[00:00:10] >> Hello everyone, welcome to the Institute for Information Security and Privacy lecture series. I'm quick Reisman, director of programs here at the IISP. For those of you who are joining us for the 1st time, today we have Peter Swire, one of our esteemed professors at Georgia Tech; he's also an associate director here at the IISP, and he's going to speak on data portability and cross-border data flows. Hey, Peter. Well, thank you Gloria, and hi everybody. And as I said in the chat, so you can start to look at it as you go along, I've got the topic for the 1st 30 minutes, which is data portability, and then a different topic for the 2nd 30 minutes, which is cross-border data flows, and I'm going to stop after data portability and invite you all to be thinking if you have any questions or comments. [00:00:59] And I have a courtesy appointment with College of Computing and with public policy, so I work to go across boundaries, and I'm not going to open up my aunt though. Hi everybody. Here's how these 2 parts fit together. So if you're working on cyber security or privacy, both of which I do, it's very often essential to map the data flows. So if you're doing cyber security: how did the attack come in, what exfiltration is happening; you need to figure out where the data come from, where is it going. And for privacy: how is the personal data, or PII, personally identifiable information, collected by the entity, processed inside the entity, and disseminated to someone else. Our 1st topic today is portability: when should there be mandates, legal rules, to transfer data from Alice to Bob, or more likely from Facebook to some other company. The 2nd topic is cross border: when do the rules change that the data flows across borders. The Internet was designed by its creators to be truly global, but it turns out nation states have something to say about.
[00:02:05] So my background, you heard some of this: I went to school for a long time. I wrote my 1st article on the law of the internet way back in 1993; it's hard to imagine, but this is how long I've been working on these topics. And as Gloria mentioned, I worked in the White House under President Clinton, so for the HIPAA privacy rule, medical privacy, who I was the White House coordinator that rule together. I helped write the rule for the banking privacy as well. I chaired the White House working group on encryption, so I was really involved in 1909 in what the U.S. government set of rules should be for encryption, and we opened up the possibility of strong encryption. And also chaired a White House working group on how to update wiretap laws for the Internet; a lot of my work is on surveillance and wiretap stuff. [00:02:48] I started teaching a full semester course on cyber security, or the law of cyber security, in 2003, so early on there. And as Gloria mentioned, after the Snowden revelations in 2013, President Obama in the news when 5 people to do the NSA review group, say what should we do for NSA reform. And as Gloria also mentioned, I work with the info Institute for Information Security and Privacy. So when I worked on the review group, there was a nice picture: on the right, President Obama; to his left is Michael Morell, used to be head of the CIA; to his left, that's me. I'm not falling asleep, I'm listening closely. So we're in the Situation Room and we're trying to figure out how to reform the NSA.
[00:03:30] So here's some things about classes you might be interested in. Every fall I teach with Professor Annie Antón of the College of Computing; the course we're teaching right now is called Privacy Technology Policy and Law. And each spring, including this coming spring, I teach a course called Information Security Strategies and Policy. It is cross-listed through public policy and Scheller as well as computing, and the spring course teaches what you might think of as the non-code aspects of cybersecurity, of which there's many: companies in international affairs and government. Was the Monday night class, so there's a few scheduling conflicts. A project based class, but there's some writing involved, but there's no test or exam. And then we also with the great Kennedy may have created a course called Privacy for Professionals; that's an online course, and I don't know what the rules are going to be going forward about you taking online courses, but it tracks what it takes to be certified as an Information Privacy profession. But these are things you might find interesting; we welcome you to the classes. There's data portability. Here's some reasons why there is current interest in this topic. One is that GDPR, the European privacy law, went into effect a couple of years ago, and it contains in it the right to data portability: an individual has a right to transfer his or her data to a different service or to themselves. And California went and passed the California Consumer Privacy Act, and that went into effect in January of this year. So California is a huge economy, and GDPR
is Europe; a lot of the industrialized world right now has a right of data portability in place. If you're building your systems for consumers, you have to think about how to build. Also, as you know, right now there's huge policy debates about digital platforms, monopoly: is Amazon a monopoly, is Google a monopoly, what should be done about it. There are privacy issues, there are antitrust issues, and so portability comes into, as we'll see in a minute, both privacy, antitrust, and cyber security. [00:05:27] Also, while these general rules about portability are happening, there are sectors of the economy where there's already mandatory data portability. So in March this year, U.S. Health and Human Services released a rule requiring portability and interoperability in certain way during the health care sector; that's 20 percent of the economy, and you have to do something about that. In the European Union they have a financial services set of rules, that's open banking, the e be able to transfer, in the United States, from Bank of America to Wells Fargo or some other bank, and the U.S. has some similar laws that are in place for the financial side. But terminology: in the report that I issued in the last few weeks, which you can, if you do Swire data portability and SSRN, for Social Science Research Network, you can see the report, I proposed some terminology to help us here. And the right of data portability, like Europe has, is the right of an individual to transfer data, and portability with a small p is the kind of term of art: transfer the data of one person. And that's the individual right you would have to transfer to yourself, get your stuff out of Facebook, or to a 3rd party. But there's a lot of discussion in the antitrust area, in Congress, in Europe there's a lot of discussion about mandating transfer of whole databases, sharing of more than one person.
[00:06:50] In Europe sometimes that's called data sharing, but data sharing means about a 1000000 things, and my paper proposes calling this other required transfers, which would give us a lovely acronym of PORT: portability or other required transfers, of individual or multiple people. In the U.S. health care rule, for instance, a hospital might have a software provider, and they have a right under the law to transfer all their records to a different software provider or cloud service; they can't be stuck in their own service, and Europe has similar rules. [00:07:23] There's also a term, interoperability, and a lot of you have, you know, computing background, and I think the best way to use this word is as a technical ability of 2 or more systems to exchange information. So you can think of common data formats, common communications protocols, and other technical mechanisms good naval operations 2 or more systems me. That's when interoperability is done; portability is when there's a mandate for an individual or a database to go from one place to him. And as we said in. [00:07:53] The European GDPR
has this right, and the transfer in this and other laws are supposed to be without hindrance, and as you see, when you think of cyber security, without hindrance might be pretty scary. And in California the law says the individual has a right to see their own data in a portable and readily usable form, because that's what's going on right now, and if you build systems, you have to build the system. So here's the dilemma when you think about portability: do we want to open up data flows or do we want to close down? A pretty simple foundational question. The people who do antitrust law, competition law they call it in Europe, you know, there's many, many reasons to open up data flows. So let's assume that there's a large valuable database of, say, all your social or all the things you bought from big online retail. If other companies had access to that data, if they could play with it, if they could come up with new projects, new services, then we'd have more innovation, we'd have more competition. And so the people who think about antitrust and are worried about monopoly power of the platforms, they're coming in saying we've got to open up, we've got to open up these data flows so more people have access to that. And that's convincing if you want to have more competition and less monopoly. On the other hand, you know, we're here with IISP, we do privacy and cyber security; a lot of times you're trying to lock down or close the data flows, because we know for these reasons, what if the data gets into the hands of the wrong people.
[00:09:22] In cyber security that's often a focus on unauthorized access: a hacker or an insider who's not supposed to see. And privacy is a focus on, well, who should be authorized to see the data, and we're often careful about that unless the user really wants it to happen. So there's reasons to open up data flows from antitrust, there's reasons to close data flows, how they have to decide. And just a couple of quotes to give you a sense of what's being talked about at the high levels of government. The Federal Trade Commission does a lot of the U.S. competition and antitrust law, and their head of competition said this year that the relief we might need for these monopolies might include an obligation to provide the data on specified terms. This is the U.S. government enforcement agency saying we might need to require these data flows to have competition. And they had this Federal Trade Commission workshop a couple of weeks ago that I was the introductory speaker for and on a panel. In Europe, their head of competition said they're worried about the prominent position of data in digital markets, that it is superimportant spoil of the new economy. And what does she say should be done about it? Well, the need to ensure the possibility of venture e. new competition might argue in favor of mandating access to data. We already have these laws on the books, portability rights, and now we're seeing calls from the major regulators of pushing harder for mandatory openness. [00:10:46] So how to respond to the dilemma: open is good, closed is good, how do we decide when to open and when to close down? My study proposes a well designed portability and other required transfers impact assessment. You know, we do privacy impact assessments in federal agencies in the U.S.
and Europe, they do data protection impact assessments. Let's try to figure out the structure, intellectually, of what it would take to decide when portability makes sense. And the study, the methodology, was that with the people I was working with, we drafted structured questions 1st: here's what we think the intellectual structure is to think about the portability. Now we're going to test this against a bunch of case studies, which we did not show you some of the case studies in a minute, and we changed the structure of questions, we learned from the case studies in depth, and we validated what the structured questions are to help us think about when is it a good idea or a bad idea to have portability. Here's the case studies. The 1st, one of the most famous success stories, is phone number portability. So if you're using I don't know if you can see today and you want to switch to T-Mobile, then you're able to keep your cell phone number. And that's not because the companies love that idea; the companies would love to lock you in and have you keep your cell phone number only with them. But in laws that were passed about 20 years ago in Europe, United States, we said there's a requirement that they let you mobile or your mobile phone them. Now that makes portability look like this huge win, but what we found when we looked at the case studies is that successful, but it's a misleadingly easy or simple case.
[00:12:25] So it opens up data for competition, you get to move your phone number to the new carrier, but most users want to have your phone number known so your friends and colleagues can call you. It's not a privacy problem; you want people to know your phone number. And beyond that, for cyber security, the history has been you're going and showing up in person and getting an account; there's a lot of cyber security authentication at the time of numbers. So cyber security and privacy are pretty easy, opposition says let's do it, everything was pushing the same direction. Now the other case studies we looked at: the U.S., something called the Dodd Frank law, requires portability so you can get your records out of the bank and into Intuit or Mint. Europe has similar laws like that. For health care, I already mentioned this Health and Human Services rule, and the HHS rule that came out in March is trying to encourage to be able to get your insurance company or your medical provider to import your data in a smartphone app, so you can have your own app in your phone to do cool things to manage your data. It also has health IT requirements, but that the people that the software companies and cloud providers are going to make sure that the people who have health care records can port it to a new health provider. And that's U.S. law. Case study that looked at government databases have open data requirements. I've been an expert witness in another case where there's this special law in some states about automobile dealers. But the point here is we looked at real live case studies for portability and said, what do we learn from. What we got out the other side of this process is a set of structured questions, and I'll briefly go through the high level points just so you know, just to show you the intellectual structure of how to think about opening and closing. Step one, the most important step, is you have to define the data flows.
[00:14:15] Where does the data come from, where does it go, what types of data have to be ported, what specifically are the legal requirements. This is flat out description: think about what the data flows are, then you can start to think whether a good idea or not. Now there's a bunch of benefits from flowing data. The 1st one here on the list is, what about antitrust and competition: maybe you have network effects, maybe you have lock-in effects, maybe there are barriers to entry, so let's make sure we figured out what the reasons are to maybe open up the data flows for antitrust reasons. We want to have innovation and other commercial benefit from having the portability. And this, we might have noncommercial benefits, so a lot of computer science people and just ordinary people want to have control over your data; you don't want to have your data stuck in one service where you can't get it out. There might be regulatory and legal effects. There might or might not be feasible in practice. And the last one is look at the incentives of who's saying it's a good idea: look, if they're saying it's a good idea because they think they're going to get the data, they might be right, but it might be that they actually sort of have a skewed incentive to try to exaggerate the benefits. Now there's risks and costs. [00:15:27] So there's a series of some questions on privacy risks: what about identify data, what about the risk of de-identification, what about the risk that the privacy data flows are going to open up data about other people. So if I have a picture with you, do I get to port it, or do I have to ask your permission 1st before I take that photograph and take it out of Facebook and put it somewhere else. On the cybersecurity side I'll briefly mention 3 things. The 1st thing is you have to have good authentication, or else portability becomes a new way to have. The 2nd thing is on security, that you need to have security in transit, which often means having an API
in place for security. And the 3rd thing for security is there's going to be standards for data formats and things, and you want to have security built into the standard. [00:16:16] Ok, so we have portability seriously a cyber security risks. There's some risk that can happen downstream, right: you transfer the data to 3rd party recipient and maybe they do something wrong with it. And there might also be discriminatory stand in for people are trying to prevent you from getting access to the data, to watch out for how those standards were. [00:16:39] Competition often says open up the data flows, but competition could also be, hey, I have an idea, let's have Facebook and Google get together and set up rules that help them and hurt everybody else. So you have to make sure the rules for sharing data make sense. So we have benefits, we have risks, and we have here a structured set of 14 questions to try to help you do the assessment. So why would we maybe go through the hassle of doing a portability impact assessment? Well, there's all these new laws and proposals, and frankly most people are not expert in privacy and cybersecurity and antitrust. I happen to have taught all 3 of those, but most people haven't. And so in practice you're going to need a team of cyber people and privacy people and antitrust people to assess whether this portability idea is a good one. In your company, do it or not, maybe, maybe not; you're probably going to need a team to think through what the implications. And then it also provides a systematic way to assess what's good or bad here, you know, help antitrust regulators realize they should think about privacy and security, to help the privacy regulators realize that competition might help people and so they should be a little more open to having data flows than they might be otherwise, and the companies can assess what are the most promising initial.
[00:17:56] The conclusions, and then I've saved a few minutes for questions and comments. Opening up data flows, transferring data, can have great benefits, right: the competition, for innovation, for freedom of choice. Closing data flows also can have benefit: we can have better cybersecurity might, my PORT impact assessment provides a method that's Ignaz to get out his proposal: what are the benefits of the transfer, what are the costs of the benefit of the transfer, and we increase the benefits, like do it in the right places, can we reduce the cost, that's just fixing privacy in the right place. And so the idea is, for this complex and increasingly important topic is coming into the laws all over the place, the portability impact assessment can assist policymakers and companies to reach better decisions. In the end the show for now I say 5 or 7 minutes, and really I'm here for you; are there any comments or questions. [00:18:50] Let's see, so the 1st one I see: what I think about the concept of self sovereign identity, SSI, the blockchain models. So we might, I might need some help from you in understanding it some more. Need so blockchain. Has certain properties that a lot of you know better than I do that I've worked on, as one of the things that blockchain can do is have. [00:19:20] Very good records that are not easy to alter about what has been done with data over time. And on the other hand. I don't know enough about SSI, and I wonder, are we able, Carly and Gloria, to let Christopher Kaufman speak so you can explain it? But unfortunately our technology currently is not set up that way, so maybe it won't respond in chat. I don't know if you can use a few more words about s.s. i.d.m.
Sorry I don't, but I think, I think on blockchain what I'll say just generally is that there are sets of applications where it makes sense and there's a ton of applications where it doesn't make sense. In my experience it's not going to solve, if there's data in a database, it's not going to solve the problem that the people who work with the database can see stuff. [00:20:17] Let me go ahead to the next question. And California people have to use the data and the so that the 2nd question is can they be transferred to another party, and white the answer in my understanding is that they should have the companies in California are supposed to make it so you can move from service A to service B. [00:20:39] And a lot of the companies do that, because if they're big enough to have to build it for California, they're big enough that they're in Europe, and in Europe it's very clear that you have to be able to transfer it to another service. And frankly, for a lot of ordinary users, downloading a huge stack of data and then uploading it to a new service is a pain, and so there's something called the data transfer process project. If you're interested in seeing how this is being done in the world, the data transfer project has a series of open source. [00:21:15] Modules that are designed so that your company can interact with the data transfer project, who can then send it to the other service. That's an effort to make it easier for consumers to move from service A to service B. Christopher Kaufman asks a different question about OFAC; that's the Office of Foreign Asset Control. [00:21:37] So.
I think we're going to get into some cross border things in a minute. One of the things to be aware of when you're building your systems is you're not supposed to be trading with terrorist organizations, you're not supposed to be trading with countries like Iran or North Korea that are on sanctions list. And so especially when you're in a company that's big enough to care about these things, and the company especially in the financial services side, then you have to be aware that you can get in trouble if you're trading with these sanctioned entities, and that's something to be aware of. [00:22:11] Let's see. So SSI is a concept that you can hold the key to your personal information and grant and withdraw access though there's. I'll speak to things I know about rather than going down the rabbit hole of sort of understanding what you're saying. There's been a ton of efforts, and venture capitalists have gone broke. [00:22:40] Trying to create business models that work like this. Sometimes they're called data infomediaries. So if Chris is the person, Chris might want to have more control over the data, so you hire Peter's very trusted service to say, hey, I'll show some of this data to these advertisers and some of this data to this social network, and then I can grant and withdraw privileges. And so Peter's trusted service is basically making it so that you have really granular control over who gets to see your data. And probably also in those things there's a bunch of activities such as advertising that's happening either on your device or on the device or on the service you share with Peter's for us to data source, but the 3rd party out there doesn't see it. So people with a crypto background, people like people in the audience, have been proposing variations on for 30 years. David Chaum, C-H-A-U-M, and Stefan Brands have written books and tons of stuff about various.
[00:23:46] He works for a global bank. Well you know least I called it called where you are, where you're coming from. But if you go back to the books by Chaum and Stefan Brands, you'll see a lot of really cool crypto where either you, or you working with your trusted service, can do selective revelation of your data. [00:24:07] Up until now no one's figured out how to make that pay, no one's figured out the business case. And one of the reasons is, you know, you're thinking about dealing with the Amazon or Facebook, and now Peter's trusted service claims you can trust me, but who the heck am I? I don't have a great big franchise; why would you trust me to really be in charge here? And so the trust problem is trusting the infomediary. [00:24:33] And so it hasn't so far taken off. Ok, so we've done at least a few questions, and I thank you. I'm going to move to cross border data flows, and we have a bunch of time for questions on that. I'm going to. Go back to my slides. Ok, deep breath. Part 2: a different kind of data flow problem. Instead of data flow from service A to service B,
it's a data flow between Europe and the United States or Europe and other countries. So in July, the Supreme Court for Europe, the Court of Justice for the European Union, issued a major decision that I think quite possibly bans many flows of personal data from Europe, the European Union, to the United States. And the case is usually called Schrems II, after the name of Max Schrems, we'll talk about in a second. So Europe's had stricter privacy laws since it went into effect in 1998, was what was called the Data Protection Directive. What we call privacy in the United States is often called data protection in Europe. It went into effect in 1998 and was adopted for 2 different reasons. One of the reasons was to have uniform data protection laws so that France and Italy and remaining all the countries inside of Europe could flow data back and forth because they all have the same privacy rules, and another reason was to protect privacy. But here's the kicker, this whole idea of adequacy, and the idea of adequacy is: if Europe has all these strict privacy laws, what about when it goes to India, to China, to the United States. [00:26:09] How well they are maintained protection for the European people when data leaves the European Union. So coming out of the book that I wrote here in 1988, and then I was working government in 2000, we created something called a safe harbor, which basically said when the data leaves Europe in the hands of one of the companies that signed up for Safe Harbor, when the data leaves Europe, the companies have to pretend it's still European data; they have to keep the same kind of European legal protections in place. And the focus here is on companies being able to protect the data when it comes from Europe to the data center in the U.S. And in those days the level of compliance in Europe with actual laws was very low; they were this sort of aspirational laws. Europe has declared that these rights, fundamental rights to privacy, exist, and now we're going to.
[00:26:57] You know, say that that's the law, but it took a long time for it actually to get built out in practice. So here's a picture of this guy, Max Schrems. He's from Austria, he went to law school, and he went for a semester abroad in the law school in Silicon Valley. And here's what happened in that meeting: there was a guy from Facebook there, was giving a lecture with slides, and on the slides it had a picture of the Irish Data Protection Authority. And Ireland, as a lot of you know, is the headquarters in Europe for most of the big U.S. tekla. [00:27:33] And this Facebook lawyer says, he's sort of laughing, he said, yeah, look, the Data Protection officials are in this office above a pharmacy, like this little tiny set of things; how are they going to keep track of the global giants like we don't worry too much about those European privacy laws. Well, in the audience was a European privacy lawyer who got pissed off, and he went back to Austria and he started to harass Facebook. He requested all his data from Facebook, he was 23 years old at the time, this is about 10 years ago, and Facebook, instead of getting a CD-ROM or a download, printed out 1200 pages and delivered it to him in pretty much unintelligible form. And he was pissed off; he said, they're like playing with me, I'm going to play with them. So one of the things he did is he filed a complaint in Ireland against the growing Data Protection Authority in Ireland big.