IEEE Digital Privacy Podcast Series: Episode 10

 

A Conversation with Sreedhar Rao
Co-Founder, Yantrie LLC

Listen to Episode 10 (MP3, 28 MB)

 

Part of the IEEE Digital Privacy Podcast Series

 

Episode Transcript:

Brian Walker: Welcome to the IEEE Digital Privacy Podcast series, an IEEE Digital Studio Production. This podcast series features conversations with industry and academic leaders, as well as key stakeholders of digital privacy, in order to help advance solutions that support the privacy needs of individuals. In this episode, we speak with Sreedhar Rao, an IEEE member specializing in digital privacy, and a key architect of the IEEE Digital Privacy Model (DPM). Sreedhar shares his insights on the beginning of the model and how it can focus privacy expectations and influences on the individual. So, Sreedhar, thank you for taking time to contribute to the podcast series. To get started, can you introduce yourself and tell me a little bit about your background?

Sreedhar Rao: Thank you, Brian. This is a great opportunity to speak with you. I have more than 15 years of experience working in the telecom space, supporting and building networks and applications for the telecom operators like Verizons of the world. In doing so, I've kind of helped build the 2G infrastructure, the 3G infrastructure, and the evolution towards 4G. These days, I work a lot with operators trying to help them move their infrastructure to 5G and use cloud-native applications along the way. As I worked through my telecom days, I have used data across the entire telco infrastructure and helped operators monetize that data, and then also helped them launch new products and services throughout the multiple interactions that I've had in the telco space. With that said, my interest has also been to try and figure out how operators use the data and what are the boundary conditions under which they can use the data to support their own business operations.

Brian Walker: Right, so that kind of leads into how you got involved with digital privacy?

Sreedhar Rao: Ah, in terms of where I got interested in privacy, and then why I think the specific way in which we are approaching privacy within the IEEE Digital Privacy Initiative is of interest to me, right? So, when I was working with my master's on cybersecurity and policy, one of the things that I got interested in is understanding privacy. We were talking cyber security, but privacy became a major topic within the coursework that I was working on. As I went through my coursework, and as I went through some of the writings that I was working through my graduate program, what I found is that too often privacy is being discussed purely from an organizational point of view. As I looked at that, my main thought process was “What happens to the individual? What happened to the individual?” Because privacy was an individual concern which was recognized by the legal community, which was recognized in various ways earlier. But as we got into the digital space, privacy became more a conversation about organizations and how organizations can manage their risk in terms of the data that they collect, and in terms of the data that they inadvertently expose when things go wrong. But I did not see any kind of conversation in terms of how the individual gets any kind of say in the decision-making process along the way, which, with respect to data, that potentially impacts the individual the most. That's how most of my writings ended up taking the risk management principles that were applied to the organizations, and in my graduate courses, every opportunity I got I was actually doing the reverse engineering, so to speak. I was applying the risk management to the individual. What happens if the risk management tools were applied by an individual to themselves, and then what does that tell us? 
Very quickly I found out that it is a useful way of looking at it from an individual perspective, but it misses a big picture in terms of exactly what the individual can and cannot do within the privacy world.

Brian Walker: I understand that the Digital Privacy Initiative has introduced a new digital privacy model, sometimes referred to as the DPM. Can you tell our listeners what the genesis was for creating the DPM?

Sreedhar Rao: So, when we started the Digital Privacy Initiative, I was talking to the IEEE members, and one of the things that I noticed is that the IEEE Digital Privacy Initiative was specifically focused on the individual perspective. I was very excited to hear that it wasn't just me, there was a large community of privacy professionals, technology professionals, including academicians, who were all looking at the individual perspective and trying to figure out how do we get the individual into a privacy conversation so that it's not always about the organizations? So, that's how I got started with the Digital Privacy Initiative, and as we looked at the individual perspective, it was becoming very clear that every organization, every standards body, even the academicians and the legal community, everybody had a different starting point with respect to what an individual's privacy means. When we looked at that, we were basically looking at saying “Okay, how do we get a common language? How do we get a common starting point so that all these different aspects of privacy we can have a universal way of expressing that?” So, that's how we got started on if I take an individual perspective, what is that universal view? What should we start with? We kind of started with a clean sheet to say “Let's forget about everything that exists in the privacy domain today. Let's forget about all the legislative and all the principles that we have within the privacy initiative today. If we wanted to start with a clean sheet, where do we start with?” That's how we got started with our privacy model. There are several different things that happened, but basically that was our genesis in terms of why we think that the Digital Privacy Model is a good way of creating that common language.

Brian Walker: Sreedhar, can you give our listeners an understanding of what you mean by “Expectations of privacy,” as it's used in the DPM?

Sreedhar Rao: So, when we took the Digital Privacy from an individual perspective, we wanted to basically take an individual's view. Where does the individual start with when it comes to their privacy? What we found is that regardless of who the individuals are, regardless of what part of the world they are, every individual operates within a society, within their culture, and each of these societies and cultures, they all inform the individual in terms of their potential privacy, right? So, what we looked at is that there is a basic expectation of privacy from individuals. So, regardless of where the individual is in their life, regardless of what region of the world they reside in, what we kind of agreed was that there is always an inherent privacy expectation that the individuals have as they conduct anything within their economic or social circles. So, we started with the expectation of privacy, and we wanted to actually get a kind of understanding of how we create that expectation of privacy, and how do we create the nomenclature that will allow us to express that expectation in a unique way so that technology teams, the legal teams, and even implementation, or even the individuals themselves, can understand it in simple terms.

Brian Walker: Can you tell us about the two-tiered approach that's been taken in creating the DPM?

Sreedhar Rao: So, we started with the expectation of privacy. So, this is where the two tiers start, right? So, we had the expectation of privacy, which is a pure individual perspective. You start with that individual's expectation and then you kind of have influencers on top of that expectation. So, our starting point was basically that expectation. That's the two-tier; you have the expectation of privacy, and then you have the influencers on privacy.

Brian Walker: So, Sreedhar, clearly there's lots of elements related to the Digital Privacy Model, or the DPM. Can you help break it down for our listeners?

Sreedhar Rao: Yeah. So, let's take the individual perspective, right? So, when we talk about the expectation of privacy, we ended up actually breaking that down into six characteristics. So, these characteristics are basically-- have two parts to that. The first part is the kind of information, the kind of data that an individual always has in terms of any transaction or any interaction that they have within a digital space, right? So, if we take that approach, then the first part is consisting of what we call the identities. This is any kind of identity that the individual may have, whether it is a government issued identity, or a digitally generated identity within an ecosystem. Then you have the behaviors. An individual performs different actions both in an economic or a social situation, and so you have the data associated with the behavioral aspects of an individual within that environment. Then you have the inferences. Inferences became important because as we add more tools that are doing machine learning, as we add generative AI technology into the digital ecosystems, there are a lot of learnings that are being done autonomously, and that actually creates inferences about an individual, which then also becomes a data point that can be used to do various things within the digital environment. So, inferences, and then lastly, the transactions, which is basically anything that the individual does, right? They might make a payment, they might actually make a purchase somewhere, they might actually go physically from point A to point B. These are all data points that are specific transactions that the individual conducts within any environment, both physical and virtual, right? So, these four characteristics, the identities, the behaviors, the inferences, and the transactions, these are the four fundamental aspects of information about an individual.
On top of that, what we are seeing is that expectation of privacy basically means that these four data points, these four information elements, or these four information characteristics about an individual in any environment, the individual always has an expectation that the confidentiality and integrity of all these data points are maintained by whoever has this data or has access to this data. We also see that the individual has an expectation that the access and observability of that data is available to the individual, which means that the individual has some way of accessing that data, and then some way of observing that data in terms of what's happening with that data, who's using it, when and why. So, the combination of the four types of information, and then the confidentiality, integrity, and access and observability, these form the expectation of privacy. So, if you look at it, an individual basically has that inherent expectation, and this then can be used both from an individual perspective to say what level of confidentiality I want to maintain on certain types of data. What kind of access I want for that data. What kind of observability I'm willing to have, or willing to give away if I don't want to have that. What kind of integrity needs to be maintained? Now, so these are expectations from your individual perspective, but from an organization perspective, you can also use the same expectations to now say “How do I maintain confidentiality, integrity of all the data aspects, all the information aspects about the individual that I might have in my possession? What are the access and observability rules that I can provide? What are the tools that I can use and what are the technologies I can use to support that confidentiality, integrity, or access and observability of all these data elements?
How do I store them?” So, these are the ways that technology teams and product teams can then use this model to inform themselves in terms of what they need to do in order to protect that data. Somewhere along the way there is going to be a match in terms of what the individual wants versus what the organization can provide, and then that has the ability to support the expectation that the individual wants.

Brian Walker: It sounds like there's a lot of moving parts. So, I think at this point I would like to point out to the listeners that there is a good graphical representation of what you're speaking to. So, if any of the listeners go to digitalprivacy.IEEE.org, you can download the model itself, and I think you can follow along more closely with the discussion here. Can you tell us more about other influences on the expectations of privacy, particularly those that are discussed in the model?

Sreedhar Rao: Along with the expectation of privacy, one of the things that we also bring into the model is the concept of the influences on privacy. Because we believe that just because an individual has that expectation doesn't mean that that expectation is going to be met within the environment in which the individual is operating, within the specific conditions under which that expectation is being captured, right? So, there are influences that then determine the extent to which these expectations are going to get met, right? So, these influences are the technical influences. Then we have the regulatory influences, then we have the economic influences, then we have the legal influences, then we have the legislative influences, and then the individuals themselves. This is individuals themselves, are having their own influences on that expectation that they have. Finally, we have the society and the cultural influences. So, when we bring all of these things together, then we can say “Okay, this is your expectation. These are the influences that push and pull that expectation in different ways.” Ultimately, you finally have a set of privacy that you are able to meet, where the individual and the influences come together and then create that space where the individual can conduct their transactions, conduct their operations, and then organizations can do their business in an environment where everybody has a clear understanding of what the privacy needs are.

Brian Walker: So, Sreedhar, what are your thoughts on how this model will be utilized by stakeholders and the privacy community in general?

Sreedhar Rao: This model can actually create a talking point. This model can actually bring the diverse groups of communities, the diverse groups of thought leaders, and we have a common starting point to create a privacy environment where the individual's expectations are the center point, but then we wrap that with these influences to say “What is that expectation? How much of that expectation can be met?” And then “What are the boundary conditions under which certain expectations may or may not be met?” So, there are different ways of looking at this, but we believe that this model allows all the groups to come to the table and start a conversation. Now, with this model, you're not going to miss anything, right? There are several different things. Privacy is not just security, privacy is not just legal compliance, privacy is not just legislative compliance. It's a mixture of all of these things, and how do they come together is what we are doing in this visual representation we call the Digital Privacy Model. We believe that this allows the larger community to have a common starting point so that everybody has the same picture in terms of what needs to be done, how we do it, or what are the conditions under which this can be done.

Brian Walker: Great. So, I think we've got a good overview here, and I'm sure that we'll probably do some follow-on podcast related to the Digital Privacy Model. In closing, do you have any final thoughts you'd like to share with our listenership?

Sreedhar Rao: Yeah. I am very excited. This was a conversation that we had with multiple privacy professionals around the world. So, this is definitely a work in progress. But it is very exciting to see that we have a way to bring the individual into the privacy conversation, which we all agree is missing in current privacy discussions around the world. So, hopefully the Digital Privacy Model will be a starting point for us to start building privacy solutions from a different point of view, which takes the individual as the focus, and then we branch out to what the industry needs to do, what the organizations need to do, and then how do we bring that individual element into all these privacy conversations. So, I'm pretty excited. I hope the community finds it useful. There is, of course, a lot of work to be done because we have to figure out additional details in terms of exactly how the model will apply to different conditions, and how the model will apply to different vertical organizations. So, all of these things are part of our Digital Privacy Initiative. Within our subgroups we are starting a multitude of conversations with the DPM as a starting point, and then we are looking at different applications and different use cases where we can use DPM to create a more individual-focused privacy environment.

Brian Walker: Thank you for listening to our interview with Sreedhar Rao. To learn more about the IEEE Digital Privacy Initiative, please visit our web portal at digitalprivacy.ieee.org.