During the 23rd Privacy Enhancing Technology Symposium, privacy experts Dr. Susan Landau, Dr. Carmela Troncoso, and Dr. Serge Egelman led a one-hour Ask Me Anything (AMA) session for symposium participants. PETS is a conference focused on privacy technology research, with publications ranging from censorship techniques to privacy perceptions. Audience members asked questions on issues such as academic ethical responsibility, establishing federal privacy laws, and inclusion of interdisciplinary research in conference calls for papers. 

Similar to the findings presented in a recent CSET data brief, The Inigo Montoya Problem for Trustworthy AI, the panelists emphasized that academics and policymakers have not yet established agreed-upon definitions for terminology surrounding key ideas within the privacy space, making it difficult for the two groups to work together effectively. Landau and Troncoso pointed out how language can be a barrier to enacting effective privacy policy and conducting interdisciplinary research, highlighting the importance of a shared language. Landau, the director of the M.S. in Cybersecurity and Public Policy program at Tufts University, emphasized the need for graduate students to learn policy language alongside the technical curriculum, noting that it is essential to understand policymakers’ vocabulary and mindset. Researchers are traditionally constrained to black and white problem spaces, Landau explained. “We think in binary,” she observed. “[Policymakers] don’t–it’s all gray.” When asked how the privacy community can get involved in policy, Troncoso recommended that researchers engage in policy conversations outside of academia to “get the language that [policymakers] speak, which is not our language.”

How Policymakers Can Engage with the PETs Community

With the conversation focused on how the academic community can participate in policy development, I asked the panel a question with the converse framing: what can policymakers do to better interact with the privacy enhancing technologies (PETs) community, or more broadly, the academic community?

Egelman suggested that staffers should be sent to conferences like PETS regardless of their technical background. Troncoso acknowledged that for both groups, participating in each other’s communities is difficult because each lacks the necessary knowledge to actively listen and participate as they do in their area of expertise. She encouraged both groups to be more open-minded and willing to become comfortable with the unknown, working towards mutual interdisciplinary understanding. Lastly, Landau reminded the audience to be eager to work alongside policymakers –as such collaborations are in both communities’ best interests and should be prioritized. 

When Troncoso was asked how she organized her collaborative work with the Red Cross, she encouraged researchers to “get out of our comfort zone” and attend events, programs, and meetings where we can ask humanitarian organizations what they need. This approach, she pointed out, allows researchers to build projects around these real-world problems versus trying to fit their research agendas into solutions for current challenges. The panelists addressed the obstacles in prioritizing these types of collaborations, as the academic business model pushes for high volumes of scientific publications in top-tier venues, as opposed to interdisciplinary work with lower scientific value but significant societal impact.

Law and Policy Research

In addition to the AMA session, PETS facilitated paper presentation sessions on 17 topics over the three day conference, one of which was law and policy research. This session was a collection of papers that  provided insights into current privacy law and regulation enforcement, as opposed to technical contributions in the privacy space. The following six papers on privacy policy were presented:

• SoK: Content Moderation for End-to-End Encryption: Sarah Scheffler (Princeton University), Jonathan Mayer (Princeton University)
• Data Security on the Ground: Investigating Technical and Legal Requirements under the GDPR: Tina Marjanov (University of Cambridge), Maria Konstantinou (Vrije Universiteit Amsterdam and Freshfields Bruckhaus Deringer), Magdalena Jóźwiak (Tilburg University), Dayana Spagnuelo (TNO)
• Evolution of Composition, Readability, and Structure of Privacy Policies over Two Decades: Andrick Adhikari (University of Denver), Sanchari Das (University of Denver), Rinku Dewri (University of Denver)
• Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA): Nikita Samarin (UC Berkeley and ICSI), Shayna Kothari (UC Berkeley), Zaina Siyed (UC Berkeley), Oscar Bjorkman (UC Berkeley), Reena Yuan (UC Berkeley), Primal Wijesekera (UC Berkeley and ICSI), Noura Alomar (UC Berkeley), Jordan Fischer (UC Berkeley and Drexel Kline School of Law), Chris Hoofnagle (UC Berkeley), Serge Egelman (UC Berkeley and ICSI)
• GDPRxiv: Establishing the State of the Art in GDPR Enforcement: Chen Sun (University of Iowa), Evan Jacobs (University of Iowa), Daniel Lehmann (University of Copenhagen), Andrew Crouse (University of Iowa), and Supreeth Shastri (University of Iowa)
• Researchers’ Experiences in Analyzing Privacy Policies: Challenges and Opportunities: Abraham Mhaidli (University of Michigan), Selin Fidan (University of Michigan), An Doan (University of Michigan), Gina Herakovic (University of Michigan), Mukund Srinath (Penn State University), Lee Matheson (Future for Privacy Forum), Shomir Wilson (Penn State University), and Florian Schaub (University of Michigan)