S1E7: Privacy Engineers: The Next Generation with Lorrie Cranor (CMU)

Show Notes

In this episode, I’m joined by Lorrie Cranor, FORE Systems Professor, Computer Science and Engineering & Public Policy at Carnegie Mellon University (CMU); Director, CyLab Usable Privacy and Security Laboratory; and Co-Director, of CMU's MSIT-Privacy Engineering Masters Program. We discuss the different tracks within the Privacy Engineering Program at CMU, privacy engineering hiring trends, the need for industry education, and Lorrie’s research outside of the classroom.

----------
Thank you to our sponsor, Privado, the developer-friendly privacy platform
----------

Lorrie explains how this next generation of privacy experts and engineers can work together to bring new architectures, innovations, and software to market. She describes the kind of hands-on work in which her students participate, including a capstone project sponsored by Meta that’s exploring ways the platform can integrate more privacy education into its UI/UX.

In addition, Lorrie shares her perspective on the job market for privacy engineers for recent grads and explains how CMU’s Certificate Program in Privacy Engineering aims to meet the high demand for experienced privacy experts with knowledge of privacy engineering concepts. We also get into her research on cookie banners and privacy “nutrition labels” for IoT devices.


Topics Covered:

• Lorrie’s professional background and what drew her into privacy engineering
• What candidates can expect from the Privacy Engineering Program at CMU 
• Insights into how people interact with cookie banners and potential solutions to improve the user experience
• Ways that we can bridge the hiring gap in our industry
• Different sectors outside of tech that are looking for privacy experts, including finance and retail

Resources Mentioned:

• Apply to CMU's Privacy Engineering Program (Applications due Dec 12th, 2022 for the next enrollment period)
• Learn about CMU's CyLab Security & Privacy Institute
• Learn about the CyLab Usable Privacy and Security (CUPS) Laboratory
• Review CMU's research on IoT Privacy & Security Labels.

Guest Info:

• Connect with Lorrie on LinkedIn
• Follow Lorrie on Twitter
• Learn more about Lorrie

Privado.ai
Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.

Shifting Privacy Left Media
Where privacy engineers gather, share, & learn

Buzzsprout - Launch your podcast


Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Copyright © 2022 - 2024 Principled LLC. All rights reserved.

Transcript

Debra Farber  0:00 
Hello, I am Debra J. Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy by design and default into the engineering function to prevent privacy harms to humans, and to prevent dystopia. Each week we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding edge of privacy research and emerging technologies, standards, business models, and ecosystems.

Debra Farber  0:27 
This week, we welcome Lorrie Cranor, Professor of Computer Science and Engineering & Public Policy at Carnegie Mellon University; Director of CMU's CyLab Usable Privacy and Security Laboratory; and Co-Director of CMU's Privacy Engineering Master's Program. In this episode, Lorrie explains how the next generation of privacy experts and engineers can work together to bring new architectures, innovations, and software to market. She describes the kind of hands-on work in which her students participate, including a capstone project sponsored by Meta that's exploring ways the platform can integrate more privacy education into its UI and UX. In addition, she shares her perspective on the job market for privacy engineers for recent grads and explains how CMU's Certificate Program in Privacy Engineering aims to meet the high demands for experienced privacy experts with knowledge of privacy engineering concepts. We also get into Lorrie's research on cookie banners and privacy nutrition labels for IoT devices. Enjoy the episode.

Debra Farber  1:37 
Today, I'm delighted to welcome my next guest, Lorrie Cranor, Professor at Carnegie Mellon University and Director of their CyLab Security and Privacy Institute. Welcome, Lorrie.

Lorrie Cranor  1:49 
Thank you.

Debra Farber  1:50 
It's such a pleasure to have you on. I've been looking forward to this interview with you for a while because I have so many questions about how you're seeing privacy engineering shaping up as a discipline, especially given that you educate the next generation of privacy engineers and are also seeing the market for hiring privacy engineers. I imagine at least that that's the case - that you're hearing from a lot of recruiters.

Lorrie Cranor  2:15 
Oh, yeah, definitely.

Debra Farber  2:17 
Awesome. So first, I'd love to hear your origin story before we dive in to the work you're doing today. I know you've worn so many hats throughout your career as an engineer, researcher, a founder, and now a professor. Can you share a little about how you became interested in this field in the first place, and why did you choose to focus on privacy engineering?

Lorrie Cranor  2:41 
Sure. So I was, in the 1990s, working on my doctoral degree in Engineering and Public Policy, and I was interested in Internet policy issues, and I had attended The Computers, Freedom, and Privacy Conference. There was all the stuff about privacy that was really interesting to me, and so I started kind of looking into privacy issues of the 1990s. And then after I graduated, I went to work for AT&T Labs doing research, and within a few weeks of arriving at AT&T Labs, one of my colleagues told me that the World Wide Web Consortium, the W3C, was going to start a standards effert on privacy, and he asked me if I would like to go to a meeting and check it out. And so I had no idea what this was about, but I went to the meeting in DC, and it was mostly lawyers and policy wonks and here I was a newly-minted engineer and everybody looked at me and the one other engineer in the room and they said, "Can you build us this privacy standard?" And I didn't know better, so I said, "Sure," and I figured this would be a fun project to work on for a few months or something. I ended up spending the next seven years working on P3P - The Platform for Privacy Preferences, and I learned a lot more about privacy in the process. I had the pleasure of working with a lot of privacy lawyers and privacy law professors who, who helped educate me quite a bit about privacy. And in the process of working on this technical standard, I realized that it wasn't going to be sufficient to just have behind the scenes things working. We needed to have a user interface so that the end user could actually make choices and control their privacy settings and I started looking into that and ended up on a project at AT&T to actually build a browser plugin for privacy.

Lorrie Cranor  4:57 
And then at some point, the telecom industry started going downhill, and I decided that it was no longer fun to be at an industry research lab at AT&T and I started looking for academic positions. And I ended up at CMU and there were a group of faculty there who were very interested in privacy research. And so, I had the pleasure of working with colleagues on privacy research, and I said, "I'd like to teach a course on privacy." and they said, "Great!" I started teaching on privacy and we were getting more and more interest from students and from companies who would reach out to us and say, "Do you have any privacy engineers we can hire?" And so we decided to actually start an academic program and a whole master's program in privacy engineering - and this was 10 years ago at CMU - and we had to figure out what that meant, but it's really taken off and here we are.

Debra Farber  6:01 
That's amazing. Since I've been following privacy, data protection, and even privacy, technology and engineering, as of late, for over 17 years now, you know, you've definitely been on the periphery of the work I've been doing where I'm like, "Wow, what is she innovating on now? So I'm just so you know, kind of in awe about how you've helped the industry shift left kind of faster, or not faster, but before so many others have. Right? Kind of talking about where does privacy and engineering meet? And I guess, my next question for you is, what's that been, like trying to define what what is privacy engineering? You know, if people asked you, okay, you've got a master's program, and we'll talk about the program itself later, you know, but they asked you, what is privacy engineering? What is the privacy engineer actually do?  How would you answer them today? And I guess the throw in there a little wrench - how is that different from 10 years ago?

Lorrie Cranor  7:03 
So I think it actually isn't a lot different today and 10 years ago because I think the answer is that there are a lot of different things that different privacy engineers do. And, you know, I don't think there's there's just one profile. You know, when we started the program, we went to the companies that said we'd like to hire privacy engineers, and we said to them, "Well, exactly what what do you think a privacy engineer is, and what skills should we be teaching them?" And we got all sorts of different answers and a lot of "Well, we're not really sure, but hopefully they know a lot about privacy and they can talk to engineers. Okay, well, that's a good starting point.

Lorrie Cranor  7:46 
So I think we see there are some privacy engineers who do a lot of software development, and they are building things and they're very technical. There are some that are reading a lot of other people's code, and they're looking for privacy issues. There are some that are just kind of consultants on privacy issues. And you know, teams within the company can reach out to them with our questions and to get help on things. There are some that are doing user interface work and usability for privacy. There are some that are that are working a lot with the lawyers in the company and trying to bring the technical expertise into what the lawyers are doing. There are some that are building privacy tools to deploy throughout the company. There's just so many different things that privacy engineers do.

Debra Farber  8:36 
And so how would you describe the difference between - let's say, I, myself, have no engineering background - no formal training in engineering, but I follow the tech and I feel like I can talk tech really well. So, I call myself a "Privacy Technologist" because I can do that, you know, translating of the requirements in all those different languages: lawyer speak, business process speak, engineering speak. I just am not doing Applied Engineering. I don't know where...I don't know if it's a separate category or whatnot, but you know, how does someone like myself work with privacy engineers in an organization? You know, where are these different touchpoints with other privacy expertise...because you know it's a team. We've got to move it forward from different aspects of the business. Do you have any perspective on that from like, within an organization, how different privacy experts are even different privacy engineers, how do they work together to bring the market new architectures, innovations, software?

Lorrie Cranor  9:39 
Yeah. Well, I think privacy engineers really need to be very collaborative because there are a lot of different types of people and roles that they need to work with, and I think we train our students to like know...they don't get law degrees, but they know enough about the law that they can talk to the lawyers and they have enough of an understanding of privacy law that, you know, they understand that and they can figure out where they're going to run into issues that they need to actually go call the lawyers and say, you know, "We're working on this. Here's the issue. Tell us what we need to know about legal compliance here." Right? So, I think a lot of it is just kind of being familiar enough with what other people are doing related to privacy that you know, when you need to reach out and connect with them and bring them on board for what you're trying to do.

Debra Farber  10:38 
That makes a lot of sense. I mean, it's all about collaboration, and I guess each company is going to be different too in how they work. So, it's just a matter of making sure you've got all the right expertise across the organization, I guess, at the table.

Lorrie Cranor  10:51 
Yeah.

Debra Farber  10:52 
So, I know CMU has had a Privacy Engineering Program for years and there are several different tracks as I understand it - a master's degree and maybe certificate program. What are those different tracks within The Privacy Engineering Program where students can enroll, and then what does like... what do good candidates for admission look like?

Lorrie Cranor  11:14 
Yeah, so we started out with a master's degree program, and that was a full-time in-person program in Pittsburgh, which students could do in either one year or in 16 months with a summer internship. Then we added a part-time option, which students can do remotely. We have a few students who are in that program right now. And the the length of that program is somewhat variable, I think. You could probably do it in as little as two years, but that's actually a lot of work. So, I'm expecting it will take a little bit longer. And then, we added last year our certificate program. The certificate program is for working professionals and they can do that program and for weekends, and that's also a remote program we do Saturday and Sunday on the East Coast - and ends up being in the afternoon, West Coast, I guess in the morning - but we actually have people all over the world. So, we have people who are calling in from Europe and Asia, and for that program, obviously you're not going to learn nearly as much as you can an entire, you know, master's program if you're just doing it in four weekends, but it gives them a good overview of the field. And so, for our master's programs, we need people who have some technical background, ideally a degree in computer science or something related; but we've actually had a number of students who don't have that sort of degree. They might have, you know, communications or political science degree or something, but have gotten a lot of on the job experience in technology and have taken a few community college or online courses in in programming. So, we've had some of those in our master's program. For the certificate program, you do not need to have a computer science degree, but some familiarity with computer science and technology is helpful.

Debra Farber  13:15 
So that actually brings me to the, you know, brings us to a great segue as to what do the students kind of work on while they're in the program. So whether it's the privacy engineering program or as part of CMU CyLab, if you could highlight for us some examples of projects that students have worked on, that would be awesome. I just kind of want to understand, you know, the type of work they're putting out.

Lorrie Cranor  13:42 
Yeah. So our students take a number of courses, which are project based; and so they they work in groups, and they get to really dive into a privacy-related project. And then, they do capstone projects at the end of the program with an actual sponsoring company. So, let me give you a few examples. So, I teach a class on usable privacy and security, and I had a project team in my class that looked at the names for cookie categories that are widely-used. And these these cookie categories, a lot of them come from the the consent management platforms, like OneTrust, and so there are terms like "functional cookies" and "performance cookies." And they wanted to see whether people actually understand what these mean, and if they could come up with better terms that would be more intuitive to people. And so, they generated a big list of alternative names for four different cookie types and then did a study with crowdworkers to see if they could improve upon the typical names for something that people would understand better. And they were actually able to make some progress; and after the end of the semester, they told me that they were interested in working on this more. So actually, this semester, they are doing an independent study project with me and continuing to work on this; and I'm hoping - they're almost done - I'm hoping that they'll actually have some recommendations for what would be better ways of talking about cookie categories. So that's one example.

Lorrie Cranor  15:28 
For a capstone project, I have a team working with me right now and their sponsor is Meta. And Meta told them that they were interested in how they can put more privacy education built-in to their platform and, you know, what form should it take? Where should it be? And so the students actually ended up creating a mock-up of a social media platform (they decided to kind of make up their own rather than using an existing one), and they came up with different places that you could put some very short privacy education that either informs - so they have some education about how ads are targeted on this this hypothetical platform - or that gives you instructions. So, they have information about if you want to control people seeing your location on this platform, what do you do to control it? And they came up with different places that that could be on the platform and then they did a study with crowdworkers to see how easy it was for people to find the information, how much of it they actually understood, and so they're working on coming up with their recommendations right now.

Debra Farber  16:45 
That's pretty cool. So, in that last example, was it more about like visual cues around each of these that's embedded in the design that or was it actually about notice - you know like where you're putting text?

Lorrie Cranor  17:02 
Yeah, so it was it was actually both. So one issue is the location. So, do you do just put, you know if you have information about ads, do you put a button in the corner of the ad to like learn more? Or do you make a something that looks like a story in the newsfeed that's about how ads are targeted, right? Or do you just make people go to the help page or the settings page to learn this information? But they also looked at however it is, wherever you put it, then should the information be in the form of text or an infographic or a short video? So they've experimented with all these things, and unfortunately, I don't know the answer yet, because they're still analyzing the data.

Debra Farber  17:49 
That was gonna be my question. Yeah. That makes sense. Okay. And so, you know, how does the work of the Privacy Engineering Program... do they work directly with the CMU CyLab? Are they separate initiatives? Do they overlap?

Lorrie Cranor  18:06 
Yeah, so CMU CyLab - it's our Security Privacy Institute. It's a university-wide institute and we're kind of an umbrella over all things security and privacy at CMU. So, all of our security and privacy related programs fall under CyLab, but the students and faculty are in...they have a home department. So the privacy engineering students are in the Software and Societal Systems Department, but they're also affiliated with CyLab.

Debra Farber  18:38 
So, what would you recommend if you were talking to business leaders and they asked, you know, "What are the tenets of privacy engineering? What are you teaching your students today?" And I know, I'm not asking you to right now to kind of go through your entire, you know, coursework, but you know, if you had to sum it up, are you following kind of more NIST kind of viewpoint on how they see privacy engineering? Do you have a, you know, different framework? What are the tenets of, or the aims of privacy engineering outcomes?

Lorrie Cranor  19:10 
Yeah, so in our program, we want to give people a pretty broad view of privacy engineering, and make them aware of different frameworks, but not say, you know, we're teaching you the NIST framework and that's what you have to follow. So, we start their first semester, they get some background in security, some background in law, privacy policy, and every semester we have a seminar where we're bringing in guest speakers, and so they're getting, you know, kind of whatever interesting things are going on.

Lorrie Cranor  19:46 
And then in their second semester, they get my Usable Privacy and Security course. So they get some of that usability work so they understand how to do user studies, but actually, more importantly, how to ask questions about usability and work with usability professionals. And then they have a course that we call Engineering, Privacy and Software and that is looking at software engineering approaches to privacy engineering.

Lorrie Cranor  20:15 
Oh, and I left out the first semester, they also have what we called Foundations of Privacy, and that's our privacy algorithms course. That's where they're learning about differential privacy and things like that. And then they have optionally an internship, and then they do their capstone project. So those are kind of the areas that they also can take electives and choose what electives makes sense to them. So you know, along the way, yeah, they hear about different frameworks. They hear about laws in different countries. They hear about different technology and algorithms and tools and things like that, but, you know, we don't have a course on a specific framework or specific tool, but these things keep coming up.

Debra Farber  21:00 
Very cool. So I know, well, I know from you being connected to me on social media that you just want to an award. Can you mention what that is? I know it was from CMU.

Lorrie Cranor  21:12 
Yeah. Yeah. I won our Distinguished Professor of Engineering Award.

Debra Farber  21:16 
That's so awesome. Congratulations. I think that's amazing. And I know you've been doing some great work there for years and years.

Lorrie Cranor  21:24 
Thank you.

Debra Farber  21:25 
I'd love to hear a little bit about your own research and privacy. I know you've been working on cookie banners and privacy and security nutritional labels for IoT devices. Can you tell us a little bit about that?

Lorrie Cranor  21:39 
Sure. So on cookie banners, we've been looking at how to make them less terrible. I'm not sure it's even possible to make them good, yeah. Not only like...even if they're beautiful, nobody wants to have to interact with them that often.

Debra Farber  21:56 
It's so true.

Lorrie Cranor  21:59 
But we've definitely seen that they go from bad to worse. So we've been doing studies where we set up a fake e-commerce website, and we recruit crowd workers to come to our website, and we tell them, you have to check out our new website, put something in your shopping cart, and then we're going to ask you some questions. And along the way, they of course, encounter a cookie banner. And so we'll do the study where we'll we'll have like 14 different versions of the cookie banner that they randomly get one of them. And what we're interested in is what did they click on in the back? Or how do they interact with it? Or did they scroll past it and not interact with it? And then after they've done that, we asked them questions about it, and we want to see like, do they understand what they consented to at all? What do they understand about this? And so by doing this series of studies, we've we've actually gained a lot of insights about how people will behave with respect to cookie banners and some things that that could improve them. So that's one area.

Lorrie Cranor  23:07 
And then on the nutrition labels - so we've been working on nutrition labels here for over a decade. So, I remember back in the 1990s, when the Federal Trade Commission first started looking at privacy policies, and privacy advocates told them, you know, "These things are too long and no one will read them," and there were actually people at the FTC who said, "Well, we should make them like nutrition labels, and then they'd be short and people could read them." And you had these these government people who knew nothing about design who were just saying, "Make them like nutrition labels," but they didn't know what that meant. So we started looking at okay, well, what would a privacy nutrition label look like for a website? And we, we did iterative studies with design and user testing and came up with some ideas; and then we looked at that for mobile apps, and we came up with some ideas and wrote some papers about it. But the app stores did nothing for years and years. And then a couple of years ago, both Apple and Google started actually implementing privacy nutrition labels in their app stores and they didn't look anything like the ones that we had designed, but the idea was there. And so recently, we've started testing those to see what users understand about them, and unfortunately, we found a ton of problems with them. And so we're doing more work to try to figure out how to make them better.

Lorrie Cranor  24:43 
We've also looked at nutrition labels for IoT devices, looking at both the privacy and the security of IoT devices, and we have a proposal for that. And again, you know, we wrote the academic papers, but the industry didn't do anything with it. But, very recently, there's been a push starting at the White House to have these labels, and NIST has been looking at it. And my colleague actually went to the White House a few weeks ago, they had a summit, and they are looking at designing IoT security and privacy labels. And we've put our proposal out there as as kind of, you know, a starting point to look at.

Debra Farber  25:32 
Can you tell us a little bit about that? For instance, so I'm wondering, you know, what were some of the problems with the nutritional labels to begin with? And then when applied to IoT devices? Like, it's hard. There's only a small interface, if any, right? For most IoT, what is the proposed solution for being able to provide notice?

Lorrie Cranor  25:51 
Yeah, so for the IoT devices, we're not looking at something on the device itself. This is for at the time of purchase.

Debra Farber  25:59 
Oh, got it. Okay.

Lorrie Cranor  26:00 
So, it can be on the box. It can be on the website that you go to make the purchase. So, that's basically...this addresses the problem of, "I want to bring this thing into my home and I don't want it spying on me. I want to know whether my thermostat has a microphone in it," - all that kind of stuff.

Debra Farber  26:17 
That makes sense. So that reminds me of the work being done at the Privacy and Security Lab at Consumer Reports since they put out so much around, you know, how can you understand one business...company's business practices versus another and how do you do that, and so they come out with their Consumer Reports with their testing and all of that, and they have their Privacy and Security Lab, too, to test for that. Just curious, are you working at all with other labs or other organizations outside CMU to test the market on some of these things. You know, how does the...or does the research more inform public policy directly? Like CMU is, for instance, going to the White House to share the great research you've done.

Lorrie Cranor  27:05 
Yeah, so both. We actually have been working with Consumer Reports. We've been talking with them about our IoT label for a couple of years now, and one of my students who's graduated is now working for them as a consultant on on some of that work.

Debra Farber  27:25 
Oh, that's great!

Lorrie Cranor  27:26 
Yeah, yeah. And we've been partnering with them as we've been pushing our label design. We've been working with them on that. So that's exciting. We've recently also started working with some of the industry associations that are now involved with trying to come up with standards that meet the guidelines that NIST has been pushing out with the White House. So, we're hoping to get more involved with some of these industry groups as well.

Debra Farber  27:57 
Excellent. And the more heads to put together, the more traction we get in the market, the better I think it is for everyone. That's awesome. It's great to hear. So, you know, anecdotally, you know, I'm seeing as someone who just is passionate about privacy tech and privacy engineering, shifting left in organizations, you know, privacy innovation. Recently, I went ahead on LinkedIn and looked up, you know, who was a privacy engineer I'm not connected to because every now and then I want to expand my network and find people outside my network to, you know, follow and learn from. And so, recently, in planning to bring this podcast show to life, I knew I wanted to build, you know, an audience that included privacy engineers and so I did that I started looking for people outside my network that I could...that would be either great speakers or great just to learn from and share their research through this podcast. And I was shocked to see that even in the past three to four months, there's been an explosion of the number of people who brand themselves as a privacy engineer in their LinkedIn headings, you know. And, I'm just curious if you are seeing any data to reflect this, this anecdotal experience of mine, you know. What does the market look like for hiring for privacy engineers? What are you seeing and your unique position as a professor?

Lorrie Cranor  29:22 
Yeah. So I also have mostly anecdotes here. I'm definitely seeing an increase in the number of companies that are reaching out to me and asking me to distribute job posts to my students. I think that that used to happen a couple of times a year, and now I feel like every week or two I have a company reaching out to me. So that's definitely happening more and more. Although, I must say one of the things that I've also seen is that these companies say that they're looking for an experience to privacy engineer, and there still aren't a lot of actually experienced privacy engineers at this point, you know. And so I say, "Well, I can send it to my students." And they're like, "Well, do they have work experience? Can't you send it to your alumni? And I say, "Well, I could send it to my alumni, but they're all happily employed right now. So maybe you might consider some of these fresh graduates who are well-trained in privacy engineering, but they don't yet have work experience. I mean, some of them do, we do have some of our students who've come after working and they want, you know, a career change to privacy engineering. So they do have some. But a lot of our privacy engineering students don't have much, if any, work experience, and I think that they they do find roles and they're excellent at what they do, but there's some companies that are missing out on hiring them because they're insisting on people with work experience.

Debra Farber  30:55 
Yeah, and I think I think we're seeing the effect of just taking so long to shift left, you know, within organizations where the focus was on, for too long, the main focus has been on Legal  and GRC - governance, risk and compliance - where, you know, I've worked myself. Right? And in my own effort to shift left, and I don't want to say failing, but it takes just being too slow or, you know, having to just over and over make the business case for "No, you need to set up like a privacy engineering team and a privacy by design program" and, you know, like, that was kind of like, you know, met with a lot of dead stares - "But why? You know, are our competitors aren't doing this." Right? Yeah, but there are laws and how are you going to embed this into your business if you're not actually, you know, embedding it into your business And so, now all of a sudden when it's like, oh, wait, you know, Google's got hundreds of privacy engineers and Meta is hiring privacy engineers now in droves, and large established companies like Intel and Microsoft, you know, they've got privacy engineers. All of a sudden, some of these businesses have looked around, you know, see the cookie apocalypse going on in Silicon Valley, I think they're going, "Crap. We need some executive level engineer in here to set the work...and this is what my assumption is, right, based on what I've seen working in companies. And now you're like, "Yeah, but where are you pulling them from, right? You've not wanted to hire for so long that now you're bringing in...Where is the season privacy engineer that has all this great experience? I mean, there's only maybe like a few handfuls of people that I can identify that I'd recommend that have had years and years of deep privacy engineering experience. And they've...they figured it out as they've gone along, right?

Lorrie Cranor  32:43 
Exactly, yeah.

Debra Farber  32:45 
So it is a challenge for sure, and I wonder, you know, what are your thoughts on how can we bridge that gap? Because there's this greater and greater need in industry? And there are people I think who are really interested, right? I'd love to hear from you about, you know, are you seeing a lot more applicants to the privacy engineering programs. But, you know, how do we meet that need, right? It's been a problem for security as well, and I think it's going to be even tougher for privacy engineering since it's even a little more niche.

Lorrie Cranor  33:17 
Yeah, yeah. Well, we are seeing more applicants to our programs. And part of the reason that we introduced the Certificate Program was we heard from people who said, "I really need some privacy engineering background, but I can't take a year and a half off from my job and move to Pittsburgh to get a master's degree. Can I get, you know, something quickly?"

Debra Farber  33:39 
Yeah.

Lorrie Cranor  33:40 
So, thus our certificate program. And I think there are some other programs like that other organizations are offering as well. And, so I think we're gonna see a lot of that pop up. I think people are going to, you know, the IAPP and, you know, attending their events and doing some of their certifications in the hope of getting some of that knowledge. You know, my experience is that the IAPP is a lot better on legal stuff and legal compliance and not not that deep on the privacy engineering aspect, but they're growing in that area. We also...I was involved in starting a conference called PEPR - Privacy Engineering Practice & Respect - which is a conference specifically for privacy engineers that's not a research paper conference. It's all talks and panels about experience in privacy engineering; and that's also something that we've seen attracts both current privacy engineers, but also the up-and-coming who, like, "Let me go spend two days immersing myself in privacy engineering and learn something."

Debra Farber  34:54 
Yeah, I think that is really one of the few forums to bring all those who feel they're in the field of privacy engineering together. Like, I can imagine that being really valuable to your students to be able to meet with the practitioners in the field, and some of the people like yourself and Leah Kisner, who are defining the space. So, you know, that's...I know that's a really valuable conference, and I urge anybody listening to make sure they attend that this year. In fact, when is the next one? What month in 2023?

Lorrie Cranor  35:27 
I don't know if they've set the date yet, but it will be sometime next summer.

Debra Farber  35:32 
Okay. So it's a good summer conference to plan for. It takes place in San Francisco, correct?

Lorrie Cranor  35:40 
That's where we've been the past few years, and I think that's where it will be, but I'm waiting to hear from USENIX exactly where and when we will be?

Debra Farber  35:52 
Excellent, excellent. Then I feel like it makes sense to say the sister conference, so to speak, is - oh gosh, what's the security one - Enigma. And I believe that just happened, right? The Enigma conference was recently happened, but it was really more around security.

Lorrie Cranor  36:11 
Yeah - Enigma focuses on security. Yeah, right. That's also a USENIX conference.

Debra Farber  36:16 
Indeed. And I know that one. I've been to that one, and I've also gained a lot of knowledge there, and surprisingly, a lot of privacy overlap. I mean, much more of a focus on security, but there's some usable privacy that is discussed there as well.

Lorrie Cranor  36:29 
Yeah, yeah. In fact, I have spoken there about privacy. So yeah.

Debra Farber  36:33 
Well there you go. You know, I also have a question about your students and what's driving them. Are there specific topics that, you know, some of them have come to the program to really explore over others, or they're just, you know...for instance, I know if you're a data science or data science-minded person who was really interested in interested in privacy you might want to dive deeply into differential privacy. So that as an example, like, you know, that's more of a data science mindset. But are there some other other areas where you're just seeing a lot of interest? Maybe it's a privacy enhancing technology? Maybe it's a particular business, you know, vertical?

Lorrie Cranor  37:14 
Yeah, I think it's kind of all over the map. Yeah, people come to our program with all sorts of different backgrounds and all sorts of different things they're interested in. I guess, right now there's a trend towards interest in AI and machine learning. You know, it's one of the hot topics right now and so, people are interested in the privacy and fairness issues related to AI and ML. So, we definitely see some of that we also see people who are very interested in personal privacy and privacy enhancing technologies. You know, we have some kind of very civil liberties minded students. Then we have students who want to work for a big company, and they, you know, they like the idea of working for a Google or a Meta, but they're somewhat uncomfortable with some of the way, you know, those companies use data and they were like, I want to be a part of the team that's helping them do the right thing on privacy. So all sorts of motivations.

Debra Farber  38:17 
That's pretty cool, and it's good to hear that there are it is kind of all over the board, I guess. I just wanted to understand the trends, but it is good that they're not just like all-in on one area and then no love or attention given to some of the other important areas. And, you know, I think that's also a great aspect of the program is that it is bringing together so many different backgrounds, multistakeholder so-to-speak. You get a lot of perspectives from different lives lived and expertise brought to the table.

Debra Farber  38:50 
You mentioned a few companies, and I did as well, but you know, are there any particular companies or categories of companies like, I don't know, "Silicon Valley companies" could be a category, that are hiring privacy engineers? Are there other categories of companies that maybe should think about it but haven't really woken up to their need to be hiring people with this expertise?

Lorrie Cranor  39:15 
Yeah. So, I think the Silicon Valley companies are have hired the the largest fraction of our students, either directly or after a few years when they're ready to switch to a different company. They switch and I think there's a significant fraction of our graduates who work for Google at this point. But, we also are starting to see more students going into the financial industry, and like everywhere else. Like we've had students hired by the privacy engineering team at Nike. And at first year, like why why would a footwear company be hiring privacy engineers, but besides, you know, they have data so they need privacy, they also have wearables and privacy issues, right? So there are all sorts of companies out there that have need for privacy engineers, and I think more and more they're recognizing that.

Debra Farber  40:15 
Yeah, and Nike, where I'm in the Portland area myself, and so Nike's based here, and I can tell you they also bought a Metaverse company. So there's definitely a lot of data collected about individuals there, and yeah, absolutely a great point. There's a lot of wearables and I think we're gonna see that across like retail. I think we're gonna see a lot more wearables and need for all of a sudden retailers have not necessarily had the same need for privacy engineering or technologists, but all of a sudden, you know, they're thrusting themselves into the metaverse and, you know, or not just advertising in it with their products, but you know, actually creating a VR experience or even, you know, AR, then they're going to need people who understand kind of the nuances here. So, you're right. I mean, even your companies like Nike are actually much more data organizations, than they first appear. That's pretty cool. So, is there anything you'd like to leave our listeners with? Any words of wisdom or is there anything CMU is doing that you want to, you know, plug? Or any conferences coming up?

Lorrie Cranor  41:28 
Um, well, let's see. We've covered a lot, and you know, if anybody's thinking about a master's degree in privacy engineering or certificate, check out our website, which is privacy.cs.cmu.edu.

Debra Farber  41:44 
Oh, that's right. I just saw on LinkedIn just before our goal that you are doing a call for applicants because the the applications are due to was it December...

Lorrie Cranor  41:53 
December 12th for our full-time Master's Programs. The other programs, they're longer deadlines. But yeah, so we're in our final push right now to get students to apply for our full time master's program. And we also, you know, if you're interested in any of the research that I talked about, we have most of these publications on my lab website that you can check out at cups.cs.cmu.edu.

Debra Farber  42:22 
Well, thank you. I really appreciate you joining us today to educate us on, you know, what's going on at CMU and all the great work you're doing in privacy engineering. And I want to thank the audience for joining us today. Until next Tuesday, everyone, we'll be back with interesting content and with another great guest.

Debra Farber  42:44 
Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website, shiftingprivacyleft.com, where you can subscribe to updates so you'll never miss a show. While you're at it, if you found this episode valuable, go ahead and share it with a friend. And, if you're an engineer who cares passionately about privacy, check out Privado - the developer-friendly privacy platform and sponsor of the show. To learn more, go to privado.ai. Be sure to tune in next Tuesday for a new episode. Bye for now.