Privacy Chats with Rachel and John

People often wonder if their phone is listening to them when they see advertisements related to things that they recently discussed, but didn’t search on their phone.  Could this be true?  Is your phone listening to you?

On Episode 24 of Privacy Chats with Rachel and John, we look at published findings of other people who have dived into this topic.

Artificial Intelligence continues to move the boundary of hypothetical technologies - such as brain reading devices - closer and closer to reality. How close we are to that boundary today, and where that boundary sits in terms of becoming a threat to privacy and civil liberties, remains a subject of debate. On Episode 23 of Privacy Chats, Rachel and John discuss the progress made in recent neurotechnology advancements as well as other affect-recognition technologies, including non-invasive video reconstruction using brain activity and brain fingerprinting (yes - you read that right!) What can, or should, we expect as far as effects on law enforcement and personalized advertising activities? Is it too early to tell? Tune in and join the conversation too find out! This episode was inspired and informed by the following publications: 19 May 2023 - Cinematic Mindscapes: High-quality Video Reconstruction from Brain ActivityBrain fingerprinting: a comprehensive tutorial review of detection of concealed information with event-related brain potentials

Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993)

What will a second Trump term mean for US Privacy and AI Policy?

Former president Joe Biden set a record number of Executive Orders into motion related to Artificial Intelligence and National Security into motion during his term, but there’s still plenty of work to be done. FTC Chair Lina Khan pursued legal action against US technology companies in an unprecedented way during Biden’s term and pushed the boundaries of the FTC’s enforcement role in the process. And although containing the harmful impacts of AI remains a bipartisan goal, to what extent - considering the anticipated tradeoffs to innovation - is where the divide continues to exist. 

How will the new administration impact the direction of Privacy, Security, and Artificial Intelligence policy, both on a domestic and international scale? On episode 22 of Privacy Chats with Rachel and John, Rachel talks about her 3 key predictions regarding how the Trump administration will likely respond to the activities set into motion under former President Joe Biden.

…..…..…..…..

…..…..…..…..

This episode makes reference to the following Executive Orders instituted under former president Joe Biden: 

• (EO 14110) Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

• (EO 13985) Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government

• (EO 14117) Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern

This episode was written inspired by research involving the following publications: 

• NextGov.com: Trump promised to repeal Biden’s AI executive order — here’s what to expect next

• IAPP News: A view from DC: What does a second Trump presidency mean for privacy, AI governance?

• IAPP News: A view from DC: The beginning of the end of the free flow of data

• Oversight.house.gov: Oversight Committee Releases Staff Report Finding FTC Chair Khan Abused Authority to Advance the Biden-Harris Administration’s Agenda

• Security Infowatch: What can the security industry expect from a second Trump term? 

• Tech Press: Where US Tech Policy May Be Headed During a Second Trump Term

• CNN.com: 2016 Presidential Campaign Hacking Fast Facts

• Wikipedia: Donald Trump Tiktok Controversy Wikipedia 

• Reason.com: https://reason.com/2024/04/24/another-illegal-power-grab-from-the-ftc/

• White House.gov: Fact Sheet: Key AI Accomplishments in the Year Since the Biden-⁠Harris Administration’s Landmark Executive Order
  

Doxing is “the action or process of searching for and publishing private or identifying information about a particular individual on the internet, typically with malicious intent.” - Oxford Languages

New technologies, and faster processing of information is making it far easier to find and access information about us.  AI will bring this to the next level allowing for rapid aggregation of disparate data.

On Episode 21 of Privacy Chats with Rachel and John, we look at new technologies that make it easier to identify people and access information about them, and why we might want to be more cautious about what information we allow to be out there for people to access and utilize.

GenAI (Generative Artificial Intelligence) and AI in general, continues to be all-the-rage, permeating nearly every business conversation involving automation, scalability, and improved insights in the pursuit of minimizing cost and maximizing revenue. Given Privacy and AI are inseparable concepts at their core - what does this increased emphasis on AI mean for professionals subject to these technologies in their day to day roles? 

On Episode 20 of Privacy Chats with Rachel and John, Rachel and John reflect on the industrial revolution’s influence on surveillance, standardization, and automation, how these practices have influenced the economic imperatives of AI, and how AI will continue to challenge the concept of worker’s reasonable expectation of Privacy in the modern workplace.

Privacy Engineering is an essential function of mature Privacy Programs, joining aspects of software engineering, data protection, privacy compliance, and privacy risk management. On the latest episode of Privacy Chats, Rachel interviewed Jay Averitt, a Privacy Engineer at Microsoft, who shares his career journey, how he would describe Privacy Engineering at an “ELI5” level, and what in particular makes Privacy Engineering a challenging yet meaningful career. Jay regularly writes about the Privacy industry on LinkedIn, initiating insightful conversations regarding common challenges faced and crowdsourcing practical, real-world solutions with other Privacy professionals: https://www.linkedin.com/in/jay-averitt/.

Innovation is the spark that ignites the engine of progress, all of which is fueled by cooperation and a mutual interest in creating a better world. We tend to look at privacy from the perspective of what is, rather than from the perspective of what could be. 

On Episode 20 of Privacy Chats with Rachel and John, we spin a new narrative on how data could be owned, managed, and distributed in a way that brings a new level of transparency and control to individuals and contributes to the greater benefit of humanity.

AI Tool Koe Recast claims that its AI voice-generating software requires just a few sentences of audio to replicate your voice. If that’s not suspicious enough, other options need as little as three seconds to capture and reproduce it to a convincing degree. Long gone are the days of Caller ID Spoofing! 

Scammers these days might just be using ChatGPT to help write a convincing story as well. Such AI impersonation tools are surely a small price to pay for the $2.7B that US consumers lost to imposter scams in 2023 alone. And although it’s been the tried-and-true method for decades, phone calls are no longer the scammer’s medium of choice. According to the FTC, the highest overall reported losses were caused by scammers on social media. We’ll have to wait and see if the FTC’s amendments to their Trade Regulation Rule meaningfully improves the situation in 2024. 

In the meantime - you can tune into Privacy Chats with Rachel and John to learn more about the very real implications of high quality deep fakes found in our everyday lives. What’s cooler than out-scamming the scammer, anyway?

In this snappy episode within our new “Security for Privacy” (S4P!) series, we challenge your knowledge on password best practices through a fun and engaging quiz format. Tune in to learn what it takes to create resilient passwords and manage them appropriately in 2024 - both for yourself and for your organization! __________________________________________________________________________ Resources used to inform this episode:

• NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk
• MS-ISAC Security Primer – Organizational Password Best Practices
• A look at Password Health Scores around the world in 2022 - Dashlane

Impersonation scams are not what they used to be. According to recent FBI research, Americans lost roughly $1.3 billion in 2023 to scammers running impersonation scams.

In our new “Security for Privacy” series, Rachel and John dive into the most prevalent form of social engineering today, particularly how scammers disguise themselves as trusted figures and how to identify them before it’s too late.

Links to information sources used in this episode:

• https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineeringhttps://
• www.fbi.gov/wanted/cyber/russian-interference-in-2016-u-s-electionshttps://
• www.usa.gov/imposter-scamshttps://
• www.fcc.gov/grandparent-scams-get-more-sophisticatedhttps://
• www.aura.com/learn/why-do-scammers-want-gift-cards

In Episode 17 of Privacy Chats with Rachel and John, Rachel shares her synopsis on what may be one of the wildest healthcare privacy breaches to date. As of June 17th, a Texas surgeon is facing federal charges for leaking patient information in an attempt to expose continued gender-affirming care at Texas Children's Hospital, blowing past the boundaries placed by HIPAA to protect sensitive healthcare information. 

Who’s involved? Who’s to blame? What is at stake? Tune in as Rachel and John explore the political, legal, and ethical implications of this controversial incident!
------------------------------------------------------------------

• HIPAA & Privacy Laws

• June 17th: Doctor charged for unauthorized access to personal information of pediatric patients at Texas Children’s Hospital

• June 17th: Indictment accuses former Texas Children’s Hospital doctor of obtaining patient names, treatment codes illegally

• June 10th: Whistleblower faces federal charges after exposing alleged continuation of gender-affirming care at Texas Children’s Hospital

The EU AI Act was first proposed by the European Commission in April, 2021 and has been working its way through the legislative process ever since. John had a chance to hear from other industry experts about this at the 2024 IAPP Privacy Summit, taking away key insights for discussion. On episode 16 of Privacy Chats, Rachel and John decipher the EU AI Act’s known tenants - such as its focus on improving internal markets while protecting democracy - and hypothesize on its long term implications to global innovation.

Although Privacy isn’t explicitly called out in the US Constitution, there is a long history of recognizing that people have a right to privacy and that this right can be inferred from several amendments in the U.S. Constitution. In this episode of Privacy Chats with Rachel and John, John leans into his studies as a Masters of Privacy Law student at Seton Hall University School of Law to educate us about the nuanced relationship between Privacy and the U.S. Constitution. 

We discuss significant Supreme Court cases of the last century which demonstrate the implicit recognition of Privacy as well as common misconceptions regarding the direct interpretation of the Constitution as a guarantor of the right to Privacy in the US.

In this exciting interview episode of Privacy Chats, Rachel and John have a conversation with Associate DPO (Data Protection Officer) Gonzalo Caro, to deliberate about the recent explosion of Generative AI (“Gen AI”) powered technologies and the implications to personal data processing. Gonzalo supports the Office of the DPO at Meta in Dublin, Ireland, which allows him to share his views about Gen AI from a uniquely informed lens. DPO’s play an integral role in ensuring the company they represent is compliant with relevant privacy laws and regulations and employs a risk-based approach toward doing so.

On February 8th, 2024, the Wall Street Journal reported that OpenAI CEO Sam Altman sought to raise $7 trillion in funding to expand their footprint in the global AI market.

Coincidentally, an episode of Privacy Chats with Rachel and John was brewing in the background to shed light on the potential privacy risks of Large Language Models (LLMs).

Covering all angles of the potential privacy risks of Large Language Models (LLMs) is no easy feat, but John and Rachel share what’s top of mind in their experience and research through answering the following questions: 

• What are “LLMs”, and how do they work on a fundamental level?

• How might LLMs pose a risk to Privacy?

• What can you do to help mitigate these risks in today’s world? 

It’s critical to evaluate and manage risk for any new technology early and iteratively in order to balance the benefits with the prospective harms on a micro and macro level. Tune in to hear a different perspective on the very technology that’s taken the world by storm!

Is Your Car Watching You Drive?

Internet- connected cars continue to be one of the fastest growing IoT markets, with over 400 million connected cars projected to be in operation by 2025 (source). In this 20 minute episode of Privacy Chats with Rachel and John, we investigate the most common capabilities of connected vehicles on the market by researching answers to the following questions:

• Why are vehicles becoming increasingly internet-connected? 

• What data are connected vehicles collecting, and what is it used for? 

• Which functions pose a threat to protecting your privacy?

• Who are the threat actors? 

• What can we do about it? 

Tune in to learn what your car might be capable of in the future (or perhaps today!) on your morning commute.

Happy New Year! In Part 2 of 2 of our dual- New Years' release of Privacy Chats with Rachel and John, we delve into the recently adopted SEC rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. 

With the rules in effect from December 18th and reporting requirements starting on December 25th, we explore the impact on investors and the motivation behind the SEC's decision. SEC Chair Gary Gensler emphasizes the materiality of cybersecurity incidents to investors, drawing attention to specific breaches that significantly affected shareholder value. 

Our discussion covers oversight disclosure requirements for publicly traded companies, detailing the annual disclosure of their cybersecurity program in their 10k, as well as per-incident disclosure obligations on their 8-K forms within four business days. The rule's formal intent is to provide timely transparency to shareholders about risks affecting financial performance, reputation, or compliance. While proponents believe it offers "decision-useful" information, opponents express concerns about potential disclosure during ongoing investigations. 

• December 14th statement by Erik Gerding: https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214#:~:text=In%20July%20of%20this%20year,management%2C%20strategy%2C%20and%20governance
• SEC.gov’s Official Press Release: https://www.sec.gov/news/press-release/2023-139
• Official Text: https://www.sec.gov/files/rules/final/2023/33-11216.pdf
  

Happy New Year! In Part 1 of 2 of our dual- New Years' release of Privacy Chats with Rachel and John, we discuss the Federal Trade Commission's (FTC) proposed updates to the Children's Online Privacy Protection Act (COPPA). 

The FTC aims to address issues such as inadequate consent models, data retention concerns, and misleading statements related to children's privacy. Major proposed changes include restrictions on the use and disclosure of children's personal information, limiting services' ability to monetize children's data, and shifting the burden of security and safety from parents to internet providers. The FTC's role in protecting children's privacy, previous COPPA updates, and the expanded definition of personal information are highlighted. 

The updated COPPA Rule would require changes in targeted advertising, opt-in mechanisms, limitations on push notifications, restrictions on surveillance in schools, and enhanced data security measures. This episode emphasizes the significance of these changes in safeguarding children's data and includes a quote from FTC Chairperson Lina M. Khan regarding the proposal's affirmative obligations on service providers.

• FTC Report Update: https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens
• 'Official Proposal Text: https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf

Join us in this episode of Privacy Chats with Rachel and John for a deep dive into the Digital Markets Act (DMA) and the Digital Services Act (DSA). We navigate the intricacies of these new regulatory requirements by breaking down key questions such as:

• What is the Digital Markets Act / Digital Services Act?
• Who do they apply to?
• What do they have to do with Privacy?
• What do these companies need to do (or avoid doing) as a result of this regulation?
• How are they enforced?
• What are the intended benefits of each?
• When does it come into effect?

The objective of this chat is to shed light on the DMA's and DSA's implications to in-scope companies as well as to the users of those services.

In this captivating dialogue, we sit down with our knowledgeable friend, colleague, and fellow privacy & security professional, David Greene. The three of us engage in a comprehensive conversation regarding the implications of the California Privacy Rights Act (CPRA) on the broader California Consumer Privacy Act (CCPA), pivoting the free-flowing discussion around the following questions:

• What's the difference between the CCPA the and CPRA?
• Why was CPRA necessary so soon after the CCPA was enacted?
• Do we call it "CCPA" or "CPRA" now?
• What are the costs for violating it?
• What are some examples of violations?
• Why should I care if I'm not a California resident?

Tune in to this enlightening discussion and gain valuable insights that will help you navigate elements of the CPRA and stay informed about the evolving landscape of data privacy and protection.

--> CPRA Official Text

--> CCPA Official Text