Reklaim Ltd. (MYID.V) Earnings Call Transcript & Summary

Welcome, everybody. Thanks for coming to the latest installment of the Killi webinar series. I'm Neil Sweeney, the Founder of Killi. If you're not familiar with Killi, we're an organization that is trying to democratize data for consumers by providing them with access and ultimately, compensation for their data. In today's webinar, we brought some of the leading thinkers as it relates to privacy really in the world. We're really excited about some of the debates that we're going to have here. So with that in mind, I'll introduce our panelists, starting with Dr. Ann Cavoukian, who we were joking about offline that she is the OG of privacy. Ann is recognized as literally one of the world's leading privacy experts. She is presently the Distinguished Expert-in-Residence leading the Privacy by Design Centre of Excellence and is also a Senior Fellow of the Ted Rogers Leadership Centre at Ryerson University. If you're not familiar with Ann, you should be, she used to sit on the Board of Sidewalk Labs, but most importantly is that she is the Founder of Privacy by Design. Privacy by Design was is pretty much implemented into every major privacy legislation around the world. I think it's been translated into 40 countries, and it's been now around for 20 years. So everything that we are building on today as entrepreneurs is really has a lot of -- we owe a lot to Ann in her work there. So thanks, Ann, for joining.

My pleasure.

Secondly, I'd like to introduce Enoch Liang. So Enoch is California-based lawyer and entrepreneur. So some of his -- some of the things that he's founded is that he was the Founder of LTL Attorneys. And then he was also the Founder of an artificial software company called LegalMation. Enoch is the CEO of The Data Dividend Project. If you're not familiar with The Data Dividend Project, again, you should be, it is the leading organization in the United States that is moving towards being a nonprofit. It might already be. Enoch, you can correct me if I'm wrong on there. The intention there is, again, to give access and rights to consumers, specifically around this notion of compensating for their data. Founded in 2020, Enoch was probably [ a friend of Yang ] at Yale Law School and together, they formed this company. So thanks, Enoch, for joining. Last but not least, Mark Mao. Thanks, Mark, for joining. Mark is the current Practice Chair of Intellectual Property at Boies Schiller Flexner, a litigation firm known for its efforts in such high-profile cases such as the USA versus Microsoft, and a number of individual actions specifically as it relates to Google, including the Google Publisher Antitrust Litigation. Prior to BSF, Mark founded and shared the data privacy practice at the national firm of Troutman Pepper. Mark is one of the country's better known scholars in data privacy law and is respected on both sides of the plaintiff and defense bar. He currently leads the privacy class actions against Google in Brown versus Google, which is litigation on private mode and Rodriguez versus Google, which is litigation on turning off Google's Web & App Activity. In addition to the firm's antitrust efforts against Google, he's a graduate of UC Berkeley Law School.

Okay. So now that we've gotten through the introductions, I wanted to start with Ann. And specifically dive into Privacy by Design. So I'm not sure if everybody is familiar with Privacy by Design. So if there's one thing that I want everybody to make sure that they get when they come in and out of this webinar is what is Privacy by Design. Let's talk kind of briefly about what those principles are. And it'd be interesting to know how it started and how it's evolved over the last 15 to 20 years.

Thank you, Neil. My pleasure. Privacy by Design was something I created when I was first appointed Privacy Commissioner of Ontario, Canada in the late '90s. And the reason I came up with this, you see, I'm not a lawyer, I'm a psychologist. So when I became Privacy Commissioner, I went to the office, they're all lawyers who rely on regulatory compliance after the fact. Once there's been a privacy infraction or a data breach, then you apply the law, get an appropriate remedy. And that's very valuable. There's no question. But I wanted -- I didn't want just that. I wanted a model of prevention. Just like a medical model of prevention. You can prevent the privacy homes from arising, not just address them after the fact. So literally at my kitchen table over 3 nights, I created a Privacy By Design and the 7 foundational principles. And then I went to the office and I tried to sell it to my lawyers, took a little while, but then it took off. And you see it's all about how do you prevent privacy infractions from arising. You don't want your data floating around. You don't want data breaches. You don't want these incursions into your privacy. If you can prevent them, that's what's ideal. So I came up with these 7 foundational principles. And I won't go through all of them because we don't have enough time, but let me focus on -- the first one, obviously, is be proactive, try to prevent the harms from arising. I'm going to focus on the second principle, privacy as the default setting. This is huge. This is the game changer. Because what it does is it saves the people, citizens, consumers. It says, look, you don't have to search through all the terms of service and all the legalities in the privacy policy to find the clause that says do not reach my privacy, I want privacy protection. And the thing is in this day and age, nobody has time to wait through everything to find the do not box. And so what I wanted to give them was privacy as a default pivot, which is automatic. It says to people, you don't have to search for privacy, we give it to you automatically. It's the default setting. We are only permitted to use your personal information for the primary purpose intended in the data collection that you consent it to. Beyond that, we're not allowed to use your information. And if down the road, a secondary use arises that would like to use your personal information for, we come back to you and seek your additional positive consent. This is a game changer. Builds trust like no other. And right now, there is such a trust deficit I can't tell you. So this is the game changer. And companies that have become certified for Privacy By Design is that it builds trust like no other, builds trusted business relationships. So that's an essential part of Privacy by Design. I'll just skip through a few of the others. One of the clauses basically is get rid of the dated zero-sum model of either/or win/lose. That's the prevailing view now. You're going to have privacy versus security or privacy versus data utility. And it's never privacy that wins in that and normally suggesting it should be that I assure that I'm not going to let it lose out. So I said, get rid of the versus. It can't be either/or, have a positive sum model, privacy and security, privacy and data utility. This is critical. This builds lasting relationships. And it strengthens your offering in a dramatic way. So it's absolutely critical. But I also want to be clear, security is essential. You can't have a strong foundation of privacy without a strong foundation of security, end-to-end full life cycle protection. While the terms privacy subsumes a much broader set of protections and security alone, in this day and age with daily hacking and social media abounding, if you don't have a solid foundation of security, full life cycle production, you're not going to have any privacy. And a right of access to one's information. I always tell those governments and companies, look, you may have custody and control over someone's information, it doesn't belong to you. It belongs to the individual, to the data subject. So give them a right of access to their information. And then companies that do this have told me, they love it because it increases the quality of their information. They say, "look, we've got information on thousands, hundreds of thousands of people. We don't know what's right, what's wrong." The individual does, you give them access to their own information, and they say, "no, no, no, that applied 2 years ago." That's no longer the case. Here's the correct information. It enhances the quality of the entire offering. So that's just a few of the essentials to Privacy By Design, but it's all about being proactive, embedding the much-needed protection into your offering, bake it into the code, make it an essential part of your operation, and you will have a much better privacy and security data utility. You'll have it all.

It's interesting because I think that, that one comment about it's not an either/or, you need both. And it's not just sacrificing one. And we often hear that, that it's -- you're sacrificing privacy for utility and that, that's absolutely bang on. I did -- when I look at Privacy By Design, the components that ring true to me are this notion around their -- what's ingraining in is this notion of respect and transparency. And I think I suspect that with Enoch and the creation of the Data Dividend Project, I believe that, that is an organization that accepts all the things that you're saying and subscribe to this notion of transparency and respect. So with that, Enoch, maybe taking from where Ann left off, it would be interesting to know how those things kind of found their way into the origin story of the Data Dividend Project and how it's come to be what it is today.

Well, Dr. Cavoukian, I couldn't agree more with what you're saying with your Privacy by Design principles, and thank you so much for your thought leadership from 20 years ago on these issues. Because I think they're just starting to be adopted on a mass basis in the United States. I would say that your Privacy by Design principles, I think, were very much incorporated in the GDPR in Europe. And they're starting to be incorporated with the CCPA and Prop 24 in California. And now you're seeing it has spread across other states like Virginia, which recently passed the bill. We have Florida and New York on the way. I will say that the entire principle of the government coming in after the fact and cleaning up the mess is very much a U.S. legal construct. And it sounds like it was a Canadian construct as well. And I'm so happy that, that a non-lawyer came in and said, No, no, no, you guys are looking at this all wrong, let's do the medical model prevention in the first place because by the time the mess happens, by the time the data breach happens, the cat is already out of the bag, and you can't put it back in. And your idea of the medical model of prevention, I think, is so important. And I think it's one thing that really distinguishes Europe and Canada from the United States. Because I think essentially what you're saying with privacy as the default setting is that you have to opt in to get targeted ads. You have to opt in for your data to be shared beyond the primary purpose for which you gave it, right? The United States model is unfortunately still an opt-out model. And so I think having an opt-out model is better than nothing, of course. But having an opt-in model will be way better. And I think you're seeing that now with Apple with App Tracking Transparency on iOS 14.5, where it's basically an opt-in for consent purposes to be tracked. But that's because Apple has the market power and the ability to do that. And a lot of what you're talking about, I think, is what Tim Cook has been talking about for the last couple of years to distinguish themselves from the Googles and Facebooks of the world. But from a legal perspective in the United States, I think an opt-in regime, privacy as the default setting is still going to be very hard, which is why you see the CCPA, the CPRA, Virginia, most of the bills being debated in New York and Florida, they're still opt out. And that's because of a [ core ] of United States first amendment model, which we don't have to get into here. But that, I think, is what led to kind of the rise of The Data Dividend Project. And that was a very long introduction into the origin story. But the origin story, I think, of DDP is this. I went to law school with Andrew Yang, actually at Columbia, not Yale, even though I'm sure Andrew and I would have preferred to go to Yale. But I went to law school with Andrew 20-plus years ago. And when Andrew Yang was on the debate stage, I think he was on 7 or 8 debates during the Democratic presidential primary. At every single debate, he made a point of saying, look, data is the new oil, you're giving it away for free. Big tech is abusing your data left and right. There's data breaches all the time. Nobody reads the terms of service. There needs to be a change. And so when Andrew dropped out of the presidential race, I think, in January of 2020, I reached out to him and said, "Hey, the positions that you were taking on the debate stage really resonated with me with respect to data and data abuses. So why don't we start an organization that can put some of those principles into action. And so Andrew said, I love it, let's do it. And that's what led to the launch of The Data Dividend Project in June of 2020. And The Data Dividend Project really builds on the authorized agent provisions of the CCPA. So not only do you have this bundle of rights as a California consumer when it comes to your data, such as the right to access, the right to delete, the right to opt out of sale and soon to come the right to opt out of sharing of your data, but you can also designate an authorized agent to exercise those rights on your behalf, right? And everybody is busy, nobody has time to go and read the terms of service and opt out of the 400 or 500 or 600 data brokers that are registered with the state of California, like there needs to be an organization that can do that on your behalf, and that needs to be a trusted organization, like you said Dr. Cavoukian with a trust deficit out there. And so that's what led to the rise of DDP. And so as an authorized agent for California consumers and hopefully nationwide consumers, once those laws are passed. I think GDP focuses on 3 areas: the past, the present and the future. So the past would be past abuses or data beaches when it comes to your data. And what DDP does there is it tries to get the word out and help its members sign up for the numerous class action settlements that are out there. Lawyers in the United States have done a decent job of pursuing in-class actions, those companies that are abusing or failed to protect your data. So for example, the Yahoo! data settlement breach was $100 million. The Facebook biometric privacy lawsuit in Illinois was $650 million. And the claims rate historically on those class action settlements is in the single digits, which means most Americans don't know. And even if they know, they don't bother filing a claim. So DDP wants to help get the word out about those class action settlements so that people can get compensation for passive uses of their data. When it comes to the present, presently, these companies are collecting your data and putting it to all kinds of uses that you didn't agree -- that you may have agreed to in the terms of service that you don't really know about. And so the idea is when it comes to present use of your data, DDP as your authorized agent will help you opt out of the sale and sharing of your data. And DDP isn't the only organization that's doing this. I know the consumer reports which is a venerable, long-time institution in the United States has -- is also testing the opt-out provisions for authorized agents under the CCPA. And so DDP is about to launch a mass opt-out campaign for its members to the data brokers registered with the State of California to help them opt out of the sale and sharing of their data. And then when it comes to the future, I think the future use severe data, I think DDP has probably 3 ideas in mind. The first is supporting and helping promote the ecosystem of Privacy by Design companies that are springing up everywhere, thanks to your thought leadership, Dr. Cavoukian. The second would be helping to lobby the passage of similar loss to the CCPA in other states beyond just California and Virginia and hopefully a federal law as well, now that the administration has changed. And then I think the third area is for those DDP members that want to receive a data dividend to help them with licensing negotiations as a data union so that they can receive compensation for the use and processing of their data. So that's kind of the past, present, future vision of DDP.

With -- Enoch, with the creation of The Data Dividend Project in 2020 same time as CCPA came in, we've now had an evolution of CCPA, the Prop 24. And in some of those conversations around that, there has been this debate around the notion of data being viewed as property. And I know, Mark, this brings home for you because it's been pretty foundational to a lot of the arguments that you've been making. What I find quite intriguing is knowing that property is written into the Constitution. What's the downstream -- what's the debate on whether or not data is viewed as property? And what's the downstream impact if it is recognized as property for anybody who is actually using that data today?

So let me just clarify for the record that although we are one of the team has been pushing this, I can't really take credit for the person that's really successfully made this argument first. And I would actually credit that to my friend, David Straite, who is on the Calhoun versus Google case. And they actually made that argument in the Ninth Circuit in California on the IMRI Facebook Internet tracking case earlier on in 2020. And although in that case, that case also referred to a California Superior Court or a state court case, which the higher court believed had established and founded that data had property right origins even before the CCPA, before the CPRA and really in common law in California, right? So let me just talk about those cases like for a moment because they definitely tie in to what Ann and Enoch were talking about. So the current flurry of cases that you have against Google have to do with the various type of controls in which Google has offered to consumers to supposedly collect or supposedly control data collection. And then you can read within the lawsuits as to what the plaintiffs are alleging that Google actually, in fact, actually does with that data. So in the 2 cases that I have, one is Brown versus Google, which is better known as the private mode case. The allegations there are basically that Google has made various representations regarding what it collects or what it does not collect when somebody is using either the private browsing mode on a non-chrome browser or using the Incognito mode in the Chrome or Android environment. And there are causes action there for wiretapping for violations of common law rights and also violations of essentially property rights, especially as they relate to the type of behavior, which is spoken there. And then we filed another action called Rodriguez versus Google, which relates to Google's controls and my account under a button called Web & App Activity. And whether or not Google continues to collect data when that button is turned off, right? Those of you who are familiar with the Google ecosystem, in the Android ecosystem, may know that whether an app activity is something that's offered both on an account level and also at the device level, right, especially for Android, and also various types of third-party ecosystems. And then you have Calhoun versus Google, which is where David Straite case sits and that has to do with Google's controls for the sync functionality. You may have seen that pop up, if you're an Android user. The case alleges that the breaches, whether or not Google syncs data anyways, even irregardless of whether or not you hit the sync button. And then there are a couple of other cases in which teams -- teams in which we've been working on against Google have filed such as the Hewlett versus Google case, which is the most recent one. That one is one in which you should pay attention to because that case is expressly about whether or not Google actually sells data regardless of whether you want to define on the CCPA in terms of its promises to consumers and users just when you buy a Google product or just generally on the Internet. There's also the antitrust cases filed by the regulators, which have some touch on all of this, but this relates exactly back to this idea that there are property rights definitely embroiled within the whole discussion over consumer controls. But I think debating this, there are some issues in which you kind of see the drafters of the CCPA kind of like get into and basically try to avoid, which is that there is the [ sector ] out there, which the defense bar has been talking about a while, which is at what point does the property right stop, right? And the reason why that is an issue for debate, in my personal academic opinion as a long-time scholar and author in privacy law is that, I would say that the U.S. as ideas on privacy is fairly unique as compared to other countries because we are kind of one of the first pioneers of the data sciences. And as a result of that, you had the days of MySpace, very early Facebook, Yahoo!, where the tech companies were really kind of like these early walled gardens where they said anything on our servers, our property, which started with your data, right? Because we were all still trying to figure out what the Internet was going to look like for us. And as that debate evolved as some of the other countries sort of coming in, they looked at this model and just thought that it was a law broken because why is it it's either the company's property, right, and I have no rights at all or it is mine to give up. And then as soon as I use any services, right, like I have to immediately give up all that -- all those rights. So you start seeing the Europeans, the South Americans and then eventually the Asians all kind of like jump in and say, well, like some part of this is either violated my fundamental rights, which is more the European dialogue, right? Or the Asian dialogue, which is as well, there is some national interest here, which needs to be staked out and carved out. And all -- as all of this started coming in, it also affected our policy. Not only internationally, but also domestically, where the literature now is people are looking at law with GDPR and saying, well, some of that really makes sense, especially the property right provisions. Why aren't we enshrining that? So you're having this pivot from major tech companies of moving from data as a contractual right to looking at the Europeans and saying, data as a fundamental right. And then we're trying to bridge some of that with the traditional concepts of law and property in the U.S. by talking about data as a property. And that's kind of how I would describe that. But when you're looking at the more recent opinion, such as the cases you were talking about, Neil, you can definitely see that the courts in California are saying, well, a lot of these rights. You can't say like they're new or they're only because of the CCPA, California Constitution, for example, has a right of privacy. And we believe that there are property rights and aspects of that for consumers and, therefore, that should be protected as property right?

So Mark, with that -- and don't get this wrong, so you can correct me if I do. Does -- is there an affiliation or a correlation between the notion of data being deemed property and data meeting compensation?

Yes. So that's a very interesting question because I would say between the age in which like it was clear at least from the perspective of the early tech pioneers like, oh, like anything in our server is our property versus -- that today, where we have a very strong and robust European view that data is a property right. I think, I would say in the last 7 or 8 years, what you're seeing in the U.S. law was this emergence of an attempt to create a licensing model for data. And what I mean by that is that if you were looking at some of like the early ERP and various type of like cloud systems like contracts, you see in there the licensor and the licensee, i.e., like the big data companies that were providing like B2B services like the Oracle, the Salesforce, by dealing with the smaller licensees or just basically their partners and customers and trying to define who owns that data, right? So they would basically define it in through traditional ways, I would say, during that era, which is that you have data as it is from the end user, i.e., the consumer or the user of the licensee system. Then you had data as it is part of the structure of the system that is licensed. And then lastly, you have data as part of the structure that is inherent to what the licensor had built, right? Like the cloud company as saying that part of that data is derived as a result of their proprietary technology, right? So you had all these companies and end users all struggling and arguing within these 3 different areas as to who and what owns what. And that is where these origins of a licensing model really came out.

Before I kind of take the concept of data as property, I wanted to bounce this off of the notion of smart cities, and I'm going to go to Ann on that shortly. But Enoch, just quickly before we pivot off here, I'm assuming DDP has an opinion on this notion of compensation as it relates to data and/or properties. Do you want to comment on that just before I move to the discussion of smart cities?

Sure, sure. DDP and Andrew Yang personally submitted a friend of the court brief, that's called an amicus brief in the United States in support of the plaintiffs in the Calhoun versus Google case. And that amicus brief argued that, at least under California law, that your online data should be your personal property. And the court judge co ended up ruling in favor of the plaintiffs and basically adopting the position that the plaintiffs and DDP and Andrew Yang stacked up. So I think it's pretty public in terms of what DDP's position is, which is, yes, you should have personal property ownership rights over your online data. And when it comes to the idea of licensing or data dividends, I think that DDP's position is also pretty clear, which is you, as the consumer, have the right to choose. If you want to be totally dark on the web and have never be tracked and never be served personalized ads and whatnot, then so be it, that's your right, that's your choice. And DDP will help you get there. But if you are okay, seeing some personalized ads. If you're okay of being tracked for some purposes, then you should be able to share in that value that's created. And so...

I was just going to ask one thing on that. The -- in that same brief that you submitted, just some clarity on the nondiscrimination prohibition. Is that does that brief and CCPA talk to this notion of, if you withhold data, can you be withheld from actually participating in the product? I think that, that's something that consumers have wanted to know because there's often this argument where companies will say, well, we need data in order to run our product. And that is this very blanket statement, which is if you don't give us your data, then we can't run our product. And that's always seemed a bit hollow. So I didn't mean to cut you off, but if you could maybe answer that at the same time.

Yes. You know what I've noticed, especially with a lot of the congressional testimony that big tech has been giving in the United States is, if they don't want to do it, all of a sudden, it becomes too hard. And our products will break, and we can't figure it out. If they do want to do it, these are the smartest people on Earth, nothing can stop them. So you've seen that a lot -- especially like Zuckerberg and Facebook when he's testifying to Congress. So I don't buy that argument. I think it's quite hollow. I also think that our brief to the court did not address that nondiscrimination provision, but the California Consumer Privacy Act contains a nondiscrimination provision that says, if a consumer decides to withhold their data or ask their data to be deleted, they can't be discriminated against by the company. So it remains to be seen how that nondiscrimination provision will be interpreted and enforced by the courts. I will note that the California Privacy Protection Agency, which was established by Prop 24, has now been named by Governor Gavin Newsom, and has started its work. And I believe It will be -- it will have jurisdiction starting January 1, 2023. So we're very excited to see how the California Private Protection Agency is going to be interpreting and enforcing these provisions of both the CCPA and Prop 24.

So data, big tech, surveillance over to Ann for sure. For those that are on here, if you're not aware, Ann was part of the Sidewalk. She was on the Board of Sidewalk Labs, smart city that Google was proposing to actually build in Canada. I'll let you talk to kind of the story there, Ann. But what's intriguing to me is, again, there seems to always be this very hollow argument, which privacy is getting in the way of technology and advancement. How do you build smart cities without surveillance? And how do these 2 things kind of coexist? Talk to us a little bit about that about Sidewalk Labs and your involvement with smart cities everywhere, not just in Toronto.

And I'm glad you mentioned that. I'm on the International Council of Smart Cities. And all of the smart cities in the far east, they're just full of surveillance and tracking and it's horrible. So when Sidewalk Labs came to me, they wanted to retain me and they want me to embed Privacy by Design into the smart city, they envisioned for Toronto, Canada. And I live in Toronto. So I love that. Because I would love to have all of the advances of a smart city with privacy, totally protected. So I agreed and we started working together. And at first, it was fine. They were fully into Privacy By Design. And I -- after I studied it, I said, look, the only way you're going to be able to retain privacy in a smart city is to de-identify at source, meaning the minute the data are collected, you have to strip out of all personal identifiers. Because you see in a smart city, the tech is going to be on 24/7. You're never going to be free from the tech that's collecting data and doing all this stuff. So it has to be stripped of personal identifiers. They went along with that, Sidewalk Labs, they are fine with that until further down the road when they had problems. And all of a sudden, they change here, too, they said -- and they never consulted with me on this, they said, "look, we believe in Privacy by Design and stripping data at source, but we can't make companies do that. We can't make them do that. So whatever is going to happen is going to happen." The minute they said that at a Board meeting 1 day, the next morning, I resigned. Because it was such a [ compound ]. And it was the one thing they never consulted me with me on. And the next day, I had calls from everybody from New York City, from Dan Doctoroff saying, "What's going on? How come you resign?" It was very simple. You cannot retain personal identifiers in a smart city. You will have no privacy. It's impossible, but you can -- there are all kinds of ways you can strip it very successfully. And then you can have total value of all the data and total privacy, win-win, you can do this. It's just that you get so many naysayers, Neil, and they say, well, oh my God, it can't be done. It's got to be either/or. And it's such nonsense. I'll never forget When I was at the University of Toronto doing my graduate work, Anatol Rapoport who as a creator of game theory, he was there. And I used to just [indiscernible] it. I loved it. And I -- but I was always an eternal optimist. I never knew why people embraced zero-sum instead of positive sum, the either/or model. And I remember saying Professor Rapoport, why would they prefer just to have 1 versus the other as opposed to 2 multiple interests being served? And he said, "Ann, it's simple. It's the lazy man's way out." Because it's much easier just to do one interest, just protect security or data utility, forget about privacy. He said, "the long-term returns are so much shorter." So I've never forgotten that, you can do multiple gains, positive sum, win-win, forget about the data zero sum, either/or model, and that's -- we're going to do that in my cities. Sidewalk Labs is gone, but I'm now working with the city of Toronto on the new ones. We will ensure that, that happens.

And internationally, are they having the same challenges regarding trying to balance those 2 things out? And is anybody -- is anybody leaning into the privacy side of the equation?

It's difficult to say. Clearly, the ones in the Far East, China, Dubai, they're not even interested in retaining privacy. I can't even point you to an example because it's just starting where we're trying to push privacy into smart cities. It will be a work in progress. There's no question, but we can do this.

Okay. And so maybe as a quick segue, over the last 16 months with COVID, this notion of COVID tracing and tracking has tended to attract a lot of attention from consumers who are wary about governments or others kind of having this type of health information, different situation, similar story. The idea of health passport has been discussed with vaccination rates kind of going up. Is this a similar debate? Because I know you're very involved in this notion of health passports and the creation. So I'd be interested in getting your feedback on that.

I'm totally involved, but not because I want to be. I totally oppose a vaccine passport. I completely reject them because what they will do in identifiable form, they will collect your personal information, your medical data. And it will be retained by government centrally. It will be shared with third parties unknown and your most sensitive personal information will be abused. I totally object to that. The reason I'm working on this now is because ID2020 is creating something they're calling The Good Health Pass. It's going to be a blueprint that they're going to offer to governments and organizations that if you have to do the vaccine passport or a Health Pass or something, at least use this model, which totally retains privacy. It's completely decentralized, meaning the individual has total control over their data. So if I'm traveling, if I go to the airport and they insist upon knowing that I've been vaccinated or whatever, I can reveal that to the person at the gate, whoever needs to see it in order to enable me to enter onto the plane, but then that's it. As soon as they get the information, they cannot retain it. I pull it back into my decentralized place. And I protect my data as much as possible preventing it from being centralized and distributed widely. With contact tracing, that when it first started, there was enormous opposition to it. 300 of the leading epidemiologist doctors all around the world in 26 countries, wrote letters to their governments saying, forget contact tracing, it's going to engage in surveillance and totally eliminate the privacy much needed for this information. So you have to embed privacy into the process. So we're trying very much to ensure that, that becomes a reality.

Interesting. So Enoch, I wanted to ask you a quick question. I don't know if you're available right at the moment. You turn the camera off there for a second. You talked about sort of doing this mass opt out. And I think one of the things that we've struggled with even at Killi when we look at the data landscape is that, it seems like it's rigged against the consumer. Where in the U.S., you have a federal do not call list, but you do want a federal do not track list. And that as the consumer wants to opt out of a platform, they are literally playing a game of whack-a-mole. They're going platform to platform. And with the amount of kind of technology and data collection happening in the background, a pessimist would say that the consumer is just falling further and further behind even if they were trying to actually opt it. So do you have an opinion on this notion of a federal do not track list? Or how do you get around that notion that the consumer has to go platform to platform in order to satisfy [ opt in ]?

Yes. This goes back to what I was discussing initially with Dr. Cavoukian, which is the privacy as the default setting. Obviously, in the United States, an opt-in model would be way better for consumers, such as Europe's GDPR, assuming that you can get around dark patterns and whatnot. But unfortunately, in the United States, we have Supreme Court case law that says that it has to be opt out. And so the game of whack-a-mole, I think, can be dealt with a few ways, right? The first way is coming up with something like the do not call list, but applied to data for do not track. And I actually know the technologists who worked on do not call at the Federal Trade Commission. His name is Ashkan Soltani. He has now come up with a product called the Global Privacy Control, which is a browser extension which automatically broadcasts an opt-me-out signal for every single website that you visit. So that's a nascent movement, but a lot of publishers have already signed on to it, like the New York Times, et cetera. And so I hope that Global Privacy Controls will grow into a browser extension that anybody can download for free and will automatically broadcast, do not sell, do not share my data for every website you visit. So that's one nascent movement that is starting to grow. But then that leads -- that only helps for the websites that you actually visit. Then there's a ton of websites and a ton of companies that are in the background that are collecting data on you when you don't visit them. And right now, I think the only solution is to have trusted intermediaries, whether it be GDP, whether it be consumer reports, whether it be some other trusted nonprofit that can come up and help consumers deal with that whack-a-mole problem.

One thing that kind of comes up quite often as well is that we find is that people tend to kind of lump the data market as kind of 1 big organism. And we sort of looked at the market really as there's kind of 2 -- there's 2 sides to it. There's the walled gardens and everybody knows who the walled gardens are and they tend to take a lot of the brunt of the criticism around data primarily, I think, because people understand who they are. And then there's what we would call headless data companies. And a headless data company in our definition is a company that actually has a profile is managing data, but has no UAC -- has no front end, has no way to interact with the consumer. Mark, Enoch, Ann, I guess when I look at the privacy legislation, specifically California, knowing that some of the largest data companies in the world reside in California are headless by nature, how do you remain compliant as a headless data company operating in California with no way to provide access to a consumer to allow them to edit, opt out, et cetera. That, to me, I find [indiscernible].

Sorry. Is that a question for me or for Enoch?

It's for either. I mean I would say -- I just -- the question is that if you do not have a consumer-facing product, knowing that the legislation is increasingly moving towards consumer inclusion, how do you remain compliant as a data broker or as one of those companies in just the state of California, never mind the rest of the United States?

Yes. So I would say that when we were talking with Andrew about this problem in the U.S. I think one of the things you saw early on, right -- I would say in a year or 1.5 years before GDPR actually became live is that you did see a couple of start-ups raise funding to try to create a universal. It definitely was not a licensing platform, but you were seeing the OneTrust and the various other companies try to create some type of unified, I would say, user interface platform for all tech companies, not being European myself. I don't actually quite know what happened with most of those start-ups. I know that they try to basically be more of a set of universal controls for different data and tech platforms. And I would say that, that is what you're seeing a lot of start-ups, for example, Killi try to do in the U.S. now.

Enoch, any comments on that or we can move on?

I would say that it's a problem. I mean you call it a headless data company. I referred to it as first party and third party, right? The first parties clearly have contact with the consumers, i.e., the walled gardens. The third parties are running in the background and have no contact with the consumers. And I think they prefer it that way, right? Like if consumers knew about all the third parties out there that are collecting and selling their data, and how wrong oftentimes that data is, right? Because they're not -- they don't have an interface with the consumer, so the consumer -- they don't have good quality data, which goes back to what Dr. Cavoukian was saying about the right to access by the data center, right? And so I think that these headless data companies need to have in order to stay compliant and also to help improve the quality of their data, they need to have some type of contact with the consumer, whether it's Killi, whether it's something else, that will get them consented, clean, verified data. Otherwise, I think that their business model is going to be very challenged by the rise of laws like the CCPA and Prop 24.

Okay. For those that are listening in, I'd invite you to put some questions into the Q&A. I think panelists, I'm not sure if you can or cannot see those individual questions, but we can -- some of them are directed to each of you, if you want to pick and choose 1 that you want. I'm happy to read them out. But maybe before we get to the questions, if I was the skeptic, which I'm not, and I kind of go around the room here, and I'd ask you, Ann, for instance, we talked about smart cities and the sort of this notion of surveillance and this evolution of technology, does the skeptic believe -- is the skeptic believe that technology and data collection is running at a faster rate than the privacy legislation and consumer awareness around data? And what's your comment on that regarding people who think that this notion of privacy is a waste of time and the technology is moving too fast?

I get that all the time. Surveillance is mounting. There's no question. Surveillance measures are escalating, et cetera, but so is interest in privacy. It's not just about privacy loss. I've never seen such elevated concern for privacy. It's now consistently in the 90 percentile, 90% of those surveyed in like 2 Internet research, et cetera, 90% concerned about their privacy, 92% concerned about loss of control over their personal information. So they're both growing. And it drives me crazy when people -- I mean, I tweet every morning I have a large Twitter following, and invariably, somebody will tweet back and say, lady give it up. That ship has sailed. And I say, get another freaking ship, you don't give up on privacy. Privacy forms a foundation of our freedom. You cannot have free open societies without a solid foundation of privacy. I am not willing to give up on that. My background, I'm Armenian, my parents barely escape the Armenian genocide years ago, freedom is critical to me. And this is what we have. But also, there's so many examples on the privacy side. There's now a decentralized identity foundation that was created several years ago, consisting of all the major players, Microsoft, IBM, et cetera. And they're focused on giving control back to the individuals in terms of decentralized identity. There's a whole SSI movement, self-sovereign identity. There's so much happening on the privacy front. Encryption end-to-end is growing. Homomorphic encryption is growing. You never give up on privacy. It's just going to get stronger. Yes, so as surveillance, but it's like a chess game point, counter point. We always move forward.

And with that, because we subscribe to that notion that what we struggle with is that we believe that amongst consumers that there is universal acceptance around this notion that they should be in the conversation regarding their privacy. And we don't subscribe to this notion that it's all one way or all the other. Meaning that the consumers have to control all of their data versus [indiscernible], a pendulum that sort of sits in the middle. What we struggle with is this -- is the conundrum of if there is universal acceptance amongst individuals regarding their participation in their data, why is there not universal action? And that's the part that we sort of struggle with. And I'll open that to you, Ann, but Enoch and Mark, if you have an opinion on that. Why is there this disparity between these 2 thoughts?

I don't want to take up all the whole time, but there is lots of activity taking place on this. I don't want to suggest that there isn't. I have never seen so much concern and action on the privacy front. So let us not present this sales model. It's not failed at all. It's growing dramatically. But let me turn it to Mark and Enoch.

Well, so the way I would explain it is that I think one of the problems we have is that as a nation, we do need to compete with other nations that care far less about privacy. And one of the advantages of not caring about privacy at all is one would argue that in some ways, you get to test the edge technologies much quicker than if you actually had cared about people's rights, right? So there is this innovation argument in there saying that, well, if you just care a little less, perhaps innovation will be driven faster. Somewhere in there is, I think, a straw man that needs to be taken down. Because I do think that if we believe in democracy, we obviously need to believe in people's rights. I think one of the problems there is -- I think, as Ann had put it, the lazier and easier way to think is just, well, let's figure that out later and let's not deal with it now, which is why the whole notion of Privacy by Design starts with the idea that at the beginning of the design, you need to factor in the privacy requirements for consumers right at the get-go because if that becomes the very basis by which you build your "IP", the IP needs to recognize that was built upon the backs of private consumer data.

Interesting. Enoch, any comment on that?

Neil, I was busy answering the other question. Can you repeat the question again? I answered a long question in the chat.

There you go. Good. multitasking. Really, the question was if there's universal acceptance amongst consumers regarding their involvement around their data, why is there not universal action? And what's preventing the disparity from these 2 points closing?

Yes. I think because -- I think that, Neil, you raised a point, which is if you look at all the surveys out there for consumers, consumers all say universally that their data is being abused. They all say that they're concerned about their privacy. But when it comes to solutions, they don't know what to do. And so a lot of us just -- we just hit accept, accept, accept on those terms and conditions because we don't know how to analyze this. And we're completely outgunned. I mean like you have Mark and I as intellectual property and privacy lawyers on this call, and I have to say that I don't even read those terms and conditions. And I doubt very many privacy lawyers do, much less lawyers, much less common people. Because you are completely outgunned. I mean we're talking about 60 page terms and conditions. And so I think that there's a sense of there's something wrong. I want more control over my online life and my privacy. I don't know what to do about it. And you're seeing the rise of grassroots awareness around this with the Cambridge Analytica scandal and documentaries like the Social Dilemma or Coded Bias on Netflix, which is receiving more and more recognition and awareness among society at large. And so the question is, I think the challenge for all of us on this webinar is how do you come up with something that is simple to use that isn't hard to understand. But that gives consumers control over their privacy and their online lives. And I think that the first company or the first group of companies to come up with that type of solution is going to be universally accepted and heralded and it's going to really change the way that we interact in our online lives.

One more question before we shut it down here. Again, taking the skeptical view of Enoch. And if I'm a skeptic, you must run into the notion of -- there's compensation and there's data or there's a dividend as it relates to my data. What's the response to those who say the amount of money that I can make is not worth it? And then it also kind of quickly like to debate the notion, is the problem actually the compensation around data? Or is the larger problem the access to the data first and that compensation is a consequence of actually getting access to the data?

I would say that on your first -- on the first issue you raised is that the framing is totally wrong. The idea that your data or access to your data is only worth a couple of dollars a month. Well, yes, of course, that's what the tech companies want you to believe because if they knew you and your data, especially on an aggregated basis, was really worth, then there'd be a revolution inside of Facebook and Amazon and Google, et cetera. And so again, this goes back to the big tech CEOs testifying before Congress. It's like if they don't want to do it, it's too hard. If they want to do it, nothing can stop them. These are the smartest people on Earth. And if they don't want to give you -- if they don't want to compensate you for access to your data, then it's worth pennies on the dollar. But if they get to keep the money for themselves and their $1 trillion valuation companies, right? So I think that they're talking out of both sides of their mouth. So that addresses your first question. And then your second question, I'm not sure that I understand, Neil. What do you mean by the access to your data versus...

Well, I think it's in combination with your response is that, I think it's a very -- this notion of get paid for your data is very flat, very linear, very transactional, lack sort of emotional kind of buy-in and it's going to be hard to scale. So we feel that generally that your -- if that is your sort of -- if that's the position you tend to sort of fix it on a very small percentage of the market, which runs contrary to what we just discussed in the last conversation. Well, you can't focus on compensation if it's only a narrow part of the market, when the majority of consumers actually have these concerns around data. When I look at the market, where I think that the conversation regarding payment for data rings hollow is that compensation is not even on the table unless you actually have access. And that, to me, also sort of speaks to that -- the notion of maybe it's privacy by default or Privacy by Design or opt in versus an opt out. I think that the gap in the market in the challenge between that notion of universal acceptance and a lack of universal action is that there is no destination where consumers can actually get access. There is no beacon or rallying point where [ as I continue sort of use as my sort of starting ] point. And so that to me is when thinking about data, I actually -- if you can move data and consent and compliance back to the consumer level, everything downstream gets better, fidelity, transparency, fraud, control, compensation. But really, to me, compensation is almost a byproduct of access and control. Without access and control, it's a fool's game to even consider compensation.

I totally agree. Sorry, this is predicated on people being able to access their own data and have control over its use in disclosure. Privacy has always been about personal control relating to uses of your data, and you start there. You can work your way to compensation, et cetera, that's down the road, but access control, absolutely critical as the first steps.

Yes. Sorry. So let me tackle your question also Ann's comments and Enoch's comment is kind of like 2 ways. I think that the data property model is actually not a perfect model. And let me explain why, right? Because very, very traditional property dialogue, at least from a legal perspective, there is this idea that you can forever revoke your property right, right? So I think some of the tensions that you're hearing within property enthusiasts is they feared that the dialogue of data as a property right means that once you conveyed away your "right", you forever forsaken that. And you can see the tension in this in a GDPR, some of the GDPR regulations, for example, where some of the DPAs are banning the -- banning cookie walls, for example, as like a blanket allowance, right? Or -- and how Prop 24 and the CCPA carve out that, yes, you can allow for compensation adjustment if the price of the services is reasonably related to the data that's being denied and opt out, right? But even there, there is still this carve-out for this idea that there is an immutable right somewhere in there that's beyond just "a mere property right." So I think that's the first tension that you kind of identified. The second tension I would say is that if you think of data as input in a way as a fuel, I think what you're hearing some of the companies say is that they're saying like, well, okay, and I think this is actually your question, Neil, right, which is that -- sure that may be a component. But the thing which uses that data in which that data is powered by is actually proprietary property. So if you translate into mathematics, it would be like x maybe the data, but the function, the F bracket, right, that is not consumer data and instead that is company data. And what is the fine line between once you derive the function from the X and Y, who owns that function, right? And I think that that's your question. So I do think that there is some tension there on those 2 issues, which I think makes this debate over data as property and immutable rights of data as a result of privacy by design. I think those are novel issues, which have yet to be fully resolved.

Ann, any comments on that?

No, I agree with Mark. There are indeed novel issues. This will play out. I am very optimistic because there is such a strong movement to -- in terms of self-sovereign identity decentralization protection of data and personal control, I think we can do this.

Great. I know we're running out of time. Ann, where can people follow you or find more information on what you're up to? Tell them where they...

I don't know if people want to follow me on Twitter. It's just @AnnCavoukian, like I have, of course, a website, globalprivacyandsecuritybydesigncenter.com, gpsbydesigncenter.com. And just e-mail me. I'd love hearing from people, and I always respond.

Great. Enoch, yourself and The Data Dividend Project, where can they connect with you and your team to follow along with all the things that you're up to?

Yes. datadividendproject.com is our website. @ddpforall is our Twitter, Instagram handle. And we're constantly posting updates about data privacy, data security as well as what GDP is up to.

And Mark, where can people find you [indiscernible] issue that they would like to engage with you? Or how can they connect with you?

No joke intended, but you can Google me and find me. There are not many of us Maos left.

Mark, would it be an Incognito mode when they -- when you're...

Right. And as far as I'm aware, almost 18 months into the various stuff with Google, I have not yet been deprecated on search results.

Okay. Good. You're not on Page 2. That's good. Okay. That's the fastest way to kill SEO is get you off on Page 1 and down to Page 2. Everyone, thanks so much for a great discussion. We can revisit this again in the future. It's a fascinating topic. All of you, thank you all for all of your help in this industry. And moving things forward, I'll let everybody go now. And again, hopefully, we can revisit this in the future for version 2 of Privacy By Design and where privacy is going. So thanks, everybody.

Okay. Great, Neil.

Thank you for hosting, Neil.

Yes. Thank you. Bye-bye.

Take care.