Talk by Polina Zvyagina, Airbnb (San Francisco), at Stanford Engineering on February 25 2019, Session #6: 'Growing ‘Bitcoin Cities’ Across the Globe from Slovenia || GDPR Compliance Case Study || EU Digital Economy Policy'.
Website: http://www.StanfordEuropreneurs.org
YouTube Channel: https://www.youtube.com/user/StanfordEuropreneurs
Twitter: @Europreneurs
1. Privacy @ big tech
2/25/19
Polina Zvyagina
Privacy Counsel @Airbnb
European Entrepreneurship @ Stanford
2. Agenda
● Who I am
● Why Privacy matters - The law, the industry, consumer expectation
● Why now?
● “How to” Privacy
3. Privacy & Security Counsel
● Privacy Legal team based out of HQ
○ Data Protection Officer in Ireland
● We set policies for the whole company related to data use
● We support your product counsel in drafting notifications, help with UI flow, adjust policies, and resolve issues as they come up
● We work on scalable Privacy solutions such as:
○ GDPR Efforts
○ Training
○ Privacy by Design
○ Self-service playbooks
5. ● Privacy-related mistakes can cost up to 4% of global annual turnover (the GDPR maximum fine)
● 60% of breaches are caused by human error
● Equifax breach cost $400M
6. Complex Regulatory Framework
● US Law:
○ Section 5 of the FTC Act: Unfair and deceptive acts and practices
■ + FTC recommendations
○ Stored Communications Act (SCA), Fair Credit Reporting Act (FCRA), Telephone Consumer Protection Act (TCPA)
○ State-by-state data breach notification laws, CCPA, wiretap laws
○ Industry-specific laws: financial (GLBA), children's marketing (COPPA)
● Europe: GDPR, Directive 2002/58/EC (the ePrivacy Directive)
● APAC
○ Every country has its own set of privacy laws, but the strictest are:
■ Singapore, South Korea, Japan, Australia
Lots of regulators
7. GDPR Case Studies: Lessons learned
Action: Google (France, CNIL, January 2019)
Summary: Bundled consent made it unclear to users of Android phones how their data would be used across all of Google's products, and did not make clear that account creation is not necessary for all phone features.
Damage: €50 million fine (about $57 million)
Lesson:
● Minimize the data used for each purpose
● Track consent
● Do not use data collected for one purpose for another purpose
● Easy UI with fewer clicks that explains how data is used
8. GDPR Case Studies: Lessons learned
Action: Facebook (UK, 2018)
Summary: Improper sharing of user data with third parties
Damage: £500,000 fine by the UK's ICO (the maximum available under the pre-GDPR Data Protection Act 1998, since the conduct predated GDPR), a congressional hearing, and an unprecedented formal apology from Zuckerberg
Lesson: For all data sharing with third parties, complete a security assessment and implement its recommendations (air/security-review)
9. Future of Privacy Law
● Consumers and regulators are only becoming more savvy to how companies use their data and they
want more control
○ CCPA
○ Pending bills:
■ NJ, Conn, NY, Penn, SC, DC, RI
○ Biometric Data state laws: Illinois, Washington, Texas, New Hampshire
○ Federal Privacy Regulation?
This is just the beginning
10. Let’s define some terms
● Personal Data: Any information relating to an identified or identifiable natural person; an identifiable
natural person is one who can be identified, directly or indirectly by any kind of identifier (GDPR). This
is not what you know of as PII, it’s much broader
● De-Identified: information that cannot reasonably identify, relate to, describe, be capable of being
associated with, or be linked, directly or indirectly, to a particular consumer (CCPA and GDPR)
● Privacy Policy: public facing notice that advises the world and our users about how Airbnb collects,
shares, stores, and uses Personal Data
● JIT Notification: Just-In-Time Notifications that advise users about very specific data uses usually within
the UI, either through a pop-up, toast or in-app notifications
● Privacy by Design and Security by Default: being proactive, rather than reactive when it comes to the
treatment of user data
● Privacy Principles: Data Minimization, Purpose Limitation, Accuracy, Storage Limitation, Integrity and
Confidentiality, Fairness and Transparency, Security
12. TRUST
● Trust is hard to quantify but the loss of trust costs a lot of money
○ Fines under GDPR: 4% of the total worldwide annual turnover of the preceding year
○ Cost of the breaches vary, but most recently: Uber is paying $148M to settle, Anthem $115M,
Facebook TBD
○ These costs do not account for lost users and dips in signups and internal operational disruption
● Why do regulators care? Because people get hurt when their data is misused, not properly protected
● Regulators are not the only ones that care: consumer advocates, watchdogs, reporters & data subjects
themselves
Consumer trust requires: empathy, logic, authenticity
Consumers' trust in government and big organizations is at an all-time low
13. Source of Truth
● Consumers read the Privacy Policy and JIT notifications to understand how we collect, use and store
their data
● In the US, regulators read the Privacy Policy, use the product and look for deception
● Across the world, regulators rely on the Privacy Policy to understand how we collect, use and store
consumer data and they send investigative questions
● We recommend everyone, especially leadership, read the privacy policy and consider whether it
accurately reflects all activities of your teams.
○ Our privacy policy is broad so in most cases, what you do should be within its realm
○ Certain products and features demand that we update the Privacy Policy
● The Privacy Policy is a catchall, internal policies are more strict!
Airbnb Privacy Policy : Practice what you preach
14. Other places we might make representations about privacy
and data
● User Interface (UI)- info toolkits, just in time
notifications
● How-to videos
● Help articles
● Conferences, Interviews with reporters &
regulators
● Blog posts
● Emails we send to users
● Survey language
● Emails we send to try to get user stories
● Here’s a summary of companies under FTC
consent decrees for 2017 (2018 report to
come out in January)
16. Privacy Principles to Follow
● Privacy by Design extends to a trilogy of encompassing applications:
○ IT systems;
○ accountable business practices; and
○ networked infrastructure.
● Risk-based approach to how data is treated based on sensitivity of the data & volume of data
● Personal Data:
○ Any information relating to an identified or identifiable natural person (‘data subject’); an
identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person
● Financial Data: Does not need to be Personal Data to be highly risky if mismanaged
In every product decision
17. Privacy By Design
● Proactive not reactive
● Privacy by default related to Personal Data
○ Tag data appropriately according to a data schema
● Privacy has to be embedded into the design process
● Full functionality: positive-sum, not zero-sum
● End-to-end security
● Transparency
● Respect user privacy
An excellent standard for the last 10 years, and now the law, under GDPR
18. Privacy Principles
● Adherence to the following privacy principles:
○ Data minimization: this is the most common pitfall and the beginning of privacy decay
○ Identify purpose of the collection
○ Limit the use of the data to only that purpose for which it was collected
○ Accuracy
○ Storage limitation
○ Integrity and confidentiality
○ Fairness and transparency
○ Security
● Consumer rights
19. Privacy By Design in Practice
● Developing a new "product" requires going through a privacy analysis and doing a PIA
○ A "product" is any business process, project or activity that proposes to use customer data in a new way.
■ Incorporating a data questionnaire into the product review process will help your counsel
identify whether a new PIA is required.
○ While you design, Privacy counsel makes suggestions on how to minimize and mitigate privacy
concerns
● The plan and the mitigations are documented in the PIA
Privacy Impact Assessments
21. Personally Identifiable Information vs Personal Data
Whereas the European Union uses the term “Personal Data” in its laws and regulations, the
United States’ laws and regulations use the term Personally Identifiable Information (PII).
While PII may refer to information such as name, address, or birthdate, Personal Data is broader
and may include things as broad as social media posts, transaction histories, and IP addresses.
Definition: As defined by Airbnb, Personally Identifiable Information (PII) is any data that personally identifies or may
be used to personally identify an individual.
The U.S. Department of Commerce defines PII as "any information about an individual maintained by an agency,
including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social
security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information
that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
PII differs from Personal Data in that
Personal Data captures a wider range of
information.
22. Data Mapping and Data Tagging
● As companies grow, the amount of data they collect and the data architecture changes very quickly
● Data Inventory is a multi-team effort
○ Product Managers
○ Engineering
○ Data Science
○ Security
○ Legal
● Data must be tagged and mapped appropriately, so that we can know what data we have, where it’s
stored and how it might be used.
Behemoth Task
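One way to make the tagging concrete, as an added example rather than Airbnb's own schema or tooling: each column in a table definition carries a data class, and any column holding personal or financial data must also declare the purpose it was collected for and a retention period, so the inventory can answer "what do we have, where is it, and why" and the purpose-limitation and storage-limitation principles become a check rather than a policy. The table names, classes and field names below are constructed for illustration.

```python
"""Schema-level data tagging and inventory (added example, constructed data)."""

# Allowed data classes; "PERSONAL" marks the ones that need purpose + retention.
CLASSES = {"public", "internal", "personal", "sensitive_personal", "financial"}
PERSONAL = {"personal", "sensitive_personal", "financial"}

# Constructed schema fragment for two hypothetical tables.
SCHEMA = {
    "reservations": {
        "reservation_id": {"class": "internal"},
        "guest_email": {"class": "personal", "purpose": "booking_confirmation",
                        "retention_days": 730},
        "guest_ip": {"class": "personal", "purpose": "fraud_detection",
                     "retention_days": 90},
        "nightly_price": {"class": "internal"},
    },
    "payouts": {
        "host_id": {"class": "internal"},
        "iban": {"class": "financial", "purpose": "host_payout",
                 "retention_days": 2555},
        "passport_scan_uri": {"class": "sensitive_personal"},  # no purpose/retention
        "notes": {},  # untagged free-text column: the usual place PII leaks into
    },
}


def validate_schema(schema):
    """Return a list of problems: untagged columns, unknown classes, and
    personal/financial columns missing a purpose or retention period."""
    problems = []
    for table, cols in schema.items():
        for col, meta in cols.items():
            cls = meta.get("class")
            if cls not in CLASSES:
                problems.append(f"{table}.{col}: untagged or unknown class {cls!r}")
                continue
            if cls in PERSONAL:
                for key in ("purpose", "retention_days"):
                    if key not in meta:
                        problems.append(f"{table}.{col}: {cls} column lacks {key}")
    return problems


def data_map(schema):
    """Inventory of where personal data lives:
    class -> [(table.column, purpose, retention_days), ...]"""
    inventory = {}
    for table, cols in schema.items():
        for col, meta in cols.items():
            cls = meta.get("class")
            if cls in PERSONAL:
                inventory.setdefault(cls, []).append(
                    (f"{table}.{col}", meta.get("purpose"), meta.get("retention_days"))
                )
    return inventory


if __name__ == "__main__":
    for problem in validate_schema(SCHEMA):
        print("PROBLEM", problem)
    for cls, fields in data_map(SCHEMA).items():
        print(cls, fields)
```

Run in CI against the schema definitions, a non-empty result from validate_schema blocks the migration; the data_map output is what the privacy team reads when a data-subject access or erasure request arrives.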
24. Data Subjects Rights
● The right to access their personal data and obtain various other information, such as the purposes of
the processing and who the personal data has been disclosed to
● The right to rectify inaccurate personal data
● The right to erasure
● The right to data portability, i.e. to receive their personal data in an easily transferable, machine-
readable format
● A right 'not to be subject to' a decision based solely on automated processing, including profiling,
which produces legal effects concerning them or similarly significantly affects them
● A right to object to personal data processing.
27. Data Breaches Case Studies: Lessons learned
Action: UPnProxy vulnerability (2018)
Summary:
● Exposed more than 45,000 routers to attacks using exploits from the NSA EternalBlue family, potentially exposing millions of devices behind them.
● Targets routers with vulnerable implementations of Universal Plug and Play (UPnP) to forward ports 139 and 445 (SMB) to the devices connected behind them. This allows malicious traffic to be obfuscated and routed through the router to launch denial-of-service attacks and spread malware to devices on the internal network. Around two million networked devices, such as laptops and smartphones, were left open to attack.
● The attack relies on two exploits: EternalBlue, an SMBv1 exploit attributed to the NSA that targets Windows computers, and its "sibling" EternalRed (SambaCry), which targets Samba on Linux devices.
Damage: TBD
Lesson:
- Scanning for vulnerability
- Testing for vulnerabilities
Action: Cathay Pacific (2018)
Summary: Personal data, from credit card details and passport numbers to physical addresses, stolen by cyber criminals
Action: British Airways (2018)
Summary: Had its website breached and data belonging to 380,000 customers stolen
28. Data Breaches Case Studies: Lessons learned
Action: Marriott (2018)
Summary: Exposed the personal information of some 500 million customers
Damage: TBD
Lesson:
- These significant breaches indicate how important it is to have robust security and data-handling policies within an organization.
- They also highlight how difficult it can be to get ahead of motivated hackers and cyber criminals on a mission to steal data and sell or exploit it in nefarious ways.
29. US Federal Trade Commission (FTC) Case Studies: Lessons learned
Action: Uber Technologies, Inc. (October 2018)
Summary:
- Inadequate internal access controls on user personal data. Despite Respondent's representation that its practices would continue on an ongoing basis, Respondent has not always closely monitored and audited its employees' access to Rider and Driver accounts since November 2014. Respondent developed an automated system for monitoring employee access to consumer personal information in December 2014, but the system was not designed or staffed to effectively handle ongoing review of access to data by Respondent's thousands of employees and contingent workers.
- Security statements in the privacy policy were inaccurate: "Your information will be stored safely and used only for purposes you've authorized. We use the most up to date technology and services to ensure that none of these are compromised." "I understand that you do not feel comfortable sending your personal information via online. However, we're extra vigilant in protecting all private and personal information." "All of your personal information, including payment methods, is kept secure and encrypted to the highest security standards available."
- 2014 data breach
- 2016 data breach
Damage: Consent agreement with the FTC:
- Prohibition against misrepresentations
- Mandatory privacy program
- Privacy assessments by a third party (the reporting period for the assessments must cover: (1) the first 180 days after the issuance date of the Order for the initial assessment, and (2) each 2-year period
Lesson:
- Implement reasonable access controls to safeguard data stored in the Amazon S3 datastore. The complaint's example of what Respondent did not do: i. require programs and engineers that access AWS to use distinct access keys, instead permitting all programs and engineers to use a single AWS access key that provided full administrative privileges over all data in the Amazon S3 datastore; ii. restrict access to systems based on employees' job functions; and iii. require multi-factor authentication for
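The two control failures in the Uber case, ungoverned employee access to Rider/Driver accounts and a single AWS key with full administrative rights over the S3 data, can both be turned into automated checks. The script below is an added example, not Uber's or Airbnb's code: the first check reviews an internal-tool access log against the ticket system, requiring every account view to come from a permitted role and to cite an open ticket for that same account; the second audits an IAM policy document for an S3 admin wildcard, a resource grant that is not scoped to a job-function bucket or prefix, and a missing `aws:MultiFactorAuthPresent` condition. The log format, ticket mapping and the two policies are constructed for illustration; the policy audit only reads `Action`/`Resource`/`Condition` on `Allow` statements and ignores `NotAction`, `NotResource` and permission boundaries.

```python
"""Access-review and S3 policy audit checks (added example, constructed data)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed internal-tool access log in a hypothetical CSV format.
ACCESS_LOG = """\
ts,employee,role,account_id,ticket_id
2019-02-25T09:01:00Z,agent17,support,rider-1001,T-551
2019-02-25T09:03:00Z,agent17,support,rider-1002,
2019-02-25T09:04:00Z,agent17,support,rider-1003,T-551
2019-02-25T09:10:00Z,eng42,engineering,driver-2001,
2019-02-25T09:11:00Z,agent09,support,rider-1001,T-552
"""
# Constructed ticket-system state: open ticket -> the account it concerns.
OPEN_TICKETS = {"T-551": "rider-1001", "T-552": "rider-1001"}
ACCOUNT_VIEW_ROLES = {"support"}


def review_access(log_text, open_tickets, allowed_roles):
    """Return (flags, accounts_viewed_per_employee). A view is flagged when the
    role may not see accounts, no ticket is cited, or the cited ticket is for
    a different account than the one viewed."""
    flags = []
    accounts = defaultdict(set)
    for row in csv.DictReader(StringIO(log_text)):
        accounts[row["employee"]].add(row["account_id"])
        who = (row["ts"], row["employee"], row["account_id"])
        if row["role"] not in allowed_roles:
            flags.append(who + ("role may not view accounts",))
        elif not row["ticket_id"]:
            flags.append(who + ("no ticket cited",))
        elif open_tickets.get(row["ticket_id"]) != row["account_id"]:
            flags.append(who + ("ticket is for a different account",))
    return flags, {e: len(a) for e, a in accounts.items()}


# Constructed IAM policies: the shape the complaint describes (one grant with
# full S3 rights on everything) and a job-function-scoped replacement.
SHARED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
SCOPED_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::trip-data-prod",
                     "arn:aws:s3:::trip-data-prod/support/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition):
    for operator, pairs in condition.items():
        if operator in ("Bool", "BoolIfExists"):
            if str(pairs.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
                return True
    return False


def audit_policy(policy):
    """Flag Allow statements that grant S3 access admin-wide, without a
    bucket/prefix scope, or without an MFA condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(a == "*" or a.startswith("s3:") for a in actions):
            continue
        admin = any(a in ("*", "s3:*") for a in actions)
        unscoped = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if admin and unscoped:
            findings.append(f"statement {i}: full administrative rights over all S3 data")
        elif unscoped:
            findings.append(f"statement {i}: not restricted to a job-function bucket or prefix")
        if not _requires_mfa(stmt.get("Condition", {})):
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    flags, counts = review_access(ACCESS_LOG, OPEN_TICKETS, ACCOUNT_VIEW_ROLES)
    for flag in flags:
        print("ACCESS", *flag)
    print("accounts viewed per employee:", counts)
    for name, pol in (("shared-admin", SHARED_ADMIN_POLICY), ("scoped-mfa", SCOPED_MFA_POLICY)):
        print(name, audit_policy(pol) or ["ok"])
```

The access review is the part the consent order says must actually be staffed: the per-employee account counts are there so a reviewer can see bulk lookups that each cite a valid ticket but add up to scraping. Distinct access keys per program and engineer is a credential-issuance rule rather than a policy-document property, so it is enforced at key creation (one key per principal, no sharing) and is not something this policy audit can detect.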