[0:33] The Rights to Privacy

Rachael: We welcome you back for part two of our conversation with Mishi Choudhary. She is SVP and General Counsel at Virtru, and we are talking all things privacy. So without further ado, let's get to the point.

Petko: So last year, Apple and Google introduced end-to-end encryption for user privacy. At least Apple and Google did that so your iPhones and iPads and device are protected, but how does end-to-end encryption protect user data? Why does it matter for law enforcement and others?

Mishi: So like I was saying is that when we talk to different stakeholders, they obviously present their own incentives. They're not always incorrect, but they may not be taking into account what the others are thinking about. Why this is important is again, the sanctity of my communication. So if I'm writing to Rachael or to you, I want only you to be actually reading what I've written to you. I also don't want that somebody who just decides in the middle that what are these people up to tries to look into that information. 

And it also gives me the assurance that I not only have confidence in this communication but also the recipients are the people I trust. And that could be just something very simple. I think we can all frown upon many people's way of using various apps.

But that's how whether it is younger people, older people, or people of different sensibilities want to share apps or the internet for a variety of purposes. Somebody wants to send some pictures to someone else, who am I to judge what they are doing that for? And they should be allowed to do whatever they are doing there. 

 

The Game-Changing Move in the World of Privacy

Mishi: And a lot of private things can, as I said, may not appeal to the sensibilities of other people, but they are entitled to that. When you said Apple, Google or 2016, my US family and friends are always a little confused about.

But the rest of the world recognizes it much more is WhatsApp, which is Facebook's crown jewel, Meta, as I should say, in the rest of the world. When they rolled out Open Whisper Systems or Signal's end-to-end encryption in 2016, they changed the world of privacy for a very large part of the world where their future markets are.

India has 950 million feature phone users and only around 420 million smartphone users. So you can imagine that market, which is a total addressable market, is already double the size of the United States right now.

So it is very attractive to companies right now. But when they decided that this is what they are going to do, they're also responding to the demand of the consumer. They are recognizing the fact that law enforcement needs data when there is an actual crime. 

They also say that metadata, which phone, what is happening, all of that can help address a lot of issues here. But obviously, that's not a good headline. That's not very good for a politician to say, "Because I am going to save you all from every terrorist on earth."

That's too complicated, too much jargon, doesn't do very well on the floor of the parliament. WhatsApp actually did put out an analysis to say that only from metadata, they were able to identify and unearth 300,000 accounts that were distributing CSAM in a month.

 

Privacy in the Face of the Law

Mishi: It does work. There are other methods including hashing, which is hashing of known offensive images, which can be detected automatically at scale also. So those things work, but if the idea is no, let's assume everybody's a criminal, let's collect all data all the time so that we have total information awareness.

And whenever there is a problem, we'll go dip into that and get something. If you think of it from that perspective, then of course law enforcement is right. We should never have any privacy because everybody should be a suspect. 

But if you think about it from the fact of like, well, let's just assume this is default. I do whatever I do, you do whatever you do. If we ever commit a crime, somebody should be able to follow some processes and then come after us. Why can't we move to that mature discussion instead of going in circles to do something?

Which starts from Bill Clinton's administration, actually, the crypto wars the first time. I'm not that old, but it sounds very Sisyphean. It's like you keep fighting the same fight because it's fun.

Rachael: Exactly, that's hilarious. And I'm curious too on your take, we talk about user privacy. I mean the whole TikTok thing, right? I mean, you just can't run away from this discussion. And I was on a call this morning and one of my colleagues in the UK was talking about, I guess the EU was talking about banning TikTok on all devices.

And even so, I used my personal phone for work email and things like that. I probably shouldn't do that, but I'm a TikTok user. 

 

Is Banning Applications the Right Approach?

Rachael: So if I kept TikTok on that phone, I wouldn't be able to get my Teams messages, my Outlook messages from my company. And I'm feeling very conflicted, Mishi, if they do this to me. But where's the line? You know what I mean? I mean,

I guess that's always the question, kind of, where's that line of the work and personal because they're so blended today in the hybrid workforce? There's not that line that there used to be. 

It'd be very hard to make regulatory decisions on any kind of grand scale. And as a lawyer, I mean you're steeped in this and it's a very thoughtful process. I mean, is that the answer though? I mean is the answer things like we just going to ban this app out versus trying to find another way?

Mishi: Yes, that's a good solution. Simple thing, ban everything. It's fun. All those weird dances would stop. Nobody would tell me to buy 50 beauty products to do something. 

Petko: We can go back to when we had devices that was not a full communicator, didn't have the phone, didn't have the internet, it was just a flip phone.

Mishi: You don't have one now?

Rachael: Getting old school, Petko.

Petko: I need to upgrade.

Mishi: You already do where upgrade means downgrade and downgrade means whatever. But I have to confess, I do have a flip phone, old school one also.

Rachael: You're wonderful. You're so simple. I love it.

 

[7:57] The Effects of Technology on Geopolitics

Mishi: I think it appeals to the young and the old equally. And I can actually claim some cool question. I'm sure it's not called cool question anymore on TikTok. I think banning is always an easy way to do it, and it's a blunt instrument which several governments use. The government of India banned TikTok.

And that's why it also tells you how important tech geopolitically is, and why the ban was because the Chinese and the Indians share a border. 

There's only this tiny thing called the Himalayas in the middle. And when there were border skirmishes, the government of India's response was, "Well dude, we are going to block everything which you are selling in our digital world." So they banned a ton of apps there. So India hasn't had TikTok for over two years now. It was a very popular app.

The good thing about TikTok was that unlike Instagram, which required better devices, TikTok could work and be optimized on cheaper phones and cheaper devices.

It's a different economy. So obviously, one, as I said in terms of it still works on feature phones, it still works on very low different level of devices and it did optimize itself and it works very well. It was very quick. It didn't require a lot of text, which is not the language of most of the world and music is, and videos are in that sense.

That's why everybody has been forced to move to reels or whatever new thing they want to call. But they did that. 

 

How the Internet Helps Shape the World

Mishi: They banned it. I am not going to say completely that our fears are completely unfounded. That there is no data collection happening, that there are no parties in the sense of countries which are not using that data collection for nefarious purposes.

Rachael: You know what I find interesting in this, I'll just make a quick side point just to you, Petko, but we had Sheera Frenkel on from the New York Times. I think it was like a year and a half ago. One of the things that she was talking about was for a lot of these countries, these social apps become their way of actually getting information.

Sharing information like news of what's happening or communicating with each other. 

And much like you were saying, Mishi, I mean you find these apps that actually work with the technology available to you in this particular country. And then when you ban them or cut off access and you start cutting off access to communication.

The ability to share information, freedom of thought within these communities, which I think is a discussion in itself, right?

Mishi: Absolutely. And I think that's why we are right now living in a world where the balkanization of internet is going to be the future, it seems like. US will be its own island. Europe will be its own island. The Chinese, Russians, the Iranians have already decided how they want their population to use the internet.

And Indians can never make up their mind. Some days, there are democracy. The other days, they're like, "Maybe we want to be somebody really different right now."

 

Looking at the Big Picture

Mishi: "And look at China, they're doing very well. Maybe we should also control everything." And that's why it is true that a lot of data collection does happen. It is true that governments historically have never had as much power as technology now offers them. And that's true for all governments. And to bring it full circle, that is why it is so important for us to rely on rules, law, and policy. Because who knows which government will be actually governing many of these tools later on? 

Israel, like the place where startup nations, everything, and today's time says many of entrepreneurs are thinking that the judiciary is going to change so we should move out of this country. And that tells you a lot about how tech entrepreneurs are also thinking. They need predictability in law. Companies like mine and many others, like the ones you talked about, have now completely understood that regulation is coming and the users would like privacy while getting the convenience.

So companies will build products which are pro-humanity IT, but they also need predictability. They can't have different rules, different laws every time. And I as a lawyer who sits inside, I'm like, "Come on. I can't do with changing laws all the time," although I want them to change long term, but then to stay stable after deliberations and discussions. And so that is why it is so important to look at it from that larger zoomed-out perspective and to say this is what we would like as a business. 

 

A Pretty Straightforward Solution

Mishi: This is what we would like as individuals, and this is what we expect from our governments as well. And that's why when somebody says ban TikTok, I really have to squint my eyes, take a pause. And I'm like, okay, I like simple answers. But silver bullets are going to hurt a lot more in the long run than the slow boring sausage-making.

Rachael: I love that. Petko, reaction?

Petko: Rachael, I don't know. I'll say one thing that drives me nuts is with GDPR, at least they have the right to be deleted. I can't tell you, I think I logged into Facebook and I have not logged in for over 10 years. So I really requested them to delete 10 years ago.
I don't use Facebook or any of it.

I logged in and it still had my original account and it still had all my data from 10 years ago, which I told them I want it deleted. It was never deleted. They just made it inactive. I think the definition of delete maybe varies between California and where I live, but I'm still impressed.

I mean, the fact that they store my data longer than the IRS stores my taxes is kind of impressive.

Mishi: There's a lot more Mr. Zuckerberg wants to know about you than the IRS's offices.

Petko: Yes. So now, I know that in California they passed something like a GDPR, CCPA, and I think Virginia just passed one as well. Do you think that's going to have an impact on some of our privacy protections?

 

[15:06] Understanding the Importance of Privacy Laws

Mishi: So one interesting thing is, again, just because there are new laws, our old laws don't automatically disappear. I wish that were the case and sometimes I do wish that and sometimes I don't. Like when I grew up in India and I became a constitutional lawyer and somebody told me sedition, and I'm like, that is a British era law.

Didn't we get independence? Why didn't we get rid of all these laws? We didn't. We still didn't. Sodomy, we still were punishing homosexuality under those laws.

And so the thing where what happens, and as you rightly said, is that many states are now doing their own privacy laws because they understand the importance of it. And the United States does not have an omnibus privacy legislation.

In California, being California, the fun people that they are, they're like, "Well, we're fifth, sixth largest economy, we run the world, we'll just get whatever we want."

However, that also tells you that that is a responsible way of saying why do we always put all responsibility on the users? "Don't do this. Don't share your location. Why did you put your data out? Why didn't you do this?" And as Petko is saying, is like, why did you create a

Facebook account and why is all the responsibility on me? I have a zillion things to do, I have to take my kids to school, I have to fight the PTA, I don't know, I burn the dinner. I have a zillion other things to do. I'm a very bad cook also. But I don't have time to think about this dense stuff. 

 

Achieving a Safe User Experience Is a Team Effort

Mishi: And sometimes when I pay attention and people are sending me advertisements, changing my insurance rates, or telling me I can't get something because I looked up something on Google. That's the time when I start paying attention to it. Then you want me to say,

"Well, it was your problem. Why didn't you read terms of service? I already told you your first one is mine and everything is mine. You didn't read that contract."

I get paid to write those contracts. For a long time, a lot of that notice consent is legally robust but not very good at the societal levels. And that's why I said lawyers are not the only answers to this. It has to be a society-wide communication and discussion. And as you were saying about a Virginia passed,

Connecticut did, California did, and many of these states are trying to say we need to protect our people. We need to do these basics which people expect. 

You go to Europe, your internet experience is very different out there. And they're saying we need to step in and help the people figure it out. We can't let it just be data collection, make such products, sell ads, and all of that would be hunky-dory. It's not. The world has changed from 2010 till from to that time to today.

And however, the interesting bit, like Virginia is such a great example in that sense. Like the Dobbs decision happened and there is a privacy law and then there is menstrual data and that starts a whole different conversation. 

 

Technology, Policy, and Law

Mishi: Who can collect? Who cannot collect? All of that. And whether you are a woman or not, it helps you see how much of interference of a third party is there in such intimate decisions of your life, and which is put on steroids with the help of technology.

One of the fantastic things were truss engineer team led by women did was when this decision was happening and they were seeing. They used our underlying technologies, open source, one to build a secure cycle. So I can track my periods, I can do whatever I need to do about my health, but nobody's business it is other than mine.

So there are products which are being made. That's why I always think it is technology, policy, law, all of these things come together to protect people who are at the center. And that's how I simplify it in my head because as much as I find reading these long 50 pages things meditative, I also have a limit. So I have to simplify everything and map it. 

And I think the best test always is, can you explain it to somebody who's maybe 10 years old and can you also explain it to somebody who's 65 years plus? Because we tend to forget that part of our society completely that as if people who reach a certain age are not part of our society. So if you can explain it to both the sites simply, then those conversations can actually go in the direction where we all want to go.

Rachael: That's a great point. 

 

The Advantage of Consistent Privacy Regulation

Petko: So Misha, I'm thinking long-term. I mean we have California, we have Virginia, we have Connecticut, we have all these states who are saying, "We don't have overarching omnibus approval at the United States level. We're going to do our own." But do you think we'll ever get there where technology companies will say, "Look, we've had enough. We can't have 50 different laws we need you guys to agree."

And they'll ask the federal government at some point, let's just have consistent privacy regulation versus all these onesie-twosies. Because I can't imagine how complicated it would be if, oh, I have to factor in how I treat someone's data based on what state they're resident in. And if they move, God forbid. 

What do I do with old data? Do I retroactively have to now consider that sensitive as well? If I'm in Texas and I move to California, does now all my data related to all my activities that I did while I was in Texas protected under California law? So I guess my question is, do you think we're ever going to have some overarching sweeping privacy regulation across the whole US?

Mishi: I thought everyone from California moved to Texas, not the other way around.

Rachael: You're very true there, Mishi.

Petko: I mean Texas is kind of cold lately, so I think people moved to California.

Mishi: Taxes, no taxes.
Rachael: It's like 80 degrees here. What?

Mishi: Do you have electricity right now?

Rachael: Not cold today.

Mishi: Is the power there?

Rachael: Yes, we do have power this time. So that's great.

Mishi: Sorry.

Rachael: So we're lucky today. You never know. That's what's so exciting. You just never know, Mishi.

 

[22:10] A Machine with a Mind of a God

Mishi: That's actually a very, very good question. In fact, something which we have all been waiting for a very long time and you are right. I think, in fact, on the hill also you've seen efforts where I think the companies realized early on that regulation is coming no matter what. And these are smart people.

They know that whether it is any advanced society, governments and courts are beginning to reckon with extraordinary difficulties. Which have been posed by these centralized platform companies or whoever is operating media. And they're changing human civilization.

I don't say that lightly because these companies survey our daily social behavior. They read our mail, they spy on our social interactions, they present edited newsfeed, personalized advertising, and they're building a machine with the mind of a God.

And they have acquired breadth and depth of social power over our impulses and behavior patterns. That exceeds any similar form of influence, public or private, in human history. So they know that such legislation is coming. 

And they want to influence that legislation so that it completely doesn't destroy their only business model, which they know is surveillance capitalism. But you know how functional congress is. Now we are in a different cycle.

Now we are all waiting to see what 2024 would look like. And like most administrations, the first two years things get done, and then two years are preparation for the next term. Then something perhaps will happen or not happen. However, I don't think that the US can actually stay ahead of where the world is moving.

 

The Need to Provide an Alternative

Mishi: Both in terms of advancement of technologies. We can all be very scared about AI, what Chinese models would look like, what other people's technological advancements do. Taiwan is giving the CHIPS Act or everything else, but we cannot then say, "Oh yes, this part we will not do."

So there is something coming. What it would look like? I'm not sure right now. Europe has a much easier time doing it because honestly, I think they're not going to like me, but they don't have much innovation going on. 

But they have a lot of good laws coming up. Because where are the alternatives? If they could create an Airbus for a Boeing, where is their own Google or whatever they want to build? And they're extremely smart people with a great sense of history, so they need all of that.

And people need tools and people would want to say, "Okay, you’re telling me Facebook is bad. Can you tell me what else should I use?" So there needs to be a European answer which is built not only in European commission, but it is also built in products. 

So India is trying, but as I earlier said, honestly, if we would stop in India, you're yo-yo-ing between do we want democratic principles or we don't want one. I think we would be much better off creating those privacy-respecting products.

And that's why despite everything, both Europe and the US still have a very important role to play in where the leadership goals in the world on these issues. But don't hold your breath. It's not coming tomorrow.

 

The Privacy-Cannabis Act

Rachael: You keep hearing rumblings of it for sure. But yes, what is a timeline for something like that? Because it's huge. It would be huge. And then to try to of course pass it is the other piece. It impacts everybody, that outcome.

Mishi: Well, until then we can all buy more privacy-respecting stuff.

Petko: So I got a tough question for you, Mishi. If you had to bet which would get passed first, a federal-level approval for consistent privacy across all states or federal-level approval for cannabis?

Mishi: Ooh, I'm not a betting person, but this one is cool. What are the odds?

Petko: One's ahead technically in a number of states, right? While the other one probably has more pent-up demand.

Mishi: That is a good one. I wish we privacy folks had the same PR team as the cannabis ones or the same impact.

Rachael: Maybe they could be combined. Maybe there's some goodness in bringing them together. I don't know.

Mishi: I don't know.

Rachael: The Privacy-Cannabis Act.

Mishi: They want to smoke it all on the streets. They really don't care too much about the privacy aspect of it. You can walk on the streets of New York and actually get a lot of secondhand smoke these days. So I'm not sure if the combined effort is there. I don't know.

Actually, that's a very, very good question.

 

A Common Ground in Federal Privacy

Petko: And I think it's an important question because it's going to dictate what Congress picks. They can't do both. They're going to end up having to do one and at least in this session or decade, whichever it is, right?

Mishi: Despite all of that, I do think it's much easier to point at the cannabis thing to still stay in terms of on the state level because a lot of criminal law is also at the state level. And I would say that the federal privacy one is, I'm not sure about the timelines, but I do think that there is at least the ability to find common ground between the two political parties there. Well, tooting my own horn.

Petko: As a lawyer, you're saying we're going to probably have privacy for us before we have cannabis. That's what I just heard.

Mishi: As a lawyer, I'm only saying, dude, where is my invoice?

Petko: Oh, these billable hours that lawyers have to deal with all the time.

Mishi: Well, I went in-house, they bought my soul now. I don't have to do hours and hours. You know what, no, I really don't have a clear answer to that. Mostly because I do find it very fascinating and I do think there is overlap for both parties. My problem only is these conversations because they have these companies which are also providing a platform to speak for political actors also. So all of those, get conflated all the time. 

 

[29:47] Putting People at the Center

Mishi: So the moment you mention like social media, misinformation, disinformation, which oh, whether it is it has a liberal bias or it has a conservative bias. Those conversations just cloud. And I'm like, yes, these are all important issues.

But the kitchen sink, if you're going to throw at it, how will we solve anything? And these are overlapping to some extent, but they still cannot be all done with realm legislation. 

That's why the conversations sometimes are a little frustrating. I also think that we tend to think, "Oh my God, Europe is becoming too regulatory, burdensome." But to be very fair to them, they have put people at the center and they have taken the leadership to show that we will have to do it. And it is an important market.

So businesses have adapted to sell to that market. It's not that we can't get it done here. So I will say still, maybe what I'm doing is I'm just projecting my own desires and I'm like, "Oh, I want privacy. Cannabis? Whatever.

People can go to another state." 

But what I'm thinking is that if they can handle the privacy part of it, Congress would also come to think about it that many of the other aspects are more complicated.

Content moderation, who takes in, who takes out, those are different and somewhat collection of data feeds, all of that. So if we fixed at least collection of data problem, we would've addressed some bits of it. 

 

Privacy as a Protection for the Users

Mishi: But we need to really segregate even if the companies are so big that everything looks like at only one monster when actually, there's several people under the overcoat. 9 or 10 of them, or I don't know, 15.

Rachael: Yes. Well, I look forward to the day that we get some alignment at the federal level because if you end up with 50 different state-by-state types of laws, I imagine that would be very difficult to navigate.

Mishi: Yes, sister.

Rachael: That goes to point earlier.

Petko: Well, but Rachael, I'm curious, which one are you looking for? Cannabis or privacy?

Rachael: Oh, well I told you.

Petko: I'm not sure.

Rachael: Just bring them together, Petko. Just a twofer. Can we do a two-and-one? Yes, no, I imagine privacy would come online first myself, just given how long we've been talking about it and how incredibly imperative it is. And we've talked a lot too about kind of privacy as it relates to like cybercrimes and cyberstalking.

All of these things that you have literally no recourse for in many ways unless you're able to get an IP address and prove all these things. 

 

Looking at a Different Perspective

Rachael: And so I think you get a privacy federal regulation and you start getting in a step in the right direction of where we can address some of the more nefarious things that are happening over time. But you got to start somewhere, right? So that's my hope, that's my positive affirmation for the day.

Mishi: Well, I've done my job. I have one person in my corner now.

Rachael: Yay! Well, Mishi, I do want to be mindful of time. I know we've run over. Thank you so much for joining us today. This has been, I think by far my most fun conversation in a long time. So thank you for that because it's such an important conversation, and you got to look at it from so many different perspectives. Thank you for bringing so much of that prism. Prism to light here today for our listeners.

Petko: Absolutely. Thank you.

Mishi: Thank you. You both have been very generous and a lot of fun and putting up with my long-winded paragraph-talking self, but I'm very excited. I was very glad to be here and talk to you both.

Rachael: I loved it. So to all of our listeners out there, thanks for listening again this week. And be sure to smash that subscription button. You get Mishi's episode right in your email inbox every Tuesday. So until next time, everybody. Be safe.

 

About Our Guest

 

Mishi Choudhary, SVP and General Counsel, Virtru. A technology lawyer with over 17 years of legal experience, Mishi has served as a legal representative for many of the world's most prominent free and open source software developers and distributors, including the Free Software Foundation, Cloud Native Computing Foundation, Linux Foundation, Debian, the Apache Software Foundation, and OpenSSL. At Virtru, she leads all legal and compliance activities, builds internal processes to continue to accelerate growth, helps shape Virtru and open source strategy, and activates global business development efforts.