 Okay, good evening, and thank you for joining us here at the Mechanics Institute. I'm Laura Shepard, Director of Events, and I'm pleased to welcome you to our program, The Future of Privacy Security for Your Eyes Only, Keeping Your Online Information Private and Secure. Before we begin, I'd like to find out how many of you are new to the Mechanics Institute. Who's never been here before? A few. Wonderful. Welcome. First of all, we'd like to invite you to come on Wednesday at noon and get the free tour of our institute. Librarians will take you around our beautiful, vast, general interest library, which is on the second and third floors. You'll get a tour of the chess club, which is an international chess club, with various tournaments and classes going on throughout the year. And you'll get an introduction to our history. We're founded in 1854, and we currently have ongoing classes and courses, book clubs, writers' groups, author programs, our Friday night cinema series, and of course, our new programming that's going on, Think and Drink, Transforming SF, and Mechanics Today. So we hope that you'll take the tour, that you'll join Mechanics Institute and become part of our ever-growing cultural family here on 57 Post Street. Also, we encourage you to join us after our program at the data bar, which is in the downstairs retail space, and members receive a 10% discount on drinks. So come join us down there. Today, of course, privacy and security is one of the most important issues of our time, and we're very pleased to welcome our panel for this discussion. So first, I'd like to introduce our moderator, Lindsay Tanziger. Lindsay is a trustee of the Mechanics Institute. She works for Covington and Burlington LLP. There, she helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communication laws. And of course, tonight we have a panel of attorneys from both the consumer's perspective and the corporate perspective. So please welcome our moderator and panel. Thank you. And I am very excited to be joined by such awesome panelists, Jeannie Sheehan from Groupon, Jacob Rajesh from Wikimedia, Whitney Merrill from the Federal Trade Commission, and Nate Cardozo from the Electronic Frontier Foundation. We all live and breathe privacy on a day-to-day basis. We're also all lawyers. So before you get up and run, I promise you we're going to try to be really practical and hopefully you find this all interesting. So I wanted to kick us off since this discussion is part of our Transforming San Francisco series, I wanted to begin by considering how important data really is the San Francisco's economy. The Bay Area's vibrant ecosystem of mobile app developers and retailers and financial services and life sciences companies and social media platforms and online services, all of them depend very heavily on consumer data. So starting with Jacob, what are some of the ways that Wikimedia collects and uses data from the people who visit your sites and services? Yeah, so the Wikimedia sites collect a few different types of data. There's information that people give us, so if you sign on to make an account, people give things like their email address, and that's useful because if you've ever forgotten your password, as I think almost all of us have, you can use that email address to recover your password and actually be able to get onto the account. There's also things like technical information that we get, things like what types of computers people are using, what types of internet browsers they're using, and all of that types of information is really helpful for the engineering teams at the Foundation because they have to make sure that the sites run well no matter what sort of technology people are using and knowing what people are doing and if they encounter problems, what technology they were using, it helps them to develop and improve the sites. Great. And Jeannie, can you provide some examples of how Groupon uses data to improve the lives of Bay Area residents? I know you guys are all over the country, but you're here in San Francisco. Yes, Groupon operates actually all over the world, but we certainly operate in the Bay Area, like many other places. The value proposition of Groupon is actually two-fold. I think a lot of people think of the customer-facing application. If you've ever used the website or the mobile app, you've probably provided your information. But we also consider ourselves having two populations. We work with one as the customer side, but the other is actually the merchant side. So you can imagine if you want to open a yoga studio, a Pilates studio in San Francisco, and you want to get customers in the door, it can be very difficult to raise visibility. And so Groupon is a great opportunity for merchants to feature deals to consumers to say, here we exist, here's a deal, it gets customers in the door. So customers sort of enjoy the discount, but the merchants really appreciate the increase in visibility. And so that's something we do for the Bay Area, something we actually do for around the world. And Groupon actually began during an economic downturn in Chicago. And it's just sort of an understanding. I mean, there's so many businesses that have idle times where they don't have consumers. And you can imagine if you're a massage studio and it's 10 a.m. on a Monday, that's not when many of us are getting our massages. And so it's a really great opportunity on the merchant side to offer discounts to get some people in the doors. You don't have those idle times, those peaks and valleys in your business. And for consumers, of course, everyone appreciates the discount. So it's really those two populations that Groupon serves. That makes sense. And you see that across a lot of different industries. That's kind of the value proposition of the ride-sharing services as well, right? Or when I post a picture of my daughter to a social media site to share with Grandma and Grandpa, all of that requires data and data collection. Nate or Whitney, what comes to mind for you guys when you think about all the data that's being collected from consumers? Well, from our perspective, we look at it both from the engineer side and from the civil libertarian side. So I work for EFF. We are a civil liberties organization dedicated to defending free speech and privacy in the digital world. And from our perspective, data is as much a liability as it is a benefit. When we look at engineers at Google, Facebook, you know, Apple, Microsoft, they see all of the data coming into their companies, coming from you to them as a way of learning more about you in order, essentially, to sell you ads. From our perspective, the question isn't what they're going to do with the data, because what Google or Facebook does with the data is essentially their business. Our question is what else is going to happen with the data? Is it going to get out? Are your browsing habits going to be plastered all over WikiLeaks next week? Or is the government going to come get it? Is the Trump administration going to come to Facebook and say, I want behavioral profiles of every Muslim in America? And if the data exists, if the data is stored in a way that can be tied back to the individual, and it's very hard to store data in a way that can't be tied back to the individual, who else is going to want it? What else are they going to do with it? And are there still ways of doing business, of getting the engineering value that you need out of the data without providing those unintended benefits to people who you really don't want to be giving benefit to? So I work for the Federal Trade Commission, which is an over 100-year-old federal agency that does consumer protection. We protect consumers from unfair and deceptive practices. I also am required to say that the views here are my own and do not represent the FTC or any one commissioner. That being said, what do I think about data? How does the FTC kind of think about data? And it's primarily from the consumer's point of view. What does the consumer know about the data being collected about them? Do they understand how it's going to be used? Is that being disclosed to consumers? Are they aware? And do they have choice? And so FTC will often talk about notice and choice. And so, you know, are you getting the choice to say, no, I don't want you to have my location data? Is the application developer or whoever is collecting the information, letting you know it's happening? And how good is that notice? Are they really aware? If you're putting it in mouse print and you have to use a magnifying glass, that's not good enough. Or light gray on a white background. Yes, light gray on a white background. And so, you know, the FTC has a very broad authority to do advertising cases where the agency that does identity theft, we also fight robo calls. So there's a lot of different stuff that can be talked about regarding data. Privacy and data security space, the FTC has been doing it for about 30 years. They've been talking about privacy before a lot of people because, you know, identity theft was a real problem and consumers were upset and complaining. And when you mentioned privacy and security, what do you mean by privacy? What does that mean to you? So, privacy to me. Wow, that's a deep question. Privacy is done. So, you know, it's having the choice, at least for me, to keep secret information that is personal to me. The PII, personally identifiable information to the FTC is any piece of data that can be tied back to an individual. So a social security number, a phone number, an IP address, a MAC address on your computer, and so it can be a very broad thing what's, you know, is encompassed in what's considered private information. But what is privacy is a hard question. For those who may not know, the IP address and the MAC address are the technical numbers associated with your computer when you're browsing. The internet are going to particular websites, so they are almost always automatically collected by websites that you visit often not publicly shown, but they are things that people have and that can be used in various ways. For example, there's websites where you can just type in an IP address and it will give you an approximate geographical location of where the person is because they are associated with, if not a particular house, at least a particular area. Do any of you have other definitions of privacy? Oh, man. So privacy is very difficult, right? Because we mean different things by the word privacy depending on the context that we say it. So as Whitney said, sometimes we mean the ability to keep secret things that we want to keep secret. Other times we mean the ability to control the audience for the information that we're disseminating. We're not necessarily keeping things secret, but we want to control who's able to see. Other times we just mean seclusion. By privacy we just mean the ability to be left alone. When I close my door in a hotel room and say privacy, please, that's not necessarily because I want to keep secret what I'm doing inside the room. It might be, but it might just be that I just don't want to be disturbed. And all of those meanings have value in the information era. And so I, in my practice at least, I don't describe myself as a privacy lawyer and I try desperately not to use the term privacy because the English word has so many different definitions and there is no legal definition of privacy. So I try desperately not to use it. I'm not a certified, what's the term? The CI certified information privacy professional. I'm not one of those. So I don't have to subscribe to a particular definition and I try not to. Yeah, I mean I think I would add to that from the corporate perspective. I mean a couple of things. I think privacy, I mean one thing I think it's very jurisdictional. I think that means one thing in the US, sort of in popular understanding versus in the EU, it's a very different concept. I would say that in the EU for example they have much more of a conservative interpretation of what is privacy and the protections that should surround it. I think the other thing that I would add is I think it's a lot of times helpful to contrast at least from my perspective privacy versus security. A lot of times from a corporate perspective we talk about privacy and that's more of a consumer facing sort of compliance protection standpoint. In terms of security though that's really around how you safeguard and protect data. So at Groupon for example I wear both hats. You know some companies will have privacy lawyers, they will have security lawyers. I end up wearing both hats where I'm sort of making sure that we're doing everything to comply with various FTC decisions but also I mean every company is constantly under attack if you have personal information. There are hackers that data has value on the black market and so one of my closest relationships at Groupon is our head of information security and that's just making sure that we take steps to protect the information. So it's very different roles and hats that I have and not every company does it that way but that's how we do it. Yeah I would add on to that I think that like when we think about privacy usually in the sort of again company perspective a lot of that is about your ability as an individual to sort of curate what's out there, what information you show to other people or don't show to other people, things like some places you want to share your political beliefs and other places you don't and keeping those separate and distinct. Whereas security is like yeah we try to make sure that if we have something at all we're telling you how it's being used and it's not able to be used in any other way or be taken by anyone else without us knowing about it. You know sometimes it's like you do the best you can and mistakes still happen I think. There's no company at the moment that is completely immune from all possible types of hacking but even if you don't make any mistakes. Yeah even if you make no mistakes whatsoever like just the rate of change of technology is such that no one is immune to that but we try to do the best efforts that we can to make sure that information that we have is stored safely and securely. A corollary to that is if anyone ever pitches you a product and they describe it as unhackable run screaming. Yes. So Jeannie when Groupon thinks about privacy and security does it consider it to be a legal issue or a moral issue or a reputational issue or a political issue or all of the above? I feel like this is when I have to make the same caveat that I'm speaking for myself and not Groupon but I would say my role at Groupon I certainly think of it as all of those things. You know we're at a time and I think this is going to be true for quite some time where the technology is moving so much faster than the law can and that is absolutely global phenomenon. So you know when my engineers come to me and they say you know we want to roll out X product you know there are certain situations where there's a law I can look to that's on the books and there are very clear answers in terms of the kinds of notice and choice and things like that we should provide. For every situation like that there are plenty of situations where there really is no law that says what we can or cannot do. And so you know a lot of times I go back to I'm a customer myself and I also know that one of Groupon's most important assets actually two things one is the data itself and two is customer trust. So if we do something to compromise customer trust then I'm not doing my job very well. And so and it is sort of interesting because there and I'm sure every company faces this there's a huge sort of generational component I feel like in terms of how you view privacy and security. You know I feel like a lot of the engineers I work with are about 22 years old why not everything be transparent and open and you know yay you know flow of information and so there are a lot of times that I am just sort of you know broadening the conversation to say we really need to think about you know the long term effects of if this data is out there or you know taking steps to minimize the information we have I mean with an eye towards it's difficult if not impossible for any company to make information 100 percent secure you know I'd rather be in a situation where we're not gathering information to begin with and so I think you know a lot of it is that's why I'm here even though our corporate headquarters are in Chicago because this is where the engineers are and so I can be on the ground talking to them you know talking to them not only what the law is but you know what we think it should be and really thinking about because it is a moral question for all of the reasons that Nate describes you know I mean I'm well aware that a government can come knocking on our door asking for location information of our customers or things like that and so we pretty much it's now only for the first time you know in the EU for example they're really starting to think about having very strict not think about going to have very strict fines up to four percent of a company's global revenue it's called the general data protection regulation and that goes into effect next year and that is pretty much one of the first time that privacy by design this concept of thinking about privacy and building it in from the inception of a product is actually being legally required but certainly you know now that's something we're absolutely thinking about in terms of our company's culture. Yeah I like to think of it as helping companies be able to use the information responsibly without being too creepy. It's the creep factor test. Exactly. So some of the people in the room in the room with us tonight are on Facebook live are engineers and entrepreneurs and developers and for them I want to explore the idea that you mentioned a privacy by design and security by design. Maybe Whitney I know you guys that Federal Trade Commission have worked on this idea but do you want to unpack those concepts? Sure. So privacy by design or the FTC also has start with security means to create and develop your product what you're building with privacy and data security in mind first because the problem is you build this really awesome app and you go from just your friends using it to a million people using it and now you have to try to implement security and privacy features it's a lot harder to do that moving backwards and along that way you may have been hacked you may have been leaking data you know other bad things could have happened along the way but if you're taking it into account from the very beginning there's a smaller chance or risk that you know user data might be used improperly and also it just sets a good culture for a company organization to constantly be doing privacy trainings or talk about security so that as they grow and change you know not every developer has administrative access and access to all the user data as they grow from you know five people in a garage to you know a thousand people across the world and so the idea is you need to build in these things from the beginning to make everything just a little bit easier later on and the FTC looks at security and privacy from a reasonableness standpoint which means we ask for a reasonable level of security and so what's reasonable it's this big gray area like this is where the lawyers have to say to the engineers that ask you know point to me to that law of why I have to do this I imagine the problem they face is well like it has to be reasonable well what's reasonable and really it's a standard that takes into the account the size of the company what kind of data they're collecting what type of service who are the users and compiling it all together to say you know what's reasonable because what we expect of Google or Facebook is very different than what we expect of a startup that is just trying to you know get off the ground Can I give a concrete example of privacy by design? That was my next question So when I set my calendar reminder to come to this event tonight I put in the location as 57 Post Street and I put the time as 6 o'clock because that's what time they said that I had to be here and for the reminder I set remind me when it's time to leave there are two ways two ways that are easy to think about that a cell phone provider or you know the provider of the operating system on this phone can do that the first is I put in 57 Post Street my phone knows where I am the phone can download traffic information and find out the route and figure out how long it's going to take me to get there and pop up a reminder my office is in the tenderloin and it takes about 16 minutes so pop up a reminder 16 minutes before 6 o'clock the other way it can do it is it can transmit my calendar entry to a central server with the location and that calculation can be performed on the server and it just pops me a push notification when it's time to leave Apple does it the former way my phone actually knows where I need to be my phone downloads the traffic information and my phone tells me and it doesn't tell anyone else Android does it the second way that I described Android tells Google where I need to be and when I need to be there Google does the calculation and returns me the answer one of those is privacy by design the other one is not aren't there trade-offs though in those two approaches I mean there's pros and cons in all respects like you know there's limited battery power server space the way that Google does it is less expensive from the consumer's perspective it requires less hardware on the consumer end it requires less software on the consumer end requires less storage on the consumer end and it requires less bandwidth between the endpoint device and the server the other thing is that the Google method of doing it provides Google with a ton of information which is valuable to them Google makes their money not on selling Android but on selling ads Apple makes its money based on selling me this right Apple doesn't sell ads they sell me physical things that I put in my pocket and one of those business models is compatible with with the on-device calculation and the other is not the end result is exactly the same I get a push notification when it's time to leave both push notifications would happen at exactly the same time Yeah I want to comment on that I mean that's something that I face in my job a lot because a lot of what I do is also effectively product advising a lot of privacy and security lawyers end up doing that and so it is interesting because the concept of privacy by design isn't even about just what your company is doing you know when I'm rendering advice if we want to give notice to our customers there's a very different user experience on Apple versus Android it's different in different countries it's different if you're on a website and so I have to sort of factor all of that in so it is amazing I mean there will be times we're rolling out a product and privacy by design means accounting for the operating system whether you're on your phone whether you're on your computer what country you're in so we can have one question and have 20 different sets of advice depending on the kind of device you are where you are and sort of incorporating all of that in and so I think privacy by design and the other comment I would add to that is is it's not just at one point in time I mean because this space is evolving so rapidly we could have come to one opinion two years ago and right now the privacy and security landscape is changing so rapidly that it is sort of it's building into company culture checkpoints to say okay this is the decision we came to a year ago now we need to evaluate that again every time we're having an update that we roll out to an iPhone thinking about whether the law has changed and so that's a conversation I'm always having with engineers keep in mind I mean Apple has terms Android has terms there's a lot of things to keep in mind when safeguarding consumer privacy I think the company culture point is a really important one because there's been a belief for a long time by people that were building applications and building software that if they just sort of built something they could then sort of figure out what they needed to do with it and look at all the data that they had and figure out how to make it better and there needs to be and there is right now a change in that thinking where instead you have to say at the very start of a process of creating something what is the information that we need like what data do we need to actually do this and how can we do it without getting anything that is extraneous or irrelevant and sometimes people are still a little bit resentful of being asked that question because they're like well let me build the thing first and then we'll figure out what it is that we actually need but I think that there's much more of an emphasis now especially on trying to figure that out up front understanding do I need to know where the person is or do I need to also know where they're going for example to make my product work and doing the minimum amount so that you're not taking information from and about people that you don't need to I want to build on that because I work with a lot of companies that are at the cutting edge of artificial intelligence and innovative things which are hugely data intensive types of technologies if you're trying to predict what somebody's saying or what the answers to their questions might be you might not be able to limit the amount of data you might need to collect all of the data so do you have any thoughts on like is there a tension between the data minimization principles that you just mentioned and these types of new technologies that really need the data they have legitimate purposes for the data so I don't want to call it attention I think you're right that when you're trying to minimize things and you're not sure what you need there's maybe a tension in figuring that out but I think that they can be done in harmony so rather than be in tension the idea is somebody who's building something even if it is a AI system that is trying to predict user behavior to help protect users or for example on Wikipedia there's some AI that helps identify articles that need improvement and more work and then point those out to the volunteer editors that are working on the projects that looks at a lot of different data to determine the quality of an article but much of that data is not private data and I think as that feature was being built there were conversations with the engineers about what information they really needed to be able to do a good job with that and sometimes the answer is we're not sure and it can make sense in that context to err a little bit on the side of making sure the thing works but it's still good to have that conversation so I don't think there's so much to be in tension as you just have to think about it on the front end I would add to that too I think one thing that's really changing is in the world of big data I think for a long time everyone understands so the common understanding is that big data is cheap it's cheap to just sort of gather everything and keep it forever and I think that that thinking is really changing it's actually as it turns out quite expensive to have these various cloud providers and especially and from a legal perspective you know I can't really make it a sentence without using the word liability of course it's a liability to have this information sort of out there and so I think that's something that's really changing I mean one thing I heard last week that I really liked is we're kind of shifting from this world of big data to accurate data it is not helpful to have stale information on your customers and the reality is is you know customer preferences and tastes you know storing that information and definitely you know with you know Amazon web services is really expensive you hope that they're safe guarding information but unfortunately you know no company can sort of protect it definitely so I think you know in terms of the world of big data I think that there's going to be a big shift I think for a lot of companies and how they think about you know how long they keep data it is very common for developers and even us as individuals to hoard data like digital lives it's very easy now I never toss anything on my computer I just transfer files because I get a new computer and there's more space for me to fill it up and so I have stuff going all the way back from high school and I think developers and you know people who are collecting data kind of think the same way well we're in a new stage of our product let's just collect and figure out what we'll do with it later the problem there are two things one are you letting people know you're actually collecting that data do they know it's happening even if you aren't using it if you tell consumers you're not going to use that data in a particular purpose and you change your mind can you do that? probably not if you said you weren't going to do it before and so where a lot of the problems for example the FTC had a case against a smart television made by Vizio and it was collecting the viewing habits of everyone who purchased the television and giving it back and then providing that information to marketing companies and consumers were completely unaware that this was happening and the FTC said you cannot do this this is not something that you need to let consumers know that this is happening and so in one sense you could end up buying a product that says we're going to collect all this information about you and you have to consent to use it and that's kind of the model we're in right now but it's nice to hear that companies are moving away where they're saying maybe we don't need everything we don't want to seem creepy it's actually becoming competitive to be a privacy conscious company a security conscious company and so that competition space is really helpful in advocating for your choice to choose what's happening with your data so for those of us who are not engineers or entrepreneurs all of us are consumers so this question is open to all of you what are some really simple and practical steps that everyone in the room or online can take to help protect the privacy and security of their information oh, okay do we have an extra like two hours? so I'm going to suggest one thing and I don't even do this as well as I should but everyone should do this don't reuse passwords on anything every single password that you have needs to be different period no exceptions do you recommend a password manager? if that helps you use a password manager absolutely I don't recommend any specific one use one that works for you do you want to describe what a password manager is? sure, a password manager is a piece of software that you have on your phone or on your computer or both that helps you have one master password for you type in your master password and it remembers your group on password or your Wikipedia password for you and can sometimes generate them and you can generate a 35 digit random letter number combination that you could never remember by yourself but it remembers it and it types it in for you password managers are an absolute net positive use them but even if you don't use them just don't reuse passwords from site to site do you mean from site to site or do you mean from time to time? I mean from site to site don't use the same password on Facebook that you do on Gmail or on Groupon or on your computer itself do you want to briefly explain why? I don't know, someone else one of the big things that happens with a data breach so you'll hear about Dropbox hacked what's another big target but target didn't necessarily have passwords it was credit card Yahoo Yahoo is a great example companies don't always store the passwords in a secure manner or the passwords are somehow breached in plain text there are multiple ways that can happen but what happens is hackers will get this information they'll find the username and the password and then they'll try it on all different services they'll just keep trying it and they'll say oh if you use this on Yahoo are you using it on Gmail? are you using it for Chase Bank? are you using it for Bank of America? and they're going to test it until they get in and now they're going down to like more serious systems so you think oh Yahoo was hacked I never used that account anyways if you use that username and password anywhere else across or at least that password but they'll guess you'll be very sophisticated so the best thing is just to have very different passwords I'm a big fan of password managers even people in the tech community will rag on the books where you write all your passwords down the chances of you getting a break in at home where someone steals your password book or is like much less but there are amazing digital password managers that do the work for you and I think I have 250 unique services and passwords I don't know how many of you will log in and it will say you already have an account and you're like I don't know when I did that shoot and I'll look at my password manager and there it will be and some password managers have audits where they'll tell you if that system or that service was hacked and so I think that's a really really great just don't use you know if you're going to use unique passwords it's a great next step but the other thing I have to say is really scrutinized as my answer of how you can be more secure the emails and the phone calls you get how many people have gotten a phone call from the IRS like we're going to come arrest you illegitimate there are probably no legitimate ones but the reality is think hard about it they're scary the emails are scary look at the web address it's sending you to why is somebody sending you a PDF out of nowhere just be critical about it and think this is odd and if something is going off in your head maybe don't give that personal information but government agencies are never going to ask for passwords or user names on the phone companies too no one will contact you out of the blue and ask for your password or your login info the IRS plenty of people will no one legit will do that but on top of that with the IRS they'll send you to a government website irs.gov I think it is to make a payment to them if you owe them money so just spread that around be critical because in this day and age the attempts to get that information from you are getting really good and if you just say you can hover your mouse over a link and see does that link look weird unfamiliar to you type it in yourself you know if Bank of America is like oh there's something wrong with your account type in your password you know what I'll go to Bank of America on my own or I'll call the Bank of America number I know or it's on the back of my card and so that type there are programs so you download it onto your own computer that program is like generating passwords for you and it has its own master password yes oh yeah we're going to ask you to wait till the microphone comes to you for questions because of recording let's take a break so it seems like there's a couple questions so why don't you want to I think you had a question just wait for the microphone please some websites are still requiring short passwords for numeric I mean we need to maybe the FTC since that's the largest body in the world maybe we should say ok you guys come up to 26 and above characters or maybe just open it up to 126 I don't care just make it a whole paragraph for all I care and just let us type something let us make strong passwords let us make it really strong I use four different words from four different languages and if you want to go to a dictionary brute force by all means yep yep hi Luke Tessier thank you for the presentation I really appreciate the work you're doing at the EFF I think it's critical something I came across when I was doing side channel attacks on smart cards this model that the payment card industry has of vendors shall not maintain certain information they shall not maintain certain combinations of information although I've seen certain vendors violate that but I'm wondering about your thoughts about having that be a sort of a more universal thing where anybody who's tracking information from customers like you shall not track location along with email address some way to use that as a model to defuzz the concept of good enough reasonable industry best practices all of these think weasel things where any good attorney could weasel out of it and say oh well that's too much that's strangely enough if this were to be a government mandate there'd be first amendment problems with that that's why the the payment card information that's all PCI so that's industry self-regulation that's not actually law it would be very difficult to do that consistent with the first amendment if it were to be a universal standard that says that if you want to be have the EFF good housekeeping sealed I think that's a great idea Consumer Reports is doing a privacy data security kind of seal of approval that they're working on it's out for comment right now but they hope that when people buy a product and it will have a consumer reports like seal of privacy conscious you'll know kind of what that means and so the industry is kind of starting to self-regulate and actually back in the day EFF did have a certification program which we spun off into its own organization that organization is still around they're very prominent but trust E and industry capture happened and now the trust E symbol is essentially meaningless I would also add to that but um that's a separate issue I would also add to that I mean I think when the challenge that every lawmaker faces I mean this has been sort of the global challenge is it's very difficult to be that specific because what ends up happening is the technology changes two seconds later and so I mean as a privacy team we have kind of like a creep contest to see sort of the latest and greatest and was out there in the world in terms of what technology can do that just the average person wouldn't realize you know and so I think that is where I think you know overall the U.S. is probably behind what is happening in Europe because there the regulations are getting a lot more stringent I mean for everyone on this panel for the longest time has noted the concept of privacy by design but I feel like this is the first true mandate with I mean now companies are facing fines of up to four percent of global revenue or or 20 million euro whichever is greater and that's the first time I mean every company I mean I was just at a privacy conference last week I can tell you that's the general data protection regulation you know GDPR I probably heard that 10,000 times because it's waking companies up to say okay because there's now actually the stick and just in the U.S. we just don't have quite the same equivalent to being certainly you know everything the FTC is doing but it's a lot more broad hi this is for the person from the FTC I think I'm more afraid of predatory capitalism than I am of my government and in these times that's saying thank you there's a company that I get an email from every day the word life is in it and every day they have a threatening subject line like you may have a negative rating people may be writing bad things about you things like that your data may be in danger and I have not clicked on it once even though I've you know gotten them every day because I understand that they're a protection racket what can I do or what can anybody do about a company like this so one I'm so sorry you're getting those types of emails that's annoying and frustrating and in our industry we call it FUD fear, uncertainty and doubt which it is putting into you to sell you a product and I hate that as far as what you can do you can personally send me that email the government I'm happy to give you my email because I'm always looking for cases and also we have a complaint assistant it's FTCcomplaintassistant.gov I swear people actually look at the complaints we get weekly reports saying you know who's the big complaint, who are people complaining about what's hot, what's new and it is something a way in which cases are generated and it's called Consumer Sentinel and it is used by multiple law enforcement agencies to kind of advocate for consumer protection so you can always email or complain to the FTC and that goes for if you get a robocall you can complain to them, you get an email you can complain to FTC and that's actually the best thing you can do because the more we hear the better but personally I'm happy to hear about it, thank you I'm Peter Warfield from Library Users Association I'm glad to say we've worked with EFF to stop RFID frequency identification tags going into library books that's 12 years ago and again now in its planned version the one thing that I'm glad to hear very much today is about the EU and the R word which we seldom hear in these sorts of discussions here and that is regulation and I would also call it collective action I think that the individual things that people can do are fine but if you have the brains and the energy to keep up with it and as you said things keep changing so you've got to constantly be alert and aware but I do think I'm very glad to hear about what EU is doing as far as I know always been much stricter and more aware of privacy issues data crossing borders and all kinds of things over many decades and I think we should look to what they're doing what we can do in groups whether it's my group EFF other groups and through government regulation we stopped RFID coming into our public library by going to the supervisors and getting them to refuse funding but I think that regulations and predatory capitalism all these sorts of things would be greatly assisted by collective action that works on governmental keeping an eye on things and regulating things I also think that there's a great need from people's ignorance well I'd like to know what everybody thinks about that whether they agree with that or have other ideas I also think that other things that are valuable are educating people about the problems giving examples of when things have gone wrong and as I said again collective so I'd be interested if other folks have a different idea or concept of the value of it so from the EFF perspective our legislative and regulatory agenda in DC is damage control that's it right now in the states our regulatory and legislative agenda is quite broad so we're doing a lot in California we're doing a lot in other states around the country but on the federal level we are fighting back attacks rather than going on the offensive ourselves I would say something similar also from Wikimedia the challenge we sometimes see as people are putting together regulations is they don't actually make people safer they will propose things that are just either completely unworkable and therefore or if they are workable they are extremely expensive and so what you end up with is a regulation that looks like it's designed to help privacy but actually will just lead to like the consolidation of big business and difficulty for other new people to come and compete so we are trying to be careful and conscious of watching for that while still advocating for privacy best practices and I think if regulation is well constructed then we would definitely support it I actually think so section 5 of the Federal Trade Commission Act is the big authority that the Federal Trade Commission has in it as Wendy mentioned it prohibits unfair and deceptive practices so you can't lie to consumers and you can't treat them poorly and I actually think that broad scope allows the agency to actually react really well to changes in technology and deal with issues as they come rather than prescriptively specific practices that are inevitably going to change in 6 months 10 years ago we would have said it's a requirement that websites store a hashed version of the password today that would be insane what's a hash? a hash is a cryptographic function that is supposedly irreversible you can take my name Nate Cardozo run it through a hash function come out with what looks like a random string prove that the random string came from my name but you can't take the random string and turn it back into my name until you get sufficient computing power and we've now hit that until so 10 years ago we thought that that was a really great way of storing passwords today it's a complete insanity to store passwords using a simple hash function indeed yeah yeah this is also for Whitney of FTC regarding the Vizio and the smart television and capturing data without consumer permission did that happen pre-Trump I would think so but I hope I'm wrong and how things change because I think Bose is starting to do that there's always so the FTC's makeup is five commissioners it's a bipartisan commission that is three of the main party of the president two of the other party and I say other party because it has been two independents and three Republicans in the past that has been three Democrats and two Republicans so right now the commission has made up only of two people we have our acting chairman Olhausen she was appointed by Obama as well as commissioner McSweeney who is a Democrat so Olhausen is the Republican as a bipartisan commission you know it's not much has changed in that sense they're both fighting for consumers and consumer rights each chairman has their own agenda and projects they like to work on and drive the industry forward acting chairman Olhausen is really interested in fraud and abuses towards small businesses as well as things that have happened or consumer issues involving veterans targeting veterans or elderly and so for what it's worth the FTC protects consumers you're never doing anything bad it's great so I have no clue that's my two cents as younger generation are pushing more for more transparency don't see the need of privacy like you kind of mentioned younger developer community what are the implications for democracy as a whole easy question transparency doesn't matter alright I'll take a stab at it I think that first of all I'm not sure that that is an ongoing and ever increasing trend I think we're actually seeing for example with the switch in the presidential administration there's a lot of people who were all for transparency and complete openness that are suddenly like hey I actually don't want all of this information known by the government so that may or may not actually be the way that the trend is going and it could be more of a waxing and waning kind of thing to the extent that there is a trend of people pushing for transparency I think it is good in some places so when you have transparency on the government side when you have transparency from decision makers and transparency from businesses about how they're using your data notice of what they're doing with it that allows just people in the world to make informed decisions and I think that makes things better for the most part I can't think of an example where it doesn't make things better I just sort of wanted to you know put in that copy out there but it generally makes things better on the other hand when you have individual people who are all this information about them is available that does create a risk and it creates a particular risk I think for activities that we normally think of as needing to be protected but that become vulnerable when everybody has all this information about everyone so for example political advocacy is the kind of thing where you generally don't want it known by everyone especially if you are advocating on a controversial topic or a controversial viewpoint but if the only people that are trying to keep things private are the people engaging in political advocacy then they are vulnerable in a way that they might not have been before I'm sure Nate can say a lot more about that I'll actually I'll do what lawyers call fighting the hypo and I'll push back on your premise I think young people have a much more sophisticated view of privacy than we do if you ask someone an average middle schooler what their snapchat or Facebook or Instagram privacy settings are they will tell you in a way that you don't even have a concept of and they have lists they know exactly who is going to see each of their posts they know which posts their parents are going to see and which posts their parents are not going to see and they are much better at it than we are so to say that young people today don't believe in privacy or believe in radical transparency I think is a that's what they want you to think and that's not right they have a much more sophisticated view of privacy than we do although that being said I think one of the reasons why Europe has such a different view and these issues is a historical perspective that I feel like there's a point that is certainly lacking in the US I mean you don't have to talk too long in a conversation with someone in Europe and there's there are very clear reasons why some of these protections just that thought process that's sort of behind that that I feel like isn't necessarily in our cultural fabric the same way although I to push back on that a little bit I think that's right as far as the law goes but then there's a number of European countries that have the highest number of closed circuit television cameras on the streets Europe has the weird dichotomy where Europeans distrust corporations at a visceral level and for some reason trust their government and in the United States for some reason we distrust our government but yet we trust corporations neither of those perspectives is correct at all I think I'd also add too the question is about transparency but I think a lot of times in the US there is this huge focus on transparency I'd say it's necessarily but certainly not sufficient for talking about what's important for our democracy accuracy of data it has been so fascinating to watch that play out on the national stage of how easy it is to sort of manipulate data and so we all have these sort of digital profiles of who we are and our digital existences and it's interesting to see how that's played out over the last year in terms of the impact of democracy so I think it's there's so many different concepts that come into play that I think transparency is important but it is interesting you know even working with customers when people say they want more transparency that's why I mean there's so much criticism of companies for having long privacy policies first of all it's legally required and it is an attempt to sort of I mean because you're sort of damned if you do damned if you don't I can tell you doing my job we want to make sure we have everything in there because the last thing we want to be accused of is saying we weren't transparent about what we're doing so you end up having long descriptions of this is exactly what we're doing but then there's that and so I think it's it's it's a really interesting time because I think it's and that's where it was a great question earlier in terms of you know is the law enough and I would say you know the answer is certainly no I mean there's the ethics questions and sort of philosophical questions and so I think that's probably one of the I mean maybe the only benefit of the current time that we're in is these conversations are happening on the national stage in I think an incredibly important way. Question on the back. Very fascinating discussions. I have a couple questions. In I live in another coast half the year and an elderly member of the family was targeted through a scheme out of Jamaica. It got to be very involved they were going after elderly people having to do with you know sweepstakes and I wrote to everybody I could think of in New York City and around the country and the only thing that we could ultimately do was change our phone number because you know there it just became a little bizarre because there were certain rules in New York where you couldn't block another country and then this sort of leads into other stuff. You know the subject of like Interpol what can you do when you're targeted for instance on your computer buying outfit in the Philippines in Africa these complicated international criminal syndicates that constantly fish people's emails and then once you step into that sand trap black hole you know three years two years five years down the line bang you're going to be targeted again. You know so what I'm wondering is why for example in San Francisco we do not have an internet fraud department for example I've been you know faced this problem several times getting stepped into various black holes and it's sort of astonishing why we don't have something like that in Northern California when you do have a complaint of this kind when you haven't actually suffered a financial loss but you have somebody that's attacked you for your identity theft etc. They've almost gotten money but not quite you know the local police force will say you don't you haven't made a loss and anyway it becomes this very complicated issue where you can't get any help. I know the FTC deals a lot with identity theft do you want to give some tips there how to avoid it what to do? Yeah so being targeted feels just the worst and sometimes it feels like you can't escape it one of the problems with identity theft and small crimes even ransomware where you'll download a virus and now it's taken over your computer it's too small of a crime for local police to get involved or they say oh the criminals out in another country nothing we can do whereas petty theft before the police used to maybe do something and so the federal trade commission for the extent that we can we work with countries we travel to other countries and work with their local police to help them combat the crime that's happening coming from their country targeting US citizens so for a long time the FTC was traveling to India working heavily with the Indian government and the police there to kind of advocate and say you know let's talk about the call centers that are doing these illegal robo calls or IRS scams and and eventually the Indian government had a big sweep and took a lot of them down and so it takes time the unfortunate thing is from the consumer side what you can do is complain to the FTC there is also identitytheft.gov which will walk you through the steps if you're targeted or you're a victim of identity theft and what to be aware of the unfortunate thing is I just ignore every phone number that I don't know once you pick up they know that someone is on the other line so I just let it go to voicemail because I know the people who need to reach me will leave me a voicemail and so I sadly screen a lot of my calls as far as like how you can stop from being targeted they're just going to throw it at you nonstop and you just have to unfortunately ignore it and report it and you know to the extent that the FTC can we do go after sweepstakes scams we do go after IRS scams and the important thing is you know goes back to my previous comment what's the thing that you can do to protect yourself scrutinize think go this is weird just hang up on them I don't know what this email is delete because if someone really wants to get in contact with you this day and age they'll find a way yeah we actually do have a pretty good resource here in San Francisco the California Attorney General's Privacy Office of the 355 Golden Gate is pretty good they can only go after bad guys in California but that's just the limit of their jurisdiction and we work with the California Attorney General as well as the Attorney General across the United States to see who are victims of fraud and scams and to protect them to try to stop those entities and that's one of the initiatives and important missions that the current acting chairman is advocating for which is let's try to stop some of this stuff and make a special effort especially those targeting the elderly I've got a couple questions in the back and then we'll move our way back to the front thank you with regard to the security of the content of password managers I use LastPass do you know whether that content is encrypted or otherwise protected from malware or somebody getting into your computer so you may have heard in the news about LastPass I can't recommend any one particular password manager but any password manager use is good password manager like it's going to make you more secure as far as whether or not they're encrypted to my knowledge they claim that they are I believe that personally I personally believe that they are and that they are doing their best to use security best practices I think the incident that you may have heard of in the media was security researchers had found some vulnerabilities in LastPass this is very normal all software has vulnerabilities all software has bugs the company rapidly responded and patched those vulnerabilities so as a LastPass user I personally wouldn't be sick I don't use LastPass but I have friends who use LastPass and I say I think you're probably fine always keep your software up to date because if they're patching vulnerabilities that's a way you can also make sure you're secure I can also tell you what not to use you're laughing because there's like a book on Amazon right now have you seen this where it's like a password manager so you can write down all of your passwords and it literally says like you know password book on it like this is wonderful just keep that right next to your computer so everyone has a bible of every password for all of your doing that would be way better than using the same password on every state way better because the chances that you're gonna have your office broken into or your home broken into is less less likely but keep that thing secure I work in an open office so I don't know about that don't leave it sitting out like on the you know on the table where it's like here's how to get into everything but you know put it in a drawer lock the drawer and like that's way better than using the same password in 30 places it's a hierarchy question here so I'm curious about your thoughts on hackers coming from Russia coming from China state owned entities that are intentionally trying to hack not just individuals but say the US government I've heard the Department of Defense has been hacked the IRS has been hacked by foreigners and I'm just curious as to what your collective take on foreign hacking attempts not on the US government and the integrity of our information from a government standpoint is how safe is that even as like from the perspective of a company that cares a lot about these things and tries our best to keep up with data security practices as much as possible I think there's an understanding that if a significantly powerful foreign government decided to specifically turn its attention to any one company or person or group they're probably going to get what they want and you can't really stop that but you just sort of live in that world and I don't think that's like it's I don't think that's the thing to be worried about because they're not going after everyone and everything and this is a matter of like being obscure enough or being not important enough for them to target like even within the US government there's just a lot out there and they may make efforts on certain things and that may happen but we just have to kind of keep improving keep fixing mistakes that are found and accept that the world is a little bit imperfect right like you can't actually stop everything and from from an information security perspective a lot of times we don't we we talk about making the cost of exploitation higher so you're never going to keep anything completely secure you're never going to make anything unhackable you can make it really expensive to hack a particular system or a particular company or a particular network and so and that's the best we're going to get right if the NSA wants into my phone they're going to get into my phone but they're probably going to have to spend a million bucks to do it and that's that's the world that I want to live in I want to I want to live in a world where I mean I would love to live in a world where things are unhackable that's a fantasy I want to live in a world where things are really hard to hack and that's the goal that I think all of us at this table share yeah I think of the unhackable piece it's sort of interesting because it's going to be a long time before if ever before we ever get there because what's interesting is to me about some of these hacking attacks is how sophisticated they aren't because a lot of times all it requires is the human element I mean phishing schemes you know you get an email from your boss hey send me X well my boss just sent me an email I'm going to respond you know raising awareness within organizations just because your boss sends you an email asking for the crown jewels that maybe your boss probably wouldn't send an email like that you know that that's a huge challenge and so it is sort of interesting because you know every company is spending more and more and more on information security I mean I noticed every time I fly into SFO and like all of the billboards are sort of cybersecurity companies and this huge cottage industry you know it's a great industry to be in because every company is you know throwing so much money at it but what's so interesting to me is you always have the human element and so as long as that exists you know it's going to continue to be a challenge so I think it's just continuing to raise awareness you know and it's exactly what she was saying earlier in terms of just that gut test of okay I mean because I get phishing emails quite often it's just very bizarre there's always like a smell test like this is just a little off you know why am I getting this right now and it's but it is amazing how good they are scam emails to really interestingly if you ever like there are examples online they are have a lot of misspellings and they do this on purpose because they don't want to be too successful they can't handle the volume so you know they're going to be off just a bit and but if they're trying to hack you they're going to be really accurate so there are two different types right you know one type of scam send me money but I think now that security and privacy are you know talked about pretty regularly within organizations it's okay to say to your boss hey I just got this email from you did you really send it like pick up the phone and call and ask the person and if they're like yeah why are you asking like you know just being extra secure and I don't think anyone's going to go to sis sis you've been you know extra secure so it's it's it's worth going that you know kind of extra step question here in the front I want to ask about hospitals and the medical medical information there have been a lot of hospital hackings hospitals are renowned for having very poor security so that troubles me and you don't want that information out and about but in addition what about turning off people's pacemakers and otherwise thwarting some of the medical things I mean how serious a problem is this and how does it get controlled well in in theory it's it's a potentially very serious problem there have been proofs of concept that you can remotely disable a pacemaker remotely turn a pacemaker into something that we call someone to my knowledge we haven't seen any of those attacks in the wild so it's theoretical so far hopefully we'll never move beyond theory part of the problem is as the internet of things becomes you know as we put the internet on things which have never had the internet on them before the engineers who build pacemakers the engineers who build refrigerators the engineers who build cars have never had to think about computer security cars have had computer networks in them for 15 years but they haven't been connected to anything so security hasn't been something that car makers have had to worry about all of a sudden you put a modem which is essentially what most cars have in them and you put the car on the internet security becomes a huge problem like all of a sudden pacemakers pacemakers have had computers in them essentially since they were built and they've had wireless communications in them for a very long time the problem is it used to be that those wireless communications device had a range of about six inches now they have a range of 300 feet and that's very different so companies in industries that have never had to think about computer security before all of a sudden do and they're particularly bad at it one of the things that I do in my practice is I counsel security researchers who find vulnerabilities in these systems and a company like Microsoft or Apple or Google have dedicated pathways for reporting vulnerabilities they're very good at it sometimes they'll even pay you money for reporting a vulnerability a medical device company says why are you hacking a pacemaker and instead of connecting you with a security engineer they connect you with an attorney and that's bad for everybody that's bad for the medical device manufacturer it's bad for the researcher and it's terrible for the patient so I think a shift in corporate culture in companies that have never had to think about these things before is what's necessary here although I think they're getting up to speed very quickly to your point about regulation it's bad out there it's really bad it's really bad there's whole regulatory proceedings on the safety of connected cards I'm part of those multi-stakeholder yet I will say too especially with medical devices it is a whole different world for computer security than your phone your phone has a vulnerability the software can be updated a company can push that update you have a medical device in your body what if it can't be updated and there's a vulnerability out there how does the FDA that regulates medical devices handle that this is a very very hard question and I know a lot of really smart people who have been in computer security for a long time who don't know what the right answer is because you get a vulnerability disclosed to the company or someone discloses it publicly and the company goes we can't update it now what and how do you handle that and so there are a lot of really hard questions with implanted medical devices that are just really special to that industry because you can't how do you recall something in your body or embedded systems in general so you know Teslas can receive software updates over the air forwards can't and you can or you know a software update over the air but they can you know you can apply the brakes over the air and so those have to go into the dealership to get active which goes to privacy by design and security by design which is you need to think about end of life products what if your company ceases to exist does the product die what if the product needs to be updated how does the consumer how does the purchaser do that and so when you think about all these things developing your product you will get to a point where like you won't hit those troubles later on hi two quick questions one going back to password managers is that keychain consider password manager and the second is it true that mobile apps are intrinsically much more hackable and less so it doesn't matter if I'm using my bank America mobile app bank of America mobile app is probably more secure than the website but that's only probably I don't actually know the answer to that question there's nothing intrinsic about having being mobile that makes it more or less hackable we talk about something called attack surface the attack surface of a web browser is quite large because web browsers can do all sorts of things they can do video they can do audio they can contact any domain that's out there by design they have to because that's what you use a web browser for the bank of America mobile app can do one thing it can contact bank of America so it's actually easier to secure that because it has we would say a smaller attack surface because it has fewer things that it has to do you know if the security engineer in charge of that product sucks the product is going to suck two quick questions quick I've got two quick questions I don't know about the answers the first one is seems to be very difficult and I don't know how you do it how does anybody know when or if the terms of use have been violated that's number one and number two I think there's a flip side of privacy and security and that is censorship so Facebook cuts out certain things they don't like certain images bibliocommens a catalog system at the public library takes the liberty of from Canada a Canadian company simply cutting out comments that people want to put on books that they otherwise would be free to comment on search engines can leave out results if they feel like it and that sort of thing so let me do the first question there is a good way and a bad way to find out that something has been you know hacked or somebody's violated your terms of use when they release it publicly and that's how you find out the good way is if you actually have you know security engineers and you have technologies for monitoring your own network so for example let's say that somebody tried to hack a like database of passwords for the Wikimedia Foundation there's we have several security staff and there is network monitoring so if somebody had downloaded a really large amount from that server because there is like an actual machine physically located somewhere it's a computer server that has that database on it if that was downloaded in a large quantity somebody on our security team would notice that and be able to tell us that that had happened and then we could investigate and figure out that maybe there had been some kind of breach and start you know notifying people and letting them know they should change their passwords or you know something like that right so the idea that is that you have internal monitoring you have security people that are actually paying attention to that and therefore can catch those problems as quickly as possible if a vulnerability is found and exploited. The other thing is I mean traditionally the FTC we generate cases in a whole different way we bring and investigate our own cases against companies and individuals for example with scams it happens to you you know what's happening your scam you complain to us we hear about it we can take action if a terms of use is violated or a privacy is violated they're collecting information that they said they weren't collecting or they're doing something that you know a consumer may not recognize it and so we rely on researchers and people who spend time looking into this type of information to tell us and let us know hey I happen to be playing around with this app and it's collecting information it shouldn't and so you know that's where news media reports etc can be really helpful at least in our enforcement to kind of look at where terms of use or terms of service violation might be coming from the censorship question the answer is a panel in and of itself yeah so I have a 36 part question two part question again so what is more important from the corporate standpoint the first to market grab the market share or let's design a product that's good secure and let's be honest about it and no frills and whoever comes first afterwards okay fine and the second part is will we ever have a HIPAA style law or regulation for all companies not just healthcare but a HIPAA style protection of data for all companies not just healthcare thank you the second one is called the GDPR it's going into effect in Europe the general data protection there's not one in the United States although probably we're all going to have to comply with the GDPR anyway more or less but there's not that to happen in the United States but historically the U.S. has done it by type or by industry sector rather than having some kind of like general privacy regulation so there'd have to be some kind of broad base of public support that would lead like the entire congress and the president to decide that that was a law that they wanted to spend their time and effort getting into place and there have been companies actually that have pushed for a broad based privacy framework in the U.S. when I first started my career I was doing that work but then congress broke we'd certainly love to see a situation where we didn't have 48 states we'd certainly like to see a situation where we didn't have 48 states data breach and notification laws to comply with I would love a national standard that would make a lot more sense I mean it is a good point the general data protection regulation most companies with global operations are evaluating because you can't have multiple products and so ultimately we aren't looking to that for global operations but to address your first question I certainly can't speak for all of corporate America obviously we've seen examples of both I mean there are companies that speed to market before they stop and think about anything I mean and so I think as a consumer one thing I look at Groupon is a company with a ton of vendors and so it's been very interesting I think one of the most interesting things for me doing this job is I end up sort of doing due diligence from the corporate perspective because there's a lot of really neat technology right until you realize it is four people sitting in the back of the garage one of them probably getting high and you're thinking about we're going to give our crown jewels to them I don't think so and so I think we're at a time where I think companies are well aware that customer trust is important and so I think the companies that are sort of speed to market maybe they win in the short term but if you lose that customer confidence that's something I truly believe it's very difficult if not impossible to get back I would add to that I think the first part of that question is not really an internet related thing or a privacy related thing it's a question about reputation and it's something that has always existed in business for human history there are some people who try and take advantage of a situation and jump in quickly and exploit it and not be careful and there are other people who care more about their reputation and their reliability over a longer time and I think we try to have ways to distinguish that so something like what Nate was talking about with trustee before they sort of lost meaning where if you have some people who are like checking out is this company complying with best privacy practices that is a way to know if something is good or not and there are some people that are going to care about that I design I design I mean we do have an example for NOx and just here in our backyard when it's the opposite no one has technically escaped from Alcatraz so if you put something inside no one can think it out no one can think so I mean yeah there are things that are unhackable but it has to be designed that way well you'd be surprised anything called unhackable is a challenge by hackers and security researchers to find a way it would be expensive to hack so we have to hack it we didn't see any other comments thank you to the panel and thank you for such incredible questions thank you thank you and I'd also like to give a special thank you to Lindsay Tonziger who is also a Mechanics Institute Board member so a special thanks to you and our esteemed panel wonderful conversation come back and keep it going