Let’s Talk Privacy & Technology Episode 7: Automated Privacy Consent with Lorrie Cranor
As part of my fellowship with Santa Clara Law’s leading privacy law program, I’m curating the Let’s Talk Privacy & Technology video series. Each episode features a privacy expert, practitioner, academic, or innovator. We discuss the intersection of privacy and technology, covering topics ranging from privacy engineering, privacy enhancing technologies (PETs), and data ownership, to data ethics, privacy tech, cybersecurity, and more. I publish episode notes in this blog, including this post dedicated to episode 7. Other episode notes are available in the Privacy & Technology publication.
I sat down with Carnegie Mellon University’s CyLab Security and Privacy Institute Director Lorrie Cranor. We talked about her work in the privacy engineering space, including her vision of automated privacy consent in the future.
- On automated privacy consent: Lorrie shared one of her visions for the future of privacy. The idea is for a user’s web browser to negotiate with websites in the background. This is similar to the P3P and Do-Not-Track (DNT) standards that came out in 2002 and 2010 respectively but failed to see mass adoption.
- On DNT’s (and privacy tech’s) biggest challenge: Lorrie believes that DNT failed because there weren’t proper incentives for adoption. The standards took years to develop, and when they were finally released, regulators were no longer focused on online tracking. Without regulatory pressure, companies didn’t see the need to adopt them. Today, regulators all over the world are finally paying closer attention to privacy again. I agree with Lorrie that the timing for privacy tech is right. As I previously observed, we are at a point in history where founders, technologists, investors, regulators, consumers, and enterprise customers are in agreement with privacy experts, advocates, and evangelists that we need privacy innovation. We need to make the most out of this momentum.
- On the legal and engineering tensions in privacy: We talked about the classic divide between legal and engineering teams. First, the two disciplines speak completely different languages. Lawyers and policymakers tend to use broad terms that are meant to transcend narrow use cases and withstand the test of time, whereas engineers dwell on specifics, in 1s and 0s.
- On the skills needed to navigate the cross-functional privacy domain: Privacy engineers and lawyers don’t speak the same language. Lorrie shared the skills that she picked up along the way that she found helpful in navigating and bridging the legal-engineering gap. We share some of these important soft skills below.
  - Listening skills are particularly important to understand different perspectives given privacy’s cross-functional nature.
  - Communication skills (specifically, learning to speak the other side’s language) are also important to set a common understanding.
  - Curiosity is a must if we are to have a holistic vs. antagonistic or, worse, incomplete view of privacy.
  - Negotiation and problem-solving skills are also necessary to move the needle in privacy.
Episode Theme: Privacy Engineering