000 privacy reviews. That's not one or two or three. When you're dealing with that scale, you want systems that help you get the information disseminated more quickly, reviewed, understand recommendations, get the best outcomes and best decisions done very, very quickly. And that's what we've been super excited to build at TerraTrue. And with that, Justin, what was your follow-up?
Justin Daniels 24:11
So my question specifically for you is, when we talk about TerraTrue, we've talked a lot about privacy, but it's broader than that. It's both privacy and security. And for the benefit of our audience, I would like it if you could share specifically your thought process when you're creating a product, because when you talk to business people who ultimately make decisions about privacy and security, they still struggle to understand that, well, they are very much related, they are different. But yet you are creating a product that helps companies really build and design software, bringing both of these concepts into the design, not as an afterthought. And I'd just love to get your thoughts about, this is what I want to do, but how do I create a software product that is user friendly, that can handle both of these things, when I'm kind of doing this for an audience who doesn't always understand the contours of privacy and security?
Jad Boutros 25:11
Great, great question. Thank you for that. In fact, one of the things we love about what we built at TerraTrue is that we hear the same story over and over again, and we've experienced that ourselves: developers and product teams want to ship some new feature or new product, they have to go to the security team and say, can you please review this for security concerns, and then they have to separately go to the privacy team and ask them to review for privacy concerns. And what typically happens within organizations is that the way they approach those teams is different. They're using different tools to relate to the security team what they're working on and to collaborate with the security team. And then they're using a completely separate process to connect with the privacy team and get the feedback. And where we often see this, first, it adds a lot of overhead. But more interestingly, often enough, you receive contradictory feedback from the security team and the privacy team, leaving you in a bit of disarray. Which direction should I go? How do I satisfy the needs of both security and privacy? And it's not because those security and privacy teams are doing wrong; it's because they're focused on their area. And they give recommendations that target specifically that area, forcing the developers to take a step back and try to see how they can come up with solutions that address all of these needs. At TerraTrue, we make that a lot simpler and a lot more powerful, because it's one tool that you use to connect with the security team and the privacy team, to collaborate with them on common threads, and come up with solutions that are unified and consistent, and just really remove a lot of the friction and hassle of trying to figure out how to combine different solutions. The way I sort of look at privacy and security, you're absolutely right, they're often two sides of the same coin.
You can't have privacy without security. Security is about how to best protect the way an organization has built its infrastructure, its servers, its applications, and make sure that those can be hacked into, data exfiltrated, and sort of accessed in ways that are unauthorized. And that's a very, very simplified view. But for privacy, it's more about, how do you meet users' expectations? How do you adhere to the different requirements that are there by law? How do you protect the confidentiality of your data and make sure that when you are using user data, you're using it in manners that are consistent with the ways you've advertised and communicated? And so if you don't have security, there's no way you can have privacy, because any organization will be subject to someone accessing their systems, their data, in unauthorized manners, and then they can do anything they want with user data at that point. So you need to have a strong foundation for security to ensure also the privacy of user data. But at the same time, the approaches are very, very different. The work that is entailed for both is different. In security, it's much more often the case that it's black or white, right: you either build systems that are secure against certain threats, or they're not. With privacy, there are a lot more nuances, because it also comes into what are user expectations. And user expectations vary a lot. They vary over time, they vary by that user's background and context and thoughts about how they're using systems, and as a result of that, privacy is also extremely multidisciplinary, and is thinking through those issues in a much more broad lens in a way. And then, to make things more interesting, there is abuse. Fraud and abuse tend to be somewhere also between security and privacy.
Because if your systems can be abused in certain ways, then you also lose that security and that privacy and, and very often it's trying to think about how to reconcile all those different needs together.
Jodi Daniels 29:43
In this conversation, and Chris, you mentioned in our little pre-show, we hear a lot today about shifting left in the privacy space, and not everyone knows what that means. Can you explain what does shift left mean in the privacy world?
Chris Handman 30:00
Sure, so shift left is a metaphor that draws its inspiration from thinking about a continuum of a lifecycle of a product. So on the far left of that continuum, we can imagine the germ of good ideas when they first start to take root. And as you go right, excuse me, the product starts to develop, people start to spec out their details, start to code. And eventually, on the far right, you deploy those products. And traditionally, privacy has occupied this almost off-the-chart right. It's been a siloed function, consulted rarely, if at all, before these features go out the door. And it's an inherently reactive position, of course. And getting back to a question that Justin asked, as I said, I think these laws are forcing companies, as a matter of both the substantive letter but also the spirit, to shift left, to get privacy further entrenched into that development period. So that as developers and product people start to contemplate the boundaries of what they want to do with a new feature, the concepts around, okay, this is data that is going to pose a particular sensitivity, this is a use of data that is going to be unanticipated by our users, or the combination of any of these factors is going to pose greater challenges than we need, or do we even need all this data that you want to collect, can we accomplish the goals of this feature with 50% of the data you've thrown in here; even just beginning to have those conversations, thinking about the data, is itself a win in the way you think about product. And so the shift left movement, when it comes to privacy, is really taking what security did decades earlier, which was to move the security testing into that fabric of the lifecycle. And now privacy is a little late to that game. But this is where we see companies increasingly trying to mature into, and where the biggest challenge they face, though, is again a lack of tooling.
It's one thing to say you want to shift left. And so one thing to say, hey, as a matter of first principles, privacy, yes, it should be a part of that, that the challenge is the pragmatic, how do you do that? How do you do that in a way where, as Jad mentioned earlier, privacy folks in an organization are often outnumbered 500 to 1, 1,000 to one, when you think about the engineers and product folks, that's a difficult question of scale. And so technology necessarily has to bridge that gap. And then you have to think about ways to mediate between these different teams, which again, work in different tools and work in different disciplines at different paces. And so finding technology that can bridge those gaps, automate the feedback, scale and amplify the voices of privacy and security folks who are going to be outnumbered. This is where TerraTrue tries to make the promise of shift left, or what has often been thought of as privacy by design, into something that's a pragmatic, actual reality and not the kind of just like gauzy ambitions of academics.
Justin Daniels 33:11
I can have the TerraTrue T-shirt that says shift left. Yeah, I would wear that. It's dry fit, I'll wear it on my mountain. But
Chris Handman 33:21
our head of marketing is a big bike guy as well. So he'll listen to this podcast I'm going to tell right now get let's get that out there.
Justin Daniels 33:31
Just I liked it. Further into the development phase, I just say this because I encounter it so often. Privacy and security are an afterthought, we're sitting on a Zoom call, privacy and security were an afterthought until of course, they got whacked under CCPA. But anyway, be that as it may. Now we're going to ask both of you to take out your crystal, your ball and talk to us a little bit about what happens with privacy in the next three to five years. And Chris, given your background, I'd be interested to hear your two cents on the federal privacy law that's percolating around. So I
Chris Handman 34:07
wouldn't have counted myself. Oh, so you may not discount my prognostications. Because, you know, six months ago, if you'd asked me this question, I would have said there's very little chance that privacy will ever become a reality of federal law. And yet, here we are on the cusp of potentially, I doesn't look there'll be in this Congress, but an unprecedented amount of bipartisan agreement, which itself is almost a bit of an anachronism these days. But a broad set of agreements around not just what a federal privacy bill can be. But what I was actually really heartened to see is that there's real substance to this. I think there were a number of people out there who have fear that what a federal privacy bill would end up being is a bit of a toothless diluted type of standard, pre-empting a lot of the great progress state laws of data and the whole process might get co-opted. And I think what we've seen is actually, this federal bill represents probably the most aggressive push in terms of substantive privacy legislation, even beyond GDPR in really meaningful ways. I think sometimes GDPR is obviously a reticulated privacy regulation that can often feel more process than it does about true substance. And I think the federal bill, whether it's the way if it reconceptualized, as the civil rights of certain types of data, creates private rights of action, meaningfully thinks about true limits around the way types of data can be used and way specific data cannot be used barring certain types of explicit consents. There's a real richness to this. And I think there still, of course with Senator Cantwell, remain a few kinks to be ironed out here. But I do think that this is, it's a bit of a one way ratchet. And it's going to be very difficult to imagine a federal bill not kind of delivering on what we've seen here today. Maybe there, of course, might be compromises here and there as they go about, but I think it's been a huge marker.
And so if I had to predict, I would say within the next Congress. I mean, who knows what's going to emerge in the next Congress, I think there's actually a legitimately good shot at at seen some federal bill going. And I think, given what we've seen most again, these are all compromises. And I don't think, of course, no one is going to be perfectly happy with the full range of what this bill is. But I think, given where we've been, this is an incredible opportunity. And so I'm hoping that they will act on this.
Jodi Daniels 36:43
So when you're at a cocktail party, and people ask you, what should I be doing from a privacy and security perspective? What is your best personal privacy tip that you would offer? Jad, why don't you go first?
Jad Boutros 36:59
Great question. It's it, maybe I've become soft more recently, because I found myself a number of times saying, You know what, it's not your fault. And I've really recently had a number of conversations where something bad happened, someone's account on some social media or anywhere else that got hijacked. And as a result of that it started to spew bad information or to be used to target other friends and so on the social graph, and people reach out and they're in panic, and like, what do I do? First thing is, it's not your fault. I think there is a sense of guilt, people understand privacy, people understand security, they try to do the right things, but it starts to feel sometimes overwhelming. And it's a reminder that, you know, bad things do happen, there is some amount of hygiene that you should be thinking about and doing. But also, at the same time, organizations can be doing more to help you protect your accounts in more natural and simple ways. For instance, when you look at all these password complexity requirements, when you want to create an account on a website, they're becoming daunting. And as a result of that it's just very, very difficult for users to do the right things and feel that they're naturally thinking about security and privacy, as opposed to organizations pushing their problems on to end users. So for me, again, with the same spirit that you can't have privacy without security, first thinking about your password reuse, a lot of folks just reuse the same password everywhere. And maybe it's difficult to think about password managers and other things. But at the same time, you have to protect some sensitive accounts differently than you do your average website.
And so at least having separate separate password for those sensitive accounts, including your email, because if your email is compromised, then it leads to pretty much a lot of other compromises of your accounts, keeping skipping software, you know, up to date, particularly your browser, your operating system, on your on all of your devices, your laptops, your phones, those are very basic hygiene, security hygiene steps that you want to take. In addition to that, I what I find the most compelling about privacy is that it's very, very deeply personal, what what you care about in terms of your privacy is very different than what I care about. And so as a result of that, I never never weigh in on anything until sort of, I understand better what you're worried about. And that's, I think, what makes us very passionate about this field and thinking about it more so. Whether you're worried about being thrown act in real life, whether you're worried about how your facial scans are being used at airports, check ins, whether you're worried about sort of social media and what you post there, having anonymous accounts that could be outed, all of those are privacy, the privacy subject, and they're just fascinating.
Chris Handman 40:19
I have to say that whoever was asking Jad about that, and he's telling them, it's not your fault, they must have caught them a few drinks into that cocktail hour, because it's much softer line I've heard Jad ever take on security before.
Jodi Daniels 40:31
Um, Chris, what would be your your, your best personal tip, any any that you would add to what was already shared?
Chris Handman 40:39
I mean, over a cocktail hour, I think the, you know, when it comes to privacy, right, there's an increasing number of settings in our smartphones, that Apple and Google have allowed users to help control their their data. And so I do think my biggest advice is to go ahead and make sure you plumb the depths of all of those options, some are being triggered by default. And some you actually have to affirmatively use, but those are really empowering ways of, of seizing the autonomy, I think we all want I mean, ultimately, what privacy comes down to is autonomy, the ability to control what data you want to share, and how it's going to be shared. And the more we can empower people to flex that autonomy and use the tools that they have at their disposal, the better they can, it can do that. So yes, there's lots that policymakers can do that go beyond the bounds of the cocktail conversation. And so what consumers can do is to really like make sure you are taking advantage of this broader suite of services.
Justin Daniels 41:42
You only mentioned autonomy, we get into issues of self sovereignty and this other technology that God will soon talk about, which is not doing the blockchain. We always like to ask our guests the same by final is, when you're not building this really cool. Privacy software company, what did the two of you like to do for fun, that's not privacy or security related?
Jad Boutros 42:11
I'll start first, I'll just say that my fun thing for the past year has been really planning with my wife, a destination wedding. And sort of this came about, you know, we've all been locked down in this pandemic. And sort of when we knew we wanted to get married, we floated the idea of a destination wedding with a few friends. And they were so excited about just having a reason to travel and change scenery, and it has more overhead, but we worked on it. And it we just got married two weeks ago in Italy. It's been very, very exciting and just changing scenery and seeing something new and traveling. And all of that has been just incredible. And I look forward to the next steps. But that's been my fun outside of work.
Jodi Daniels 43:03
Well, congratulations. That's very exciting. Chris, what about you?
Chris Handman 43:08
So at the outset, you kind of already outed me, I'm a bit of a word nerd. So yes, crossword puzzles, Wordle, things along those lines, the main kind of the, my, my passions outside of the data life, of course, I've now gone one step further and corrupted my own children who are seven and nine and if they have now become condemned, and probably a world of like atomic wedgies from their peers when they get into later schools because they're now word nerds themselves, want to do the word with me. They're there, you know, look forward to like the Times kids section every month, do the kids crossword puzzle. So I think I've gonna have to start with therapy fund really early.
Jodi Daniels 43:53
It's all good. Well, thank you so much to both of you for sharing your vision for privacy and security and helping us understand what TerraTrue is doing in this space to help make it easier for companies. We'll be sure to share all the links to how to connect with you in our show notes as well. So we're grateful for your time today. Thank you so much.
Chris Handman 44:14
It's been my pleasure. Thank you.
Jad Boutros 44:15
Been a real pleasure. Thank you so much.
Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven't already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.