BT

InfoQ Homepage Podcasts Hoang Bao on Ethics, Privacy and Regulation in Software Engineering

Hoang Bao on Ethics, Privacy and Regulation in Software Engineering

Bookmarks

In this podcast recorded at QCon San Francisco 2019, Shane Hastie, Lead Editor for Culture & Methods, spoke to Hoang Bao who was the track chair for the Ethics, Regulation, Risk, and Compliance track.

Key Takeaways

  • Privacy and ethics are vitally important for people to focus on at the beginning when they are thinking about new ideas and starting on new products
  • Consumers of software products are far more sophisticated about privacy and data protection than they used to be
  • Software engineers need to consider the unintended consequences of the products they build.  As the builders, they are well suited to identify potential dangers
  • Ethical considerations extend beyond privacy to such areas as child safety online, the potential spread of misinformation and biases that impact the training of AI systems
  • Software engineers should consider signing up to a code of ethical conduct

Transcript

00:00 Introductions

00:00 Shane: Good day folks. This is Shane Hastie for the InfoQ Engineering Culture podcast. I'm at QCon San Francisco, 2019, and I'm sitting down with Hoang Bao.

00:15 Hoang, welcome, thanks for taking the time to talk to us today.

00:17 Hoang: Thank you, Shane. Excited to be here.

00:19 Shane: Hoang was the Track Chair and host for the ethics, regulation, risk and compliance track at QCon San Francisco, and that of course is what we're going to delve into in this conversation. But first, Hoang, tell us a little bit about yourself and your background, please.

00:36 Hoang: Well, I have been working in this particular field for the last decade. I went to school and really was intended to be a developer. I actually got both my undergraduate and my master’s in computer science.

00:48 And the goal then was to become an architect, someday. But you know, obviously that didn't quite pan out.

00:55 After I graduated, I was curious into what else is out there in the industry.

01:00 So I jumped into consulting with KPMG, one of the big four and focus on information governance.

01:06 From there, I moved on to Yahoo, to work on data governance and privacy for them. Helping them manage, I think at that time we were up to 1 billion users. So, a lot and a lot of data, well, a lot of fun, I think over 100 different products as well. I spent about seven years at Yahoo.

01:22 Afterward I spent time at Walmart e-commerce fascinating place. Learned a lot about e-commerce how the digital world ties to the physical world, how data flow between the two. How ethics, privacy issues connected there.

01:36 And then in my last position, I serve as the director for privacy assurance mentioned Netflix.  Also, a fascinating world, because you know, there you have viewing history, which is the regular data in the US. But Netflix outside of the streaming service that consumers are so familiar with, also has the business of studios.

01:56 So at the same time, Netflix is producing a lot of content across the world. There are production offices of course in LA, but also a large amount of offices in Europe, Asia.

02:06 So think about how to scale privacy, how to manage data flow from a technical perspective at a global level was also a fascinating challenge.

02:16 So I was able to set up the framework that built a strong team, and now I'm focusing more on my consultancy called Virtual Privacy. It is something that I do pro bono for non-profit and for startups, just to help these folks get more familiar with the privacy world, because I know being in this world and working with them before, typically, there's no funds for that, but  privacy and ethics is so important for people to focus on at the beginning when they are thinking about new ideas and setting out new ideas.

02:45 Shane: Let's talk a little bit about the track. What was your thinking? What was your intent? Ethics, regulation, risk and compliance, reading that it could be pretty boring, but it's really important stuff.

02:57 Designing the Ethics, Regulation, Risk, and Compliance track

02:57 Hoang: Yeah. There are many different ways you could have taken that particular track. And that's, I think, a lot of people's perception when they heard those four words as well. And you know, surprisingly in the recent year, I think just what happened in the news have helped me a lot.

03:12 I think Cambridge Analytica, Facebook, certain things have brought one of the ethical issues, which is privacy to the forefront. Consumers, people who are not as familiar are now asking me questions. I was like, Oh my God, that's very informed, very thoughtful. Whereas before I get questions like what is privacy engineering?

03:31 So the conversation has shifted, and I think helped me kind of formulate the track. So with this particular track, I choose to have a focus quote, unquote, on privacy, because that's the way to connect to the audience and it's most relevant to them.

03:44 I know a lot of companies are having that discussion internally.  A lot of software engineers, even though they are not working on privacy as a full-time job, I'm being brought into conversation about how do you manage data? How do you help us build this particular feature to comply with the GDPR, CCPA?

03:59 So I ground the track with privacy, but in addition, there have been ethical issues that I have witnessed over the last decade, that is also very critical, like child safety online.

04:12 Online there is a diverse space. There are many wonderful things on there, but there are also so many scary things on there, in particular for more vulnerable audiences like young children. So, children's safety, cyber bullying;  those are ethical issues that software engineers can get more involved.

04:29 Recently in the US and I think globally as well, misinformation and how it impacts society is also becoming very important and should be talked more about. It can sway elections allegedly.

04:40 So, yeah, like I also choose to at least communicate the array of ethical things that people should at least start thinking about and start considering when they do the job.

04:51 Shane: If you were to pull out a highlight from the track, what were some of the key things that happened?

04:57 Hoang: That is hard. You're asking me to make like the Sophie’s choice right here, like picking my favourite children.

05:04 Highlights From the Track

05:04 You know, I think at least the one running theme for me throughout the  track was that I was so privileged to have really great and thoughtful speakers, and I think the speakers really took the time to understand the audience that they are sharing the information with knowing that this is a technical audience.

05:22 I think all the speaker really took the time to take a very potentially philosophical discussion and add a lot of technical concepts around it. For example, I loved how Jean Yang, who talked about the software gap in privacy and compliance, she actually break it down in very precise manner about the solution that works while wrapping it all with the context.

05:45 I also love how Markus De Shon, for example, talked about quantifying these ethical issues from a risk lens and how you can put all of this in monetary value.

05:55 That is very important to make all of this applicable, right? Because you can talk about ethical issues with your executive until the cows come home and I think, you know, you might not get as much attention if you was to say that this particular issue is going to cost us X amount of money and here are the solutions that will not cost us that X amount of money.

06:13 So I think that thoughtfulness among our speakers as I shared in examples was a highlight for me and how applicable I think these talks were to the software engineering community.

06:24 Shane: Exploring some of those current ethical issues, what's out there? There are some of the headline grabbers, but what else is going on?

06:31 Privacy Challenges

06:31 Hoang: Yeah, I can start with my favorite mental soup, acronym soup. I think that a lot of folks have to have heard of GDPR, CCPA, I'm going to add a new one LGPD. So these are privacy and data protection regulations and I think this is probably top of mind in terms of ethical issues for a lot of companies and the reason behind it is that privacy has been in discussion for a long, long time.

06:59 When I first started working GDPR was not in place yet, they were not regulation, they were directive in Europe, directives. But I think what regulators and consumers have noticed is that a more loosey-goosey structure, like directives vs regulation wasn't working. So there has been more of a focus from regulators in holding companies accountable and, you know, consumers are also expecting more and more because as they become more aware, more woke in this conversation, I think the expectation is changing.

07:28 And the regulators is driving this through fines. So for example, with GDPR the fines are essentially a pretty substantial, it can go up to 4% of global revenue. And even recently, when the FTC applying Facebook, it was a $5 billion fine for a privacy violation. So all of that make privacy top of mind for companies who are doing business globally, who are handling personal data.

07:55 Because, you know, one, they don't want to have  a large fine and you know, the large fine is just the tip of the iceberg, right, along with that, of course, that's going to be in the news, that's going to generate questions from the consumer. That's going to erode ultimately trust and potentially reduce that adoption of your products.

08:16 So it's very important and the other thing that's kind of driving privacy conversation right now is that GDPR and CCPA and other regulation have asked company to provide consumer with certain rights when they are interacting with the companies. For example data access right.

08:35 That means if I am a consumer and I share personal data with Shane, inc, I can go to you and say that I would like for you to provide me with all the personal information that you have about me, and there are some expectation in term of how long it should take for you to send that to me. And so that's becoming a product feature at a lot of companies. That's where software engineers are they're getting looped into the conversation. Can you build me that particular feature? Can you track down all the data? Can you package it so that we can produce it?

09:08 Another example of rights that these privacy regulations that provides to a consumer, it's the right to be forgotten. I think that's also a fairly well known phrase by now, but that means I can, you know, again, write to Shane inc, and say that, you know what, I want to sever this relationship. I would like you to forget everything about me and that has to be done appropriately. 

09:30 Depending on, on how data is structured at different companies, architecturally such deletion can be really hard or costly.

09:37 Shane: Yeah. The data architect in me is going data integrity, structural - wow!

09:45 Hoang: Yeah, exactly. I remember, this is a few years ago, maybe 2011. So Facebook actually underwent an audit with the Irish data privacy office. I think the commissioner that was his name was Billy Hock, as a result they actually published all the findings, and they went into technical details as well.

10:03 But one of the things that really stood out to me when I was reading that, you know, hundreds of pages report was that Facebook couldn't delete data properly. The way that data was structured at that particular time, make it very hard for them to do actual deletion.  There was a soft delete, hard delete, and I think deletion approach or strategy back then was deemed inappropriate. So they had to go back, rehash it, do a lot of costly things.

10:27 So I think right now companies are also keeping that in mind, that as we build out structure how do we comply with these regulations? Well, our strategy doesn't even affect the, and you know, which might result in a fine, et cetera.

10:39 Shane: So that's privacy, which has had a lot of publicity and GDPR, and the other legislation definitely has brought this to the fore, but this whole lot else that falls under this ethics banner, what are some of the emerging issues or beyond privacy, what are some of the issues that we have to deal with as an industry?

10:58 Hoang: Yeah, and you know what? I think there are new ones popping up every single day.

11:03 I have to tell you a story. So my Masters dissertation was on my social network and I was trying to understand the top usability and the top sociability issue with these social networks. And when I was doing my particular research, I have 10 different social networks that we're looking at. One of them was a little known company called Facebook, and at that time they had 5 million users. So it was like 15 years ago. But, when I first did this research, most of this problem that consumer or people were having were more on the usability side, which mean UX, how they interact with the site, where the buttons right? What they're able to submit things.

11:42 So more interaction, the sociability aspect that I wanted to explore, which is, you know, are there privacy concerns, are there misinformation concerns? None of that was there yet, but over the years we see these ethical issues start popping up.

11:56 Child Safety and Cyber Bullying

11:56 So, you know, like, as you mentioned, privacy is the one that's getting the most attention right now, but in my work and some really great works of people like, for example, Megan Christina, who was on the panel, yesterday for the ethics panel. She did amazing work in child safety, trust and safety in general at Yahoo. And that's an area that is, I think needs a lot of attention because, as you know, more and more children, I think like today, kids are grown up with online environment,  and it's a pretty nefarious environment. There are wonderful things about it, but there are predators out there. How do we protect them from that? Where the predator is behind a computer, sitting all over the world, how do we set up control safety features to protect children on there?

12:45 And also, you know, sometimes it's not that nefarious adult predator, there's also an issue with cyber bullying. I think that has caused a lot of society to just shift as well. Like how do you manage conversations between children to make it a better environment for them to grow up in?  I think that's another issue that we really need to dig deep into to ensure that the next generation has a healthy environment, digital environment, to grow up in.

13:12 So that's one of the top things for me.

13:14 Misinformation and Trust

13:14 The other things that I'm still trying to figure it out what would be a good way to go about solving is misinformation. A lot of companies are working with this, you know, like trying to figure out why Facebook, Twitter, a lot of online information exchange and I think we've seen the impact of like elections being influenced by misinformation.

13:35 And it's a really tough call, but I think that's also another area that we need to invest more in as well. And the one that's also super-interesting, interesting for me, as you can see, like I say, it's hard to pick just one. It's the area of machine learning.

13:48 Bias in Machine Learning

13:48 What is super interesting is that machine or AI ultimately is created by us, by software engineering developers. So we are teaching these machines how to think, but we all have biases, like it or not. I think I have bias,things that  I might not even be aware of.

14:06 We are taking those biases, we're putting it into the product we're building and we don't know what the consequences of that might be. Sometimes we don't think through all of it, because time has shown that we're not aware of our own biases.

14:19 So I think that has an impact.

14:21 I think like you probably have seen news article about, I think recently the Apple credit card was called out for giving woman less credit than a man, even though when they had the  exact same financial account, otherwise.

14:34 There's been cases where people of different races were treated differently based on the algorithmic biases.

14:42 So I think that's an area I also need a lot more attention to as well.

14:46 Shane: These are areas that need attention. What does that attention look like? What do we do? So to create that healthy digital environment for children to grow up in, what do I do as an engineer? What do I do as an engineering manager?

15:00 A Code of Ethics for Software Engineering

15:00 Hoang: Yeah. So, I think a really good talk to watch to get more ideas around this would be Theo Schlossnagle's talk about ethics yesterday, the ethics landscape.  I think Theo has some pretty interesting ideas in terms of as professional how can we really engrain ethics into this discipline?

15:23 I think like he mentioned that ACM has a professional code of ethics. I think that's something that should be more focused on. People should pay more attention to, maybe adopt more explicitly as a profession of engineering.  Yesterday. We also had Bruce Edward DeBruhl, he is a professor at CalPoly and he spoke on the panel yesterday and I liked his focus on teaching all these up and coming future software engineers, how do you think about this? How do you structure a curriculum with ethics built into it?

15:59 So you really tackle these issues foundationally. Help, software engineers start thinking about this so that they don't go through most of their career and then having these as one-off conversations, it will make them more invested as well.

16:11 And I think the other good idea that I heard from Ayana Miller, she also spoke as well, and she has a really amazing background because she has worked at the FTC. She has worked at Facebook and Snap, and now she's at Pinterest, but she shared with the audience some approaches and getting attention in the company.

16:33 Like for example, you know, knowing when she spoke to executive about certain things, how to structure a buy in conversation with software engineers so that they can get the ethical issues addressed.

16:43 Shane: As a software engineer, let's tackle a hypothetical situation, I'm being asked to do something that I think is wrong.  How do I respond?

16:56 How to Respond to Unethical Pressure

16:56 Hoang: That is a great question, and I hate keeping to refer to the talk yesterday, but I think that's why I picked these talks. Theo's talk has a particular slide on how you do dissent when there's an idea that you do not agree with and I think it was an adoption of the IEEE,  how do you decide when that's an ethical issue that you don't agree with?

17:16 And if I remember correctly, there were several different steps, but the main step being, you need to make sure that you logically document your thoughts, your process, you articulate it well to  whoever you are  having that conversation with you have impassionate discussion, really focusing on the pros and the cons and take the emotion out of it. And make sure everything is clear and transparent in that conversation.

17:40 Because I think these ethical issues can get mucky because it can be quite philosophical, but I would recommend whoever is listening to refer to that particular slide, as I found it very helpful and I think the audience did as well, yesterday.

17:53 Shane: Really interesting stuff. Any final advice?

17:56 Advice for Software Engineers

17:56 Hoang: Yeah. You know, I think my advice is just be more involved because I think, you know, as creator and as builder, we are the one who are created these products that have these unexpected consequences to the world.

18:12 Some of them are amazingly beneficial, amazing, awesome.

18:16 But they're also, you know, these negative consequences. At the same time as  creators,  we are the closest to the issue and we have the most direct opportunity to impact ethics in the technical ecosystem.

18:28 So I would definitely invite software engineers to get more involved, think about how you can chat with cross functional team at your work, because that is where  some of these issues popping up.  For example, talk with your legal team on what they think a privacy or data protection issue is. 

18:46 Talk with your product manager so you can understand what consumer expectations are of how they should be treated when they're using your product. And, if you can, think about technical solutions, how you can help out with those problems, because I've watched the evolution, this conversation starts off in areas that are not within engineering.

19:04 They have started as a legal conversation or as a philosophical conversation, but I think what people have realized in the last decade is that those conversations by themselves are not enough.

19:15 We really need the builder, the creator, the software engineer in the room actively participating. And I also think it's a great way to build your career, as a plug.

19:25 So my advice for our software engineers  who are listening is please to get more involved, we need you in the conversation, and I think you want to have free time once you open yourself up.

19:34 Shane: Hoang, If people want to continue the conversation with you, where do we find you?

19:39 Hoang: For a privacy professional, I'm all over the place. You can find me on Twitter @hbao, so find me there. You can also find me on LinkedIn. Those are the two most relevant channel to reach for this conversation.

19:52 Shane: Hoang - thank you very much, indeed.

19:54 Hoang: Yeah, it's a pleasure -  thank you so much Shane for having  me here.

Mentioned

More about our podcasts

You can keep up-to-date with the podcasts via our RSS Feed, and they are available via SoundCloud, Apple Podcasts, Spotify, Overcast and the Google Podcast. From this page you also have access to our recorded show notes. They all have clickable links that will take you directly to that part of the audio.

Previous podcasts

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

ß
BT

Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
Country/Zone:
State/Province/Region:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.