First up at #PEPR21 "Privacy for Infrastructure: Addressing Privacy at the Root" by Joshua O’Madadhain and Gary Young from @Google.

Because hey, privacy is a full-stack problem, from humans and the societies they build all the way down to the hardware. Infrastructure is key.
Both Josh and Gary have been at Google for "a while" (I think that's about 15 years each) and are both whizzes when it comes to privacy, especially in infrastructure.

Infrastructure: systems that provide other systems or products with capabilities [not the security kind]
Types:
* storage systems
* network systems
* data processing systems
* server frameworks
* libraries
* system integrations
* etc.
Data-agnostic system
* it's not aware of the types of data which it handles. Used because of generality, simplicity, avoiding responsibility ("we just handle data, it's the client's job to do it right")
* related concept: data processor vs controller
Note that if the system is data agnostic, it's effectively responsible for making sure that client teams know how to use it correctly, because the infrastructure can't handle privacy issues.
Why infrastructure privacy reviews?
* can't we just review the products rather than the infra?
* scaling: solving privacy at the infrastructure level benefits *all* users of *all* clients
To look at:
* what (user) data does the product handle (collect, read, write, process)?
* what does the product use the data for?
* where is the data stored? For how long?
[missed one]

for infra: also, how does the infra help its clients meet their needs
Infra privacy concerns
* data: client provided (what kinds of data? is data-agnostic?) vs system generated (usage logs, error messages)
* clients: who are the current and intended clients? (how does the system know?) how many clients can the system handle? (how much time does it take to get clients into a good state?)
* use cases: what categories of data are in scope (personal data?)? current uses? planned uses? possible uses? (could unplanned use cases present privacy issues?)
* access control: how is access to the system controlled? how do clients control access to their data? is access to the data logged? (who, what, when, how, why -- people who manage a system should not have unfettered access to it)
* retention/deletion: how can clients delete data? how long does each step of deletion take? [this stacks through different layers of a stack or pipeline]
* meta: what infrastructure does the system depend on? is it properly configured?
Configuration and cost externalization?
how much configuration is needed by clients to achieve a good privacy stance?
1. Zero config (a bad stance isn't possible, across everything)
2. good privacy stance by *default*
3. good privacy stance *requires per-client configuration/code* -- who does this work? clients? infra team? both? how difficult/specialized is this?
4. good privacy stance not possible [don't be here]
Build vs buy in infrastructure

Build:
+ can be tailored to your requirements (including privacy)
- requires time and investment

Buy:
+ off-the-shelf, (mostly) predictable costs
- less visibility into/control over privacy stance

Even leading infra may have a bad privacy stance!
Infra privacy warning signs:
1. negotiating with infrastructure teams only indirectly through clients
2. evaluating infra using product focus
3. undocumented infra standards & expectations
4. assuming off-the-shelf infra will satisfy bespoke privacy innovations/commitments
5. infra goals not aligned with client goals
6. with great power comes great vulnerabilities: Turing-complete is not your friend. Can be used for literally *everything*. Hard to make safe.
7. uncontrolled externalization of privacy costs onto clients [or privacy team]
Future of infrastructure privacy review
* systemization: identifying, documenting, and applying common solutions
* infrastructure-oriented risk frameworks
* annotation and automation
[like any livetweet thread, this isn't a complete transcript -- don't forget to check out the #PEPR21 talks live or the videos afterward!]
Q: When is it a good idea to let go of control of your data and give it to a 3rd party?
A: If and only if you think they can meet your needs better than you can. It depends on your in-house expertise -- some companies have a lot more of it than others.
Evaluating that is beyond the scope of this talk ;)
Q: What about API as contract?
A: Example: think about a deletion API. You might want in the documentation how long it takes a deletion to show up and complete [remember that when you tell a database to delete isn't when it removes the data]
Q: Do you have examples of an API with a privacy contract?
A: ... I can think of some internal ones but haven't seen this happening externally. Sorry.
Q: Data categories and annotations and how they flow through infra -- how build a data map?
A: We think systems which allow large-scale storage of untyped data are important, but can fall back to the idea of having the metadata on the container.
For example, tagging the schema [note that schema isn't sufficient and Gary isn't being limited there]. The infra doesn't need to care about the semantics of the tags, just need to identify certain values.
Josh points out that you need tags at different levels: column, row [e.g. "this user's data can only be in X location" or "this is especially sensitive"]
Q: what are some techniques to avoid backup data showing back up when it's supposed to be deleted?
A: First: tags around backups so they can only be used for system integrity -- can't go back to use them for other purposes.
[Note: look into the data deletion talks later in the conference -- the trick here is that your data deletion system should keep looking for data which should be deleted and keep doing it. That way it handles backups and other kinds of failure.]
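As an added illustration of the two answers above (tags on the container at column and row level, backups restricted to integrity use, and a deletion system that keeps looking), here is example code that is not from the talk or this thread. The tag names ("region:eu", "sensitive", "integrity-only") and the `Store`/`Container` API are constructed for the example.

```python
"""Added example, not from the talk: a data-agnostic store that keeps
privacy tags on the container/rows, restricts backups to integrity use,
and re-applies deletions on every sweep so restored data stays gone."""
from dataclasses import dataclass, field


@dataclass
class Container:
    logical: str                 # dataset name; a backup shares it
    column_tags: dict            # column -> set of tags, e.g. {"sensitive"}
    purpose: str = "serving"     # backups carry "integrity-only" (constructed tag)
    rows: dict = field(default_factory=dict)  # row_id -> (row_tags, values)


class Store:
    def __init__(self, region):
        self.region, self.containers = region, []
        self.tombstones = set()  # (logical, row_id) that must stay deleted
        self.audit = []          # (who, logical, row_id, why): always logged

    def put(self, c, row_id, values, row_tags=()):
        tags = set(row_tags)
        # Row-level location tag: compare strings only, never inspect the data.
        if any(t.startswith("region:") and t != f"region:{self.region}" for t in tags):
            return "wrong-region"
        # Deletion is sticky: a write that would resurrect a deleted row is refused.
        if (c.logical, row_id) in self.tombstones:
            return "deleted"
        c.rows[row_id] = (tags, dict(values))
        return "ok"

    def read(self, c, row_id, who, why):
        self.audit.append((who, c.logical, row_id, why))
        if c.purpose == "integrity-only" and why != "integrity":
            raise PermissionError("backup may only be used for system integrity")
        _tags, values = c.rows[row_id]
        # Column-level tag: "sensitive" columns are withheld from debug reads.
        hidden = {k for k, t in c.column_tags.items() if "sensitive" in t}
        return {k: v for k, v in values.items() if why != "debug" or k not in hidden}

    def delete(self, c, row_id):
        self.tombstones.add((c.logical, row_id))
        return self.sweep()

    def sweep(self):
        # Keeps looking: re-apply every tombstone to every container, backups included.
        removed = 0
        for c in self.containers:
            for logical, rid in self.tombstones:
                if logical == c.logical and c.rows.pop(rid, None) is not None:
                    removed += 1
        return removed
```

Calling `sweep()` on a schedule (not only from `delete`) is what makes a late-restored backup copy disappear instead of reappearing.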

Keep Current with Lea Kissner