IEEE Digital Privacy Podcast Series: Episode 4

 

A Conversation with Janelle Hsia
President, Privacy SWAN Consulting

Listen to Episode 4 (MP3, 14 MB)

 

Part of the IEEE Digital Privacy Podcast Series

 

Episode Transcript:

Brian Walker: Welcome to the IEEE Digital Privacy Podcast Series, an IEEE Digital Studio Production. This podcast series features conversations with industry and academic leaders as well as key stakeholders of digital privacy, in order to help advance solutions and support the privacy needs of individuals. In this episode we're joined by Janelle Hsia, President and Founder of Privacy SWAN Consulting and a member of the Standards sub-group within the IEEE Digital Privacy Initiative. Janelle shares her insights on integrating privacy and security with technology to advance the digital privacy space. Janelle, thank you for taking time to speak with us today. To get started can you share a little detail on your background?

Janelle Hsia: Yeah, absolutely. Thank you, Brian, and I want to thank the IEEE Digital Privacy community for having me on the podcast. I'm very excited to be here. So a little bit about my background, I've been implementing IT systems since the 1990s and I come to privacy from a technical and security background. So, I'm not a lawyer, so I usually bring a different perspective to the privacy conversation, and I'm interested in integrating privacy with security and technology to help companies operationalize their privacy requirements. I don't think that privacy and security silos are very helpful, and my passion is really around privacy and data protection training and awareness, specifically for security and technical engineers.

Brian Walker: So, Janelle, at a high level how would you define digital privacy?

Janelle Hsia: Before we define digital privacy, I think we have to talk about whose data it is, because I think sometimes engineers jump right into defining the solution in the system and forget about the people whose data we're using. So we need to make sure that we remember that systems contain data about people, not just personal data, and I strongly encourage engineers to think about how their mothers would feel about this, or their spouses or their friends, and would they want their data used in this way, and then after we do that then we can define digital privacy, and so my definition of digital privacy really relates to the personal data collected by the organizations and the use and processing of that personal data. So, the organizations are the only ones who know exactly what data they're collecting and how they're going to be using our personal data and they have the power to do with it what they want, and right now there's not a lot of laws especially in the United States that prohibit companies from using personal data however they want to use it. So individuals do not understand how their personal data is being used and options for control for us is very limited, which puts organizations in control of individuals.

Brian Walker: We hear a lot about privacy versus security, what are your thoughts on those themes?

Janelle Hsia: Privacy can be achieved without security, and I think a lot of my security friends don't like to hear that. But the way that we do that is by not collecting the data to begin with, right? We have a choice whether or not we're going to collect somebody's email address or their home address or their precise geolocation, so if we don't collect it we don't have to secure it. So I think that's one of the like mind-blowing things that sometimes comes up when I talk about this. The other thing is that security is about keeping information from getting into the hands of the wrong people, whether it's internal disgruntled employees or those external bad guys, those hackers that we talk about, and security is always from the company's perspective, right? We talk about the data that big tech have lost, right, because it wasn't secure, and generally security doesn't care about the data that they're protecting, they just want to make sure that that CIA (confidentiality, integrity and availability) is maintained. But with privacy we look at it from the person's perspective and how can people trust us, those companies, with their data. So with privacy I look at the data first and then I decide what security controls I want to implement.

Brian Walker: Janelle, how do you think we can best achieve digital privacy solutions?

Janelle Hsia: I think we need to keep using technology to solve the privacy problems, and what I mean by that is we need to look at minimizing the data that we collect. As I just mentioned, if you don't collect it, you don't have to protect it. But in addition to not collecting it, there's a lot of other techniques that we can do to help preserve privacy in the systems so we can de-identify the data, we can select specific pieces of data, or we can maybe separate the data so it's less linkable to a specific person, and we can architect our system with privacy in mind at the beginning so that we have put privacy baked in, that privacy by design concept that everybody talks about. But there's really good strategies and tactics, there's the Hoepman strategies that has come up with the four strategies and subsequent tactics to help architect solutions and secure solutions and systems with privacy in mind, and then after we've done this great job from a technical perspective, we can make sure that we are supervising them and making sure that companies have good monitoring and logging and good policies and procedures and encryption and good access controls, and then after all of that, we can make sure that people are aware, right? We give them the knowledge of the data the company is collecting, how they're processing it, and then we give them control. I think most people have heard about those data subject rights, so we give them control of their data.

Brian Walker: What are some of the key challenges facing digital privacy?

Janelle Hsia: Yeah, I think for me the biggest, there's two, the biggest one is just awareness for both engineers and the general public. I think engineers can't solve a problem that they don't know exists, and a lot of times when I do my training and awareness, or I do podcasts like this, it is about making sure that the engineers know that they have other choices in how they construct their systems and that they can actually put privacy in without the tradeoff of usability. I think sometimes organizations are afraid to talk to privacy professionals because they don't want us to say you can't do that or you shouldn't do that. But that's not how it works. We try and help organizations still utilize the data that they need, but we just look at it differently, we sometimes ask different questions.

Brian Walker: So, Janelle, how do you see the IEEE Digital Privacy Initiative helping to advance the technology space?

Janelle Hsia: Yeah, I think again it is education of the engineers, and back in March 2021 I was a contributing editor to one of the white papers for the digital privacy and we talked about creating standards so that we are all speaking the same language and also really using what's called privacy enhancing technology, PETs. I actually did a presentation on that a couple of years ago trying to make sure that the engineering community knew that there was these tools that you can use to embed privacy into the systems. So, we have things like differential privacy, we have homomorphic encryption, secure multiparty computation, and zero-knowledge proofs. So there's these technical solutions that the engineering community needs to be aware of, and even though some of them are definitely in their infancy, we have companies on the cutting edge that are starting to implement them and we're really starting to see how we can continue to use personal data but do it in a more privacy preserving way so that the data isn't necessarily linked back to the individual or that the system is collecting data in a way that the individual would expect the data to be collected and used. So, I really think that's how the Digital Privacy Initiative can help is creating those standards and providing education around a lot of the technical solutions that are available to them. I feel like that a lot of the engineers I talk to, they're not even aware that there's these additional tools that they can implement.

Brian Walker: Janelle, I wanted to thank you again for participating in the IEEE Digital Privacy Podcast Series. Do you have any final thoughts to share with our listeners?

Janelle Hsia: Yeah, I think the biggest thing is if you see something you say something, and I think once you're aware of how to protect personal data you really can't unknow that, right? So a lot of the things that I've talked about, if you learn how to architect a solution by minimizing the data that you collect or by selecting just specific pieces of data and making sure that it's properly secured and that you have good access controls, once you've learned these things, it's really about embedding them into your solution, and then it's also about learning some of the harms that can happen with some of the personal data if it's used in ways that it shouldn't be used, and once you kind of know some of the harms that can happen, again you're more aware of it and so you can hopefully stand up and do something about that.

Brian Walker: Thank you for listening to our interview with Janelle Hsia. To learn more about the IEEE Digital Privacy Initiative please visit our web portal at digitalprivacy.ieee.org.