[00:43] Privacy on the Cyber Side

Petko: One thing I love about Silicon Valley is how technical and how just getting folks together. You get some great ideas. People always forget about that. But I'm actually more excited about today's guests.

Because it gives us a unique perspective that we sometimes in cyber forget about. In cyber, we always think about the bits, the bytes. We think about the new shiny objects, the new tools, but we don't ever take it from a larger view of why or something else. 

Today's guest is going to give us really a legal perspective on the cyber side. I'm excited to get that perspective. We always get stuck on the cloud, the bits, the bytes, and where I'm storing stuff. We forget about everything else around privacy, democracy and why we have encryption, and what the benefits are.

Do you want to introduce our guest, Rachael?

Rachael: Please welcome to the podcast Mishi Choudhary. She is senior vice president and general counsel at Virtru. 

Mishi: Thank you. Nerd alert. As if you didn't have enough jargon, you wanted to add the legal one also.

Rachael: I love it. Now, I mean you have such a wonderful history in your profession as a lawyer, particularly being in the technology sector for so long. I would love to just as a jumping-off point because so many people forget about, legal should be at the forefront when we start talking development and technology development.

You were at this wonderful organization, the Software Freedom Law Center for about 17 years. You were, I guess in the trenches of where the intersection of lawyers and the legal element and software development were happening. Right?

 

The Users Privacy

Mishi: Yes. It was when open source was not as sexy, in the early aughts. I wanted to add, as I said, more jargon. Which I did not understand about technology and to work with people who hated lawyers and didn't want to pick up ever their phones and lived in court. I'm like, "Yes, I should do open source here.

That's fine." I did that being on the ground floor. And as we were talking earlier, once greed and capitalism joined, I think the open-source revolution caught speed. Here we are, hot, sexy, everywhere, omnipresent.

Rachael: I love that. Now you're at Virtru, so you've moved over. But are you seeing, as you get deeper in the industry, where in the chain are the challenges, still for legal? I mean you got a seat at the table or are you fighting for a seat at the table? Are you allowed to even talk about that? I didn't even ask if I could ask that.

Mishi: Well, everything privileged and confidential. Nobody can summon anything in discovery here. The interesting thing about Virtru, having spent all this time with developers but also doing a lot of policy work around the world, including the US, and Europe. And I was born in India and India as well.

I think what I understood was there's so many important stakeholders, especially the users. Who doesn't get as much of a voice? Because the fat cats can always make deals and call civil society and everybody else for the pictures at 4:00 PM before cocktails.

 

Legislation and Policy

Mishi: I was like, huh. Policy and law will happen gradually and slowly. But I also want to be at a place which is making these products possible, so that people can have the tools to create privacy before politicians figure it out, what kind of rights we need. So, I do get a seat at the table.

I do get to speak my mind. The good part is that the mission is very much aligned, about creating products which can give control to the user. That's the fun part.

Petko: Mishi, can we step back? You said something. When you think policy, what excites you about that? Because I think as a cyber technocrat you hear a policy and I don't want to touch that. But why is it so important?

Mishi: Ah, yes. I know. I wish that they actually made standup comedy shows and other such fun stuff to explain all that complicated jargon. But then we would've let all the people in and the secret would be out and we wouldn't look as smart. But everything touches our life in terms of policy.

I think what was important to me personally is that with one stroke of a pen or what is decided in terms of legislation or policy can impact the lives of swaths of people. 

Not only in our country but around the globe. Because all of this is so deeply connected now that every country watches what the other one is doing. With tech, things are so much closer and closely intertwined. So to me it is that, oh, I would like at least to understand it in a way that I can explain it to my parents and also my nieces and nephews. 

 

The Importance of Privacy in Our Society

Mishi: That also tells you a little bit about the kind of simplicity we require in these conversations. I am, as I said, a nerd who also wanted to really get down into the weeds to figure it out. To make possible that rights conversation, what individuals want, that gets talked about. 

People all around the world want to use good tools. But they don't have time to worry about their rights, their data collection, and all those things until some problem happens. So that, to me, is very important, to make it possible.

I feel it is the responsibility of all of us who do understand it to ensure that we can have those conversations about rights, individuals, and about balance. While the rest of the society is just living their lives. That's why I do what I do.

Rachael: I love that. Did you want to talk? I had a question too, Petko. We're going to be fighting each other to talk to you today, Mishi. I mean I love what you're saying too. It kind of gets into, I guess a nice segue. We talk about privacy policies, and regulations. It's such a hot topic.

When you think of something like GDPR, when it came online. There was so much confusion. What does it mean? Do I really have to fall in line? Or can I just roll the dice and see if something happens eventually? Then you start seeing that trickle over here and it does, it becomes much more complicated. 

 

[08:27] How Privacy Affects Our Everyday Life

Rachael: I'm fascinated from the legal perspective. I mean even trying to navigate that, if you're a small business trying to navigate any of this, how do you do that? It just seems that it's so confusing if you're doing business with EU customers, but you also have business in the United States.

There's CCPA, GDPR, all these other states going online with different policies and regulations related to privacy. How do you even operate a business?

Mishi: Well, I think hard things are hard, so I don't have simple answers. But I do think that over a period of time, we have developed certain ways to address these issues. The beauty of capitalism is that there are other businesses to help you figure out how these questions work out.

But to the fundamental point, despite the jargon, which whether it is GDPR or the CCPA, my interest mostly is in the principles of why these things are important.

That is mostly to keep people at the center of it all. That's why I like to think about whether it is data protection, digital services, or CCPA. My motivation always is, can I think about putting people at the center?

Is it really protecting people, without having them jump through various hoops or not? Ooh. See? I get agreements from all sides now.

Petko: When you think of people, I start thinking, privacy is where my mind automatically goes when you start thinking legal and people. I imagine privacy differs throughout the world. We have GDPR. We kind of talked about that. Is there anything in privacy that's influenced your thinking here, in your day-to-day work that's important?

 

The Varying Perception of Privacy

Mishi: Yes. I think that's a very important point about what you say about how people all around the world think about privacy and what it means. The limitations are a little different everywhere one goes. Obviously, the legal systems are different. But mostly people all around the world do believe,

if nothing else, in their ability to have that freedom of thought. I, in my own head, should be allowed to think whatever I want. Sometimes comfortable, sometimes uncomfortable, but to learn from my own thoughts.
Imagine how different our world would be if all the books for the last half millennium had reported their readers to the headquarters.

Including informing the King or the Pope or anyone, how many seconds each reader spent on each book, what book one read, what did that do, et cetera. Which now happens because it is being replaced by an appliance that tracks your reading for the bookseller subject to whatever the king's subpoena is.

But if we believe in that liberty, that absolute freedom that I can be left alone in my head to think about things, to formulate opinions, to come up with something how to live my life. That's how only I think about privacy, which helps me think about it all around the world.

Once you go to Europe, because of the experiences they've had during the wars, during the various crisis, obviously they're much more sensitive about data being collected.
In the United States, we've had a much more robust 1st amendment tradition, about how privacy and free speech collide with each other. 

 

Privacy in Our Freedom of Speech

Mishi: But here also, the expectation of a lot of people is that, what do you mean I don't have protection? What do you mean I don't have privacy? For example, when we talk about health data and with the recent change in the Supreme Court judgments, I think everybody just assumes, and we have HIPAA, so it protects us all the time.

Of course, that's not true in that sense. But mostly everywhere, what I have seen is people just don't want state or private indifference or a middleman between them and whoever they are interacting with. They like the conveniences the technology offers and they would like the benefits of it.

But they don't want, whether it is Mr. Zuckerberg or it is their government, anyone coming in between what their usage of technology is and what benefits they derive.

I also feel that we are either government or companies read every face, dissent is under permanent intimidation. That's why all of us become much more sensitive when we are watched or even if somebody tells us we are watched. That ability to be able to do certain things in the privacy of one's own head, that is very visceral to all of us human beings.

That really guides me as the global North Star no matter where I am.

Petko: You mentioned freedom of speech. At least the folks I was speaking to always think freedom of speech is different than freedom from being accountable for my actions because I can say whatever I want.

But saying that, are you sure you want to say that on TV, have a million people hear it? Or doing what you think you're doing might cause other actions that you didn't factor in.

 

Pros and Cons of Technology

Petko: But yet, I think the way you phrased that, freedom of thought is really what we're talking about or freedom of speech to think my thoughts and share them. Freedom of action is a different term, but we tend to always put it into freedom of speech. I can do what I want. I like how you phrased it as, it's in my own thoughts.

It's just interesting because I think in other countries you're being monitored 24/7. 

The nation has the ability to delete things from certain chat apps and things like, if they don't like it or block it. I know technology has had a lot of benefits, at least in terms of technology pushing us, and giving us better insights and better data. When I'm using Google Maps to go to my nearest place, that technology is helping me, but I'm being monitored at the same time.

I struggle with, should I care if I'm getting benefit out of it? I guess my question's if I'm monitored why as an individual, should I care if I'm being watched by Mark Zuckerberg or Facebook or something else?

Rachael: Especially if you're not doing something nefarious. You're just in the course of your day-to-day life, I think that is what you mean. Right?

Petko: Yes, correct. You're more eloquent about it.

Rachael: Why should I have something to worry about if I'm just living my life?

Petko: Yes. I'm not doing something stupid. I'm just using the technology to help me solve a problem.

 

[16:00] The Underlying Magnitude of Privacy

Mishi: Yes. That's actually a great point. I don't like to dismiss it. A lot of times it's presented as, I'm not doing anything wrong, why should I bother? I think there can be clever quips to that answer, but that doesn't appreciate the complexity of it. A lot of times, like someone, said if you give me six lines of the past person, the most honest person ever who has ever been on this earth, give me six lines written by them and I will find something to hang them, from those six lines.

It's about interpretations. About the collective usage of that data. It's also about, I am not only collecting data about one interaction, but then I'm letting it talk to various other databases. Based on whatever I would like to infer, then perhaps decide how I want to treat you today as a person. Why it gets complicated is also because in Western democracies, here in the US, we rely on the judicial system. We think robust institutions will actually take care of a lot of things. There's a rule of law.

That may not always be true because certain governments can always slip and one has to think about it. In many other parts of the world, where we have already seen, what is legal today may not be legal tomorrow because the regime changed. What is acceptable in society, morally or traditionally or in terms of the zeitgeist itself, may not actually be acceptable tomorrow. We see homosexuality, how that seems just natural to us. 

 

Dangers of Collective Privacy Breach

Mishi: It's just a choice about whoever wants to live their life the way they want to and love is love. That's not obviously the case in several parts of the world. A young person trying to use the internet, a search engine, or something else to just explore what is it that they're feeling, and why does it seem different from what the majority of their society is talking about. Now data collected about that person used in a certain other way does have a lot of impact on their actual safety and their life.

It is also about, what is it that we want to say these days. Social media, which rewards outreach over deliberation, quick reaction, whatever will get engagement and does not allow for a lot of deeper discussions, obviously will also pick up things selectively. Then that can be used against many people.

Sometimes people are just learning. If I think about undergraduate studies or law school or business school and I'm like, wow, you were the dumbest person I've ever seen or known actually. What were you thinking? Did you not ever read a book? Did you not pay attention? I didn't pay attention all the time, obviously. I read many books, but maybe not the right ones all the time. But sometimes I wanted to read the wrong books.

I did a campaign long ago to say I read banned books. We made a list of banned books all around the world and especially in different countries, just to see why people ban certain things. It's an interesting thing, which gives you an insight about why people in general want to do things to grow.

 

Right to Personal Privacy

Mishi: University is a place where we were allowed to have those exchanges of ideas. But because the internet never forgets, so I should be punished about something which I thought, wrongly perhaps, 20 years ago. That is where I feel that we take that freedom to grow and liberty of thought and et cetera, all of those things. Also, I do feel that I love capitalism, obviously. Greed does help revolutions on all sides. But there has to be some understanding of where the guardrails are.

Advertising cannot actually justify any kind of business motivation. I think why people should care is not to say stop using every tool that is available, but demand that tool to give you convenience but not take away your rights. Which in the future might come to bite you in some other way.

Petko: It sounds like it's really about, you need to be able to choose what you put out there, that's public versus non-public. If I'm talking to my spouse, I should be able to text them in private and not have it appear publicly anywhere or have it used for data mining somehow. That should be truly private.

Mishi: Oh, absolutely.

Petko: So it's interesting that it's about control, really. It sounds like it's about control of your privacy. Without that, if we don't have privacy, we don't have democracy, realistically. If you're voting, for example, your vote should be secret. You need to validate that I can vote, but knowing exactly how I voted should be secret because I could be targeted, hypothetically. So I like how it's really about democracy and privacy linking together.

 

Encryptions and Data Collection

Petko: I know there's various solutions out there like Apple and Google, that do this or on chat and there's apps like Signal that are used for internet encryption. I think all of them strengthened user privacy and it ends up protecting a lot of the user data. But how do you think some of that type of encryption impacts companies and third parties that do any type of data collection?

Even law enforcement, where there is more encryption happening now end to end. Being deployed for regular users? Is it impacting law enforcement? Is it impacting data aggregators?

Mishi: Again, I am that really, really bad kind of lawyer who always says it depends. Give me more facts or pay my hourly, so that I can actually give you a good answer. I'm like, really, you want that answer and you're not going to pay me for that?

Rachael: Hilarious. I love it. I hate to break it to you folks, but we're going to make it a two-part episode with Mishi. What a great cliffhanger right here folks, though. Right? I can't wait until you come back next week for part two. So until then, be safe. Don't click strange links.

Don't forget to smash that subscription button. See you next time.

 

About Our Guest

 

Mishi Choudhary, SVP and General Counsel, Virtru. A technology lawyer with over 17 years of legal experience, Mishi has served as a legal representative for many of the world's most prominent free and open source software developers and distributors, including the Free Software Foundation, Cloud Native Computing Foundation, Linux Foundation, Debian, the Apache Software Foundation, and OpenSSL. At Virtru, she leads all legal and compliance activities, builds internal processes to continue to accelerate growth, helps shape Virtru and open source strategy, and activates global business development efforts.