S2E2: "Software Libraries, SBOMs & Wicked Privacy, Oh My!" with Michelle Dennedy (PrivacyCode)

Debra Farber  0:00 
Hello, I am Debra J. Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy by design and default into the engineering function to prevent privacy harms to humans, and to prevent dystopia. Each week we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding edge of privacy, research and emerging technologies, standards, business models and ecosystems.

Debra Farber  0:27 
Today, I'm delighted to welcome my next guest, "Privacy Jedi" Michelle Dennedy. Michelle is one of my personal heroes with over 20 years in privacy, data protection and innovation. She has served as Chief Privacy Officer of Sun Microsystems, McAfee and Cisco. and she authored the seminal work, "The Privacy Engineer's Manifesto, Getting from Policy to Code to QA to Value" and companion workbooks. Currently, Michelle serves as Founder and CEO of privacy tech company, PrivacyCode, and is also a Founder and Partner at Privatus Consulting. In addition, she's a sought after advisor, serving on multiple startup Advisory Boards, including The Rise of Privacy tech (along with myself), Privitar, Data Protocol, Cytrio, and Drumwave. Welcome, Michelle!

Michelle Dennedy  1:20 
Thank you very much. It's so good to chat with you as always, Deb.

Debra Farber  1:24 
Great. Well, I'm so glad you're here. I know, you will often say that "privacy is a strategic business enabler," and I agree. And, you've also said that "data is central to driving decisions that matter to build trust, execute operations, and fulfill promises, and privacy and data protection is therefore central to those tasks." Can you expand on that a little bit for us?

Michelle Dennedy  1:47 
Yeah, definitely. I think it's really interesting. I was just having a conversation yesterday with a gentleman where I was saying, when you look at some of the juggernaut companies of our day, right now - the big digital blockbuster companies that are trillion dollar revenue companies - I was asking the question: if we properly accounted for the cost of goods sold of those digital goods, would they still be trillion dollar companies; and, are we really looking at what does it cost to produce a digital environment? And so, he just looked at me like I had lost my mind. So let's go back in and kind of unpack a little bit about what do we mean by cost of goods sold? And is privacy a cost? And...and is it a compliance drag? Do we even have it? As my old buddy Scott McNealy once proclaimed, "Privacy is dead," and he said, "Get over it." I think that was wishful thinking on his part at the time. And so what do you mean by all of these things of value and privacy and values?

Michelle Dennedy  2:56 
Let's take a step back of sort of what's really going on here. So, when we look at some of these huge, huge companies, would you ever have thought in a brick and mortar setting that essentially a bookstore, grocery store, and sort of notion store would be a trillion dollar business? And if you threw in a magazine...a newspaper company and a grocery store (I guess I already put in the grocery store), these are not businesses that are known for being a huge fat margin businesses. And of course, I'm talking about specifically Amazon right now. And no, the answer's no. Providing tangible goods requires gas and people and time and space and sweat. And so, now we're talking about what does it take to deliver, in this case, real goods. There's real goods being shipped hither and yon, but on top of those real goods, we're also adding in surveillance. We're going to actually follow the behaviors of the entire shopping journey from the time you go into the virtual environment. You're shopping around your stickiness. Your presence remains after you've left and there there becomes this buildup of you, this residue of you left behind; and, that is the piece that is apparently worth over a trillion dollars: our collective residue. And so, if you look at it and say, "Well, wait a minute. This tangible act of supplying me a book or supplying me a grocery or supplying me, you know, lipstick on-demand through the mail, that should be the same cost or less. And so, the profit margin being that much bigger, why wouldn't that differential be the digital cost of the information about the human beings? So, if you look at it that way, then it becomes kind of obvious like, "Hey, that corpus of information is obviously valuable," and so I think we can all agree about that. And so if we put a label of "marketing" or "advertising" on it, we see this trillion dollar business. And it's not just Amazon, obviously. You can see all of these digital relationship businesses, and everyone's got a digital footprint now. And so, we're looking at how are we pricing information? How are we sharing information for pay? How are we building up our brands? Etc. And we can see very easily that that transaction, the analytics, the AI, the IoT, observational data is worth valuable money. Well, when that information is associated with humans and human behavior, we in the privacy world call that "privacy" or "data protection." And so that's what I mean that when privacy is a strategic business enabler; if you're doing privacy well, if you're doing it efficiently, you're making sure that you're not doing so much observation in such a ham-fisted way that regulators come after you and fine you, oh, say, I don't know, 400 billion euros, or you do it in a way that people actually want to engage with you and don't try to promulgate rules and regulations so that they ban the application entirely because they're worried that your application is spying on an entire populace. So, there are ways that we can look at data and the tracks that we're laying down as a common good, and value, and something valuable, and something even fun. And there's other ways where we can look at it as a drag, as something compliance-heavy, as something "Oh, woe is me. I gotta go do." And, I think somewhere in the middle is the fun of privacy, privacy engineering, and shifting left of saying, "Let's assume for a minute that data is valuable. Now what?" That was probably more expansive than you wanted when you said, Expand on that."

Debra Farber  7:00 
Oh, no. I thought that was really comprehensive. I think that's excellent. I think you really explain why you feel privacy is a strategic business enabler; and, you know, I definitely agree with that. I think, you know, I guess one of the challenges I see right now in the market is that while more and more people are agreeing, "Okay, I could see how privacy could be a strategic business enabler, we're still seeing large organizations push forward with privacy-invasive techniques, getting a lot of money from consumers from hoovering up their data, and, you know, maybe through dark patterns or through online behavioral advertising or through ways that consumers aren't so informed about how their data is being used. And I'm seeing VCs, scale these organizations as opposed to saying to them, "Hey, privacy is a strategic business enabler. Don't do that" or "I won't fund your organization unless you are focusing on privacy." Right? Very often, security is used as a shorthand for all things trustworthy within an organization, and it's not. Security is just one of the many facets of risk to address, and that needs to be built into your systems. Right? So how can we change the investment thesis and get them...get the VCs and Angel investors to direct more of their attention to the privacy problems?

Michelle Dennedy  8:27 
Yeah, I think, so...I mean, we've gone from market to VCs, and surprisingly enough, those two things are so, so tangentially related. It's surprising sometimes. So these are more a mood than an algorithm. I'll put it that way.

Debra Farber  8:46 
So, can we put that on a T-shirt because I would buy that T-shirt?

Michelle Dennedy  8:49 
Right? I think so. I think...I think they will admit to that...is like, you know, it's...if you ask somebody what the price of a stock is...it is...the price of a stock is the price that the stock is at. And that's sort of like: what will a VC invest in? They will invest in what a VC will invest in. So, I think there's there's a couple of things. I think, A) the exciting thing is there are venture people who are long-haul investors, who are interested in value creation businesses; and, those are the ones that I love talking to because those are the ones who are realizing that, you know, we're having this conversation early 2023. All signs point to some sort of slow down. It's a weird one: it's not like 2001; it's not like 2008; but it's not as bad as the 70s. But we know that capital, even though it is incredibly plentiful, is being conserved for very rarefied purposes. We'll put it that way. There's a lot of capital in the market, more so than ever before. There's a lot of capital for data-intensive businesses, more so than ever before, and knowledge-based applications and businesses, and efficiency models that are highly-specialized. So, one would think that a highly-specialized information-based system that will be served to a human and knowledge that will be created to be leveraged by a human - i.e. privacy - so, information about that individual and detailed information about that market and marketplace about people (so, privacy-sensitive), you would assume that there would be a ton of money just saturating the marketplace for companies that build into the fabric of this new economy, a repeatable process where information value can be created, generated, stored and distributed. And each one of those phases for privacy is absolutely blue ocean. Everyone's doing things on spreadsheets and paper and writing with sticks in sand right now. So, it really is sort of an invention-palooza in privacy right now.

Michelle Dennedy  11:16 
So, where you're seeing venture people who are looking to build like we did in the early aughts, that's when we looked "Huh, software, cheap; hardware expensive. What if we did something that we'll call cloud?" Well, that's what got built after the dotcom bust. You started to see application stores, and you started to see the rise of mobile phones getting denser and denser; and, app stores and music started to be freed under licensing models because software started to eat the world. And now, you start to see, here we are 20 years later, data is biting back. So maybe software did by eat the world. But the reality is, the logic that says 0/1, on/off on/off, but didn't direct that energy anywhere and didn't curate who the buyer was and who the seller was and was that a valuable electron. Well, that created the world we're in now. So, now we're looking at the substance. So, we've got our hardware, and it's distributed in a hybrid cloud network of clouds. We've got our software (and there's a lot of it), and we're trying to figure out how to secure it. And that's a that's its own palooza of security. I mean, I can't believe they're still VCs re-investing in the same old: same old, same old, you know, virus list. Right? Like, how many times do you see that company? Or a privacy vault - I mean, we've seen a thousand of those companies; but, we're not seeing a privacy vault in use in the supply chain of data, and that's an exciting company to me.

Michelle Dennedy  12:57 
So, if you see this as a marketplace, it's growing a marketplace that's riding on top of the natural progression of where we've seen the evolution of the rest of the technology stack. You start to see the smart VCs and the bankers and most importantly, the buyers. This is where the marketplace has to explode. The Chief Privacy Officer is a buyer, but not the buyer. The smart CMO who can no longer count clicks or depend on analytics to be the metric that's going to show that they've been a good boy or girl in their little C-suite. They're going to have to invest in privacy and privacy engineering because, again, when we're curating data about people, we're doing marketing. So marketing people are going to invest in privacy technology. If we're doing curation, to make sure that we're within the regulatory boundaries, we're probably going to be more in the legal sens, probably be closer to our Chief Privacy Officers. If we're going to be building product and dealing with these clouds in hypercloud space, we're probably going to be deep within the engineering bowels; and, so those privacy engineering teams and the shift left, that's going to be your buyer for privacy tech. So we've got lots of different buyers. We got lots of different pieces along this natural progression for all of the various tools and technologies that are just starting to come over the horizon in the privacy technology and privacy engineering fields.

Debra Farber  14:34 
It really is exciting. I've been watching this space explode over the last two-three years, and the amount of innovation is overwhelming, but in a good way. Overwhelming to follow because there's so much going on. So now, to that end, I would love to ask you about your work at PrivacyCode, which I'm really excited about. And, I should also disclose to the audience here that I am an angel investor in PrivacyCode.

Michelle Dennedy  14:57 
She is an angel. Can confirm, yes.

Debra Farber  15:01 
So here's a snippet from the website: "For decades, companies have been missing the means to apply plan, track and measure privacy requirements with privacy code. Organizations can now prove and measure the volume and quality of privacy engineering with meaningful metrics, reports, and a "bill of materials" or BOM. So, I'd love to unpack some of that statement. First, I love that you're focusing on privacy requirements across the product development cycle and not merely like legal requirements being pushed down. Can you tell us a little more about the privacy problems that PrivacyCode solves for?

Michelle Dennedy  15:36 
Yeah, so it's a fun space. There's a lot of us on the left side of the equation, I'll put it this way. So a lot of people automatically assume that privacy tech is one thing or they assume that you're competing with a PIA generator or some sort of a knowledge management for your compliance tools. We love those things; and those are good, quick, convenient checklists, and they're important tools to organize your work. and keep your data, you know, your datasets, clean for, you know, organizing your contracts and whatnot. Love that stuff. What we do is we really look at the privacy engineering problem through the lens of a privacy engineer, and what I mean by that is, we look at the problem from a process perspective as well as a technical perspective, and those things have to work in synergy. So, I think about things as we wrote about in The Privacy Engineer's Manifesto. So, there's no big surprise. That's...that's 20 years of my head is in that book. Thinking about what are the business rules that we're trying to achieve. So, if you're building a system where you want...one of the examples from the book comes from work with a company that may or may not rhyme with something called Bisney, allegedly....

Debra Farber  16:54 
What could it be, Michelle? What could it be?

Michelle Dennedy  16:56 
I don't know, but it makes me happy when I'm on this earth to think about it. But years and years ago, so I'm not disclosing any sort of intellectual property, but the problem at hand way way, way back in the day was to imagine a world where you might want to plan your whole vacation in one place, in one application, which now sounds like such a cute and quaint little thing. Back in the day, that was a hard problem to solve. So, understanding what that data map was from the very beginning; and, that's a "who, what, why, where and when" sort of Zachman architecture business problem. We've forgotten about business problems when we start to, you know, grab, like spasmodically for requirements: "Oh, my god, we're doing something in the European Union. What do I have to do? Oh, my God, oh my God, it must be about consent." Oh, no. Stop, take a breath. What we wanted to do is we wanted to build a planner. We wanted to have something involving children. We want to have people that are traveling, so you're probably crossing boundaries. We're having people who are going to physically stay somewhere, so there's going to be hospitality business elements here. We're going to transport people from hither to yon. We're going to cross the boundaries of different people's specialties. So, we're probably going to federate our identities and have some people caring about you when you're in the air, some people caring about you when you're on the ground, some people feeding you, etc. So, all of these different rules or requirements about where the business rules go, everything comes with a sort of a bubble of requirements for that data.

Michelle Dennedy  17:07 
And so where this bubble of requirements and data come along, you want to have a way to orchestrate all of that motion, the process, the commands that you're giving to your technical teams. And we want to have a way to have that conversation and organize that conversation so that at the end of the day, you can do a couple of things. You can have a way of communicating what you've built to different constituents. Your consumer deserves to know what you've built and that's some of this transparency and communications work that seems to have been so hard for people who haven't planned with business rules in mind. So, how do you communicate that? You want to be able to communicate to your regulators. What have I built that is being controlled in x, y, and zed ways? You want to be able to communicate if I decide to take another job. What has been done before? Where is the work? And of course, this is the hardest thing to do of all: in our former roles that you and I have both worked in very large enterprises, how do you synergize requirements across various specialties with various types of sub specialties and different languages? So I'm speaking like Legal over here, I'm speaking Tech over there, and tech isn't Tech. Tech is sometimes identity. Sometimes tech is encryption. Sometimes tech is database. Sometimes tech is network. Sometimes tech is vendor proofs, for example, and that's just the beginning.

Michelle Dennedy  19:56 
So, what PrivacyCode does is it allows you to become the conductor of a beautiful symphony, and all of your requirements can be in one place; and all of your specialists are allowed to be specialists; and we teach them how we have a whole huge library of implementation based on hundreds of years of experience of the team; and you can automatically, as you work, you don't have to take an extra step, you're managing that symphony together. You're making sure things are timestamp. They're dated. They're synergized. You're communicating well. And along the way, you can use all these other tools that are out there in the marketplace. You can use your compliance tool. We love that. If you've have a PIA, great; let's use that in concert with what we've already got because you've already disclosed what your controls are there. Great, start from there or when building a program. Let's start from here. Let's pick up a framework; let's start from there. It's all about having a simple way to communicate in the language of people data.

Debra Farber  20:56 
I think that's great and obviously needed in the marketplace. And, I'm just curious, what are you seeing in the market from buyers? Like, as you've been developing PrivacyCode, what have their pain points been regarding privacy assurance?

Michelle Dennedy  21:12 
I think...I'll tell you the highs and lows. I think the lows that make me sad are there are a group of people that have sort of given up and it makes me sad. And what I mean by that is - it's not just legal people, it's not just technical people - there are people that are like, "I'm an encryption person. I encrypt things and I go home and my job is done. Done. I'm a lawyer and I write the contract, and I wrote the contract and I go home.

Debra Farber  21:41 
Right.

Michelle Dennedy  21:41 
I tell you what to do and if you didn't do it and you didn't understand my language, and that's many, many "too bad for you,s" and none of those things are sufficient. And I think the saddest part of all is, I don't see boards having conversations about data. I see some annual reports having conversations: about the class actions that are being held against them, about the existential threats that privacy fines have against them financially,. I don't see them saying, "Hey, directing specific information to these types of customers is really valuable to our business. How are we going to be better about knowing that information, curating that information, being better at taking care of that information than our competitors?" That, to me, is exciting business data. So that's at the macro, big, big, big company, sort of disappointment. It's we need more see CPOs and experienced privacy people at the board level talking about how does this flow as a governance notion.

Debra Farber  22:46 
Right.

Michelle Dennedy  22:47 
And then the exciting thing for me, and the weird thing that I did not expect, is I think our very first paying customer (and thank you. You know who you are) and our first flock of customers are very well funded, I'd say B round and up folks who are deeply embedded in data and I don't think they meant to be there. So, they're either doing AI stuff or they're in health tech or they're in fiserv stuff or even ad tech revolution, or even some security folks. And they've realized, holy cow, if we're going to have customers (because it's not going to be that quick, you know, heady, 2019/2020, let's just IPO and we don't have to worry about governance) like, if you actually want to sell things, people are going to be looking for your bill of materials. Where is your information about your privacy controls? They need to see it in black and white. So, those are the customers that are flocking to us, and I was really surprised by that. I thought it would be mostly the large enterprise. It's not. It's the small business that says, "We want to do business better and people are asking us along the supply chain, 'what are you doing about privacy?'" and you better have an answer for it.

Michelle Dennedy  24:09 
And you know, it's it's amazing to me the volume, and I think to get back down to your point about the VCs, any VC that's looking at their portfolio and telling that portfolio not to have an answer to what are you doing about privacy for your supply chain, for your sales preservation, you are paying your your your entire flock of companies a very grave disservice because I'll tell you the other anecdote as you know, from my days in-house, both as an IP attorney (I used to be a patent litigator back in the day and do M&A evaluations) and then acting as a Chief Privacy Officer, one of your many roles in that role is to evaluate transactions. So when I would buy a company, the first thing I would look at is how many outstanding privacy obligations and promises have you made? Have you said that you will never sell the data and now you're selling your company to me? Well, I'm going to give you a massive hair cut if you're a health tech company or you're selling children's health data or you're a cancer research company that can't sell me your research data now because guess what, it can't be anonymous if it's cancer research data, kids. So anonymity is not your friend. You can't secure your way. You can't encrypt your way. You can't not have a privacy, fundamental proof of work,and have a good healthy business that's based in repeatable digital strategy. So if you're a VC, you better be asking every one of your portfolio company, get some PrivacyCode, stat.

Debra Farber  25:53 
Hahahaha. Yeah, I think having assurance metrics or a way to prove you're doing...that you're adhering to your requirements and responsibilities, I think is going to really change even the VC's perspective because then they can see how non-aligned some companies are. And then to your point about how you're seeing a lot more movement in the space from post-Series B, raise startups versus enterprise, large enterprise, I would say my guess (because, you know, it's anecdotal evidence here, right), but my point of view is that it's just so hard to turn around such a large ship...

Michelle Dennedy  26:33 
Yeah.

Debra Farber  26:34 
...that has so much data across, you know, the world in so many processes, and just, like, you just can't just add a bill of materials like on to all of that, even in a few years. I mean, it just takes too long. So, you know, I've been putting my own attention lately to companies that are building from the ground up, because then at least I could have more of a guiding hand in, you know, helping select a framework and building to it just like you were mentioning, as opposed to trying to fix all the technical debt or label things that you know...the bad data governance that currently exists in some organizations.

Michelle Dennedy  27:12 
Exactly it, and you're an angel investor. I mean, you're not going to invest in something that is clearly a tire fire. I mean, you were...you were very brave about one certain social network that will not be named; and they were just slurping up everyone's contacts to even receive one of these invitations, and I remember listening to you, and I was like, "This is unbelievable!" And then I received one of these invitations, and sure enough, I was like, This is so toxic. How could the investors put money into this? Because I can't even try the service because it is such a security and privacy violation. That there's no one who has a job at any company that has any privacy or security policy that would be allowed to use any of their equipment, because it would slurp up every confidential contact; and, I remember you saying "This is hundreds of millions of dollars going down in flames," and sure enough, you were right.

Debra Farber  28:13 
Yeah, well, the company still exists. 

Michelle Dennedy  28:15 
It's not a very good company.

Debra Farber  28:17 
I don't personally know anyone who's using the service anymore and, you know, I got really loud about on social media so that...to protect others. One, others from being harmed by exactly what you just said: your data being hoovered up and just not even having any security or privacy protocols that can...or I should say controls that can actually protect you and keep you safe online, but also because I saw all these privacy and security folks flocking to this network to...as a new way of collaborating and networking with one another, and I didn't want them to look like fools for the industry by recommending to their friends who are not in privacy and security to join it, and then like actually called privacy harms to them as privacy experts. That would just be kind of counter to everything we stand for. But yeah, that's just....

Michelle Dennedy  29:05 
It was a bad investment all around, and to your point, fixable. Like, it's not like it was a bad idea to have that service; it was a bad idea to not have privacy on that surface.

Debra Farber  29:18 
Okay, so one of the one of the other things you just mentioned, and I want you to unpack it a little bit more for this audience, "software bill of materials" is a new concept, I think, to most privacy folks. I have been following it a little bit because, you know, I know there's efforts out of the federal government to kind of have what they call SBOMs, software bill of materials, and if you could just tell us a little bit more about what that is and what's an SBOM and what's PrivacyCode's approach?

Michelle Dennedy  29:46 
Yeah, so I mean, this is something that goes way back. I mean, this is...this is part of like, for better and for better and for worse and for better again, I guess for like a Walmart for example. They became legendary for their supply chain. And the only way...and I'll go even before, really in the earliest days of Walmart, there's a great book that I always recommend to people. It's by Mickey McManus and I'm ashamed I can't remember his co authors, but it's called Trillions. And one of the things that that Mickey talks about in his book is in 1952, the revolution of pricing and goods and supply chain, again for better and ill with the consumers and the way it is, was the revolution using the container in the container ship, the humble container in the container ship. Before that, you had to, you know, weigh things, and things would go rotten on the decks of the Longshoremen, would have to figure out what fit on a ship and things would be very non standard, etc. And so with with the advent of the container, you can actually measure things, and then on the end of the container, you can have a bill of materials.

Michelle Dennedy  30:59 
Now you've had a bill of materials ever since the beginning of time, but by having a routenized way (and this goes to you have Lorrie Craner talking about nutrition labels a couple episodes ago on your show), I think a Software Bill of Materials attempts to sort of cross that gap of communication of...it's a shorthand way of saying, what is an almost standardized methodology so that we can say in a shorthand way, what am I dealing with here? What is the handshake that needs to occur in this type of software (and I'll include, you know, process and hardware in there), but we call them SBOMs for whatever it's worth. But here is the basic philosophy in the software or here's the OS. Here's how it interoperates. Here's how it behaves or here's the standard of care. Here's the level of security. Here's the level of privacy. Here's the type of protections or here's what it's not. Maybe this is just an unfettered, unclean pile of random digit data; and, so if you knew that this was just some sort of data collected with unknown provenance, you would put that in some sort of container away from your production. Maybe that's something that you would figure out. Is this something I can use? Do I have to do extra work to make sure that it's clean to make sure it's anonymized? Do I have to process it in some extra way. So having some sort of a software bill of materials helps the entire supply chain just like that container ship. It helps the flow, it helps the understanding. It helps someone coming along later, who maybe needs to update.

Michelle Dennedy  32:53 
You know, we've just had a big case come out of Europe this week saying that having a statement in your Terms of Use that says, "Hey, now we're going to use behavioral advertising in the course of using these services," and the European Union have said, "No, you have to...that is not sufficient consent, and so advertising to people in that way is no longer acceptable business practice. If you had an SBOM that said, "This is how we do it," and you were able to modularize that consent, you be in a much, much better place today. I mean, if you read people's terms, there's crazy stuff in there that people tried to stuff in there. So, I'm not trying to call out any one company over the other, but the holding was what it was. Right?

Debra Farber  33:39 
Right. I guess, yeah, of course. In my opinion, I just don't understand, can't comprehend how Facebook would even believe that behavioral advertising could possibly have a legal basis that's part of the contract, as opposed to, you know, a different legal basis. But that's...that's a different issue altogether. We were talking about software bill of materials. So you're right, that would be very....

Michelle Dennedy  34:06 
But it's the perfect point. It's a perfect point, Deb, because when you start to break this stuff down in to disciplines, it's like there's a public policy piece; there's a how information electrons are being shared and where they're shared; and there's like time (like the political winds of time). There's money. And so all of these things work in synergy. And so if you look at it sort of dispassionately, of each of these operators, when do we need to change things? Now, maybe it never should have been that way in the first place. That's a separate discussion. When we need to change things, the more we understand what is in that basket of assets, and how each of us can operate on those things and what is changeable without throwing out the entire system, or throwing our hands up and saying as I've seen some commentators, "Oh well, it's just the cost of business," which by the way, brings me back to my cogs thought. It should have been the cost of business, they should have brought an SBOM.

Debra Farber  35:08 
Right, which also...the SBOM provides transparency, too, of like, "This is what we're saying is in here."

Michelle Dennedy  35:16 
Yeah, I think this is where data bites back. Software ate the world, and it made you think you were really rich; and now you're spending all this time litigating issues that happened 10/15/20 years ago when you should be delighting people of tomorrow.

Debra Farber  35:32 
I mean, that's an excellent point, as we innovate more in new areas, new tech stacks. Right? So let's say XR, machine learning, you know, you name it, large language models, right? As...

Michelle Dennedy  35:44 
Augmented reality

Debra Farber  35:45 
Augmented reality - you get all of these things. As we're innovating more, we don't want to make the same mistakes that 15 years down the road, you know, the business is going to be fined a lot because they didn't put the appropriate privacy and security and ethical considerations into the building of the business as well as the technology that supports it. So what would your advice...like how can I use the bill of materials for maybe some new development? Walk me through an example of how...I don't know, let's say a machine learning company?

Michelle Dennedy  36:19 
Yeah, so I don't want to give too much away, but one of my, my fastest and best selling libraries is our ML and ethics set. And the way...our first users are using that is there's a lot of process and there's a lot of sort of decision matrices that are being laid down, but there's code, too. And so, deciding what your supply chain is when you're talking in very large data sets, when you're really talking about machine learning where there is enough pattern recognition, then there is scale required to do very large sets of processing and understanding provenance and the speed at which you need to replace the freshness of the data and the type of data, to have a process in place, to understand provenance, to understand where bias can creep in, and to understand how that testing, that QA and the release and then even the return of the process of the decision making outside of the tech and within the tech, that's where that kind of design and execution is being, you know, I'm watching it happen; and that's that's what people were using PrivacyCode for today and I really didn't expect that. I thought that was gonna be like a hippie dippie thing that people are gonna want eventually, when we were a much bigger company. And sure enough, it's like one of the things people are like, "Yes, we're so hungry for this and we want to recognize how we're making these decisions today that we know we don't know the answers."

Michelle Dennedy  37:57 
So, when we know that there are the known unknowns are where we know that we're pioneers. We're trying to use augmented reality, for example. (This is not a real example. So, my clients, if you are working on this, and I don't know about it, I'm not talking about you.) But, I can imagine a world where we have a lot of lonely people on the planet, we wouldn't have so much of this divisiveness and anger if we didn't have insecure and lonely people. We need to have augmented reality so that we can get people to see their families more; and, we can have...we have a very...an aging population. It would be wonderful to be able to send our elderly population on trips using augmented reality. Well, we're talking about people with different abilities. We're talking about sending people into different cultural environments. We're talking about having capabilities, cross-generationally. All of these things we know before we lay down a zero or a one might be fraught with all sorts of unknown ethical issues, but by knowing those unknowns and understanding where and how we're gathering the data, or what kind of observational techniques we're going to use, it helps us to shape the decision-making when we inevitably make the mistakes of tomorrow, or when we delight in unknown ways of tomorrow. And so I think that's part of the reason...like I stopped midway through making an obscene amount of money as a C-level executive...to do what I'm doing is Christy and I are building a legacy. I want people to get on PrivacyCode and build something wonderful and tell people about it and be able to communicate that long after I'm in my assisted living home doing AR and going to the moon, you know with my headset.

Debra Farber  39:45 
I love it. That's amazing. And one of the reasons that you've been a hero to me, really, that you really care about moving the industry forward, and this isn't just a job for you. I'm cut from the same cloth...just a few few years younger. So I had my...

Michelle Dennedy  40:03 
I love it. She's a lot younger folks.

Debra Farber  40:07 
So, I'd love to switch to talking about the other company that you work at, which is Privatus Consulting. I know you were Founding Partner there; and, I found the following quote on the Privatus website, "The privacy and compliance world has become so complex that traditional problem solving methods no longer apply. Privacy has become a 'wicked problem,' multifaceted, contradictory and interdependent condition with no endpoint and no clear path forward." Your team developed a strategic framework that you call "Wicked Privacy." Can you please tell us about the Wicked Privacy Framework and how does it differ from other approaches?

Michelle Dennedy  40:48 
Yeah, so it's very much in synergy with PrivacyCode. So, PrivacyCode is the technical arm, and then what Brian Lee and I are doing on Privatus is really, philosophically, everything that I've been talking about, which is, Brian and I were working together at a data analytics and visualization company (which was my first foray out of BigCo) and he said to me, as I was talking through some of these privacy supply chain issues that one of our clients was having - I was sort of saying, "Woe is me This is hard," and I said to him, "Hey. You know, you spent a lifetime in the military. What was that all about, Brian?" and then it comes out: oh, he didn't just spend some time, he was a Lieutenant Colonel, which I was like, "Holy cow." That's not like... they don't hand out like participation medals over there; and he spent the last 25 years in the Army in the U.S., coordinating for the Pentagon - anti nuclear proliferation. So he and his team would go out and like literally stand...

Debra Farber  41:45 
Small stakes, small stakes.

Michelle Dennedy  41:46 
Yeah, just a little bit - there's like not blowing us up. Thank you, Brian Lee and company. And he sent to me a couple of things that really resonated with me. One is he was like, "I don't think I'm going to do anything more impactful than that," and I was like, "Yeah, that's big. I'm going to try to make you like this at least as much as that." And then to, you know, he said, "I think the problem and the complexity, that got us to the brink of self annihilation with nuclear power is at least as complex as privacy. So, we should talk about that." I said, "Okay, fair and humbling," and so that's when he introduced me to this whole world of wicked problems, and you can look them up. And it's a genre, mostly in sort of public policy-related things like hunger, you know, climate change, and, and anti nuclear proliferation. And they are defined by their special types of problems that are not solved and can't be proven that they're solved. You just have to solve them. And that is very much privacy. So, we don't know if disclosing enough information is sufficient until we've disclosed and we're constantly sort of testing live, like the world is our beta test in privacy and there's no stopping point. So, as long as...and my father put this best. He said, "There's only two kinds of companies that care about privacy. The first kind of company has customers and employees; and, the second kind of company wants to have customers and employees; and no other company deserves to have any information."

Michelle Dennedy  43:09 
So, probably a wicked problem has almost endless perspectives. So if you imagine a field with a...with a lake going down it, if there's a farm on that field that's kind of beautiful, bucolic. Now, you put a town. Where does that town go with relationship to the cows, and everyone needs to drink, but everyone also needs to poop? And then you have a factory, and then you have a school, and then you have roads, and then you have bridges, and then you have...so we have these resources, and so you have this shared resource. And so you're constantly evolving. Every time you solve one problem, you create another one; and so it goes with privacy. So, the more we evolved into this software eaten up world, we are very, very much known. We are very, very much surveilled. That doesn't mean it's over. It means we have a new problem. So, then we solved it with a lot of encryption, but then we had all of these bad guys doing bad things. Okay, so now we're going to solve it with this policy and we're gonna solve it with this new technology. And now we've got quantum coming down and we've got deep fakes in and we've got this new political movement, and so you see how it goes.

Michelle Dennedy  44:43 
So, when you approach the world through a wicked problem, it's not fatalistic, it is multimodal. It's very much like the C-suite. Your CTO does not share the same perspective as your marketing person. Your HR person does not look at the world the same as your salesperson, but somehow we create a unit; it has common shared goals for a common objective; and, over time, we create common metrics so that we're all working with our specialized areas to move ourselves toward a goal that we believe is a better place and a better outcome, and that's the nature of a wicked problem.

Debra Farber  45:18 
Thank you for that. It has me thinking, you know, how do you...how do you define (I don't want to say how you define it), but the...like, what are examples of some metrics for different personas that you just mentioned because I know that one of the biggest challenges in privacy over the years has been that we really didn't have many metrics that resonated with the C-suite other than, you know, breach metrics, which then eventually went to become a security metric more so than privacy; and then, now over the years with, you know, GDPR and data protection rights, it's now metrics around like fulfillment of those data protection rights.

Michelle Dennedy  45:18 
Yeah.

Debra Farber  45:19 
But that's compliance! That's not necessarily moving the needle on privacy by design and privacy engineering. So, help me understand what some metrics might be, without giving away all of the wicked privacy framework that you have.

Michelle Dennedy  46:14 
Yeah. I was gonna say like, that's a whole nother like, that's a whole nother hour; and I'm gonna recommend...like, so, we'll daisy-chain guests, I want you to have Robert Waitman from Cisco. He is still there after all these years. I hired him. When I started at Cisco many years ago to do privacy metrics, and he came; he was a quant. He's one of these very overexercised brains, with an MBA and a law degree from Georgetown and Harvard and all the places, and McKinsey and all the places. So, he said, "I don't know privacy" (and he does now), but I said, "Good. I want you to be a quant." He said, "I know quant." And so the best way to to do a metric for any one individual organization is to compare things. And so, exactly as you've said. And, I find it fascinating that SB 1386, which was the breach disclosure law in California, how many trillions of dollars, venture dollars, businesses, the entire security industry has benefited and made so much money and mansplained the crap out of privacy. That's a privacy law, y'all. None of you people were there with us at the table. We brought...Susan Landau and Whit Diffie were the security people that came with us to the table. It is a privacy law. It was about accessing personally identifiable information; and, we decided that there were not enough dollars in, you know, in the 2000 world, to be painful enough. You know, right now we're talking about, you know, a billion isn't enough to shame some of these big companies. Back then it was like, "Oh, 100 million is not enough; and, so we said, "What about shame? How about shame? Will shame work?" Well, you had to tell people when you screwed up; that conversation created a trillion dollars of value for security people and they all pretend it's not about privacy. All of that value creation was privacy.

Debra Farber  48:19 
It's like how can you have the same...I remember, I was back, I was American Express in my very first privacy job out of law school, managing online privacy. At the time, it was its own bucket. And, I watched that metric get moved from the privacy office to security; and, I was like, "Wait, wait, wait, but that's like the only one we have!"

Michelle Dennedy  48:41 
Not so fast! So, I mean, the minute you're successful with a privacy metric, it gets called gobbled up by marketing or by sales or whatever; and, you know what, I'm okay with that. So compare things is my answer, and you'll find interesting data. You know, we did a lot of this when I was at Intel, and again at Cisco and said, "You know, when you sell this kind of thing with transparency, how much will you sell of this thing per region? When you sell this thing with transparency, and a control, how much will you sell of it plus, traditional "non-data" products, etc." Those are the metrics that you want to figure out again, going back to my Privacy Engineers Manifesto example. Start with the business rules. If your goal is to have an application that allows families to plan a partnership matrixed vacation that is air, land, park, restaurant, total hospitality, ownership of dollar wallet, then that's your metric. All of the "people data" related to that is your privacy benefit metric.

Debra Farber  49:55 
I really do like that because it puts the entire team on blast or (organization or depending how how big the company is) that it keeps the focus on privacy and not as a thing like you add on or that Compliance is going to deal with later. It keeps a top of mind as everyone in the room is strategically talking about requirements, that's inclusive of....

Michelle Dennedy  50:16 
Well, we have limited time on the planet. We don't have time for nice-to-have. We don't have time for compliance because it's busy work. We got limited time here. So, we're executing on business rules because this is a good business to be in. We're doing ethical things because those are sustainable. We're doing good business because we're going to fatten those margins by serving human beings because human beings are the ones who can reach into their pockets and get those wallets out. That's privacy.

Debra Farber  50:41 
It's a good point. By using the "shift left" mentality, a lot less of money is going to go into compliance because if you fix data leakage or the data governance problem, and you know, data is not sprawling everywhere and you have to go find it and discover it, because it's in a well-architected way, and, you know where it is and what's downstream and upstream and all that stuff. By investing in the processes, and how you're designing the product and service and the offering and the marketing and all of that and adding privacy, embedding privacy into it up front, that is actually like decreasing the amount of compliance burden.

Michelle Dennedy  51:23 
Yep.

Debra Farber  51:23 
And I'm finding it's taking way too long for companies to recognize that.

Michelle Dennedy  51:29 
Takes a long time. I mean, think how long we've eaten hot dogs with abandon and before we got on to like, "Hey, wellness is cheaper."

Debra Farber  51:39 
Yeah, that's a good point. Well, I want to, help make...move this forward faster. I'm optimistic about where privacy is going. I never have been more optimistic given all of the focus on the technology side, but there still needs to be this communication to the market to the stakeholders, educate buyers.

Michelle Dennedy  52:02 
That's all we need to...we need buyers to buy, and if you can't buy a million dollar license, I'm still gonna love you. If you buy a $10,000 license, I just want you to buy. We need you to try. We need to experiment things and by its nature - like so we're asking lawyers to buy things, which is is sort of an unnatural act. Like a lot of people went to law school because it was like the safest way to always have a career, and so we wanted to take a chance; and, a lot of the stuff that's being built right now is being built right now. So, don't expect it to be Stonehenge. So, try things. There's never been a better time to, to put your own personality into it, to get a great deal on stuff, to try new things that are going to make your job better. Yeah, you might have to do something extra. This is my favorite to like, oh, I don't have time to do something new because I'm so busy. And I'm like, Well, are you doing it? Are you...are you happy with your program? Are you doing everything really well? Are you getting the metrics you want? Are you communicating seamlessly with all of your stakeholders across your your wicked problem landscape? No, they won't even talk to me. They think I'm just a buzzkill. I'm like, well, then you've got to try something different. Or, "I don't have time."

Debra Farber  53:21 
Right? Then they're not gonna be...

Michelle Dennedy  53:22 
24 hours. I got 24 hours; you got 24 hours. That's how much time we all have. You have to try something new. Or you're stuck with what you have got.

Debra Farber  53:33 
So how can people contact you if they want to, you know, try a pilot or demo the product?

Michelle Dennedy  53:39 
Throw some money. Oh, and I should say, you know, like, I'm terrible about this, Deb. Like, this is why I get in trouble all the time. So, we're just getting ready to raise a seed. So, if you've got some money, we're ready to take it. If you've got some time, we're ready to sell you a license. We've got some great libraries ginned up and we would love to help you with your program. Whether...if you need to set up a program, you can reach me at Michelle@privitus.online; that's my consulting persona. Or, you can reach me at Michelle@privacycode.ai Both emails get to the same...to me and, yeah, just reach out. I'm still occasionally on Twitter, not as often as possible, but I, you know, it's kind of like watching the denouement. So, I can't not watch the end of the end; but, I'm also on LinkedIn. So I'm very findable. Come and find me, search up PrivacyCode.ai, and come and innovate with us. We're building what's next, and we're excited to work with you. And don't be shy.

Debra Farber  54:40 
Amazing. Michelle, thank you so much for joining us today on Shifting Privacy Left to discuss privacy engineering, value creation, wicked privacy, all sorts of stuff, and your work with PrivacyCode. Yeah, all sorts of stuff. You know, we'll definitely have to have you back on the show in the future. There's just an endless amount of things to talk about.

Debra Farber  55:02 
And with that, I'll say...I'll bid everyone "Adieu!" Until next Tuesday, everyone, when we'll be back with engaging content and another great guest. Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website shiftingprivacyleft.com where you can subscribe to updates so you'll never miss a show. While you're at it, if you've found this episode valuable, go ahead and share it with a friend. And, if you're an engineer who cares passionately about privacy, check out Privado, the developer-friendly privacy platform and sponsor of this show. To learn more, go to privado.ai. Be sure to tune in next Tuesday for a new episode. Bye for now.