Privacy in Action: Jeff Jockisch, Data Privacy Researcher

In our interview with Jeff Jockisch, data privacy researcher, we discussed his work with privacy-focused datasets as well as his approach to privacy.

The privacy community is growing every single day. It’s in large part thanks to the work of privacy advocates. They’re bringing the subject of privacy to the forefront by increasing awareness on the importance of privacy, making complex privacy issues accessible to all, and providing guidance on how one can best protect their privacy.

Jeff Jockisch is one of the people leading the conversations online. If you listen to any of the leading privacy podcasts, chances are you’ll come across an episode featuring Jeff.

Jeff Jockisch is a certified data privacy professional. He works at the intersection of privacy and data. As a data privacy researcher, he advocates for privacy rights using data to find patterns, trends, and relationships. You can follow Jeff on Twitter.

Interview with Jeff Jockisch

Startpage: Fill in the blank “Privacy is ____”

Jeff Jockisch: Privacy is more important the scarcer it becomes.

Look at our shared history of privacy. Privacy as a concept wasn’t crucial until life became modern, technical, digital. We didn’t always value privacy highly because we didn’t need privacy as much – for the most part, no one was watching us. It wasn’t until 1890 and a Warren & Brandeis law review article that people began to talk about a ‘Right to Privacy.’

As humanity moved to cities, crowded into tighter spaces, and then jumped into cyberspace, almost every step in our evolution has taken additional privacy from us. The development of the telephone, the camera, and the printing press had profound impacts on us. Eventually those technologies began to eat away at our privacy. But nothing prepared us for the digital world.

Now our activities are being tracked, stored on the Net in what are essentially immutable records, while trackers of every type conceivable suck up our digital exhaust 24 hours a day. Machine learning systems then process that data and use it to enhance and, more and more, put parameters on our lives. AI can impact who you meet, what news you see, what jobs you are offered, what schools you get into, whether you get a loan and at what rate, and even how long you get sent to prison. 

Clawing back some of our privacy is essential.

Startpage: On a scale of 1 to 10, how private are you?

Jeff Jockisch: Given what I know about surveillance, I should be a more private person. I’m probably at about a five on your ten-point scale. I understand the risks I take posting on social media, sharing more than is prudent. But I balance that with stringent password security, device security, phone and app security. I also use VPNs, encrypted messaging, some private search, and some private email. 

I’m also actively looking for better ways to share data without losing control of it. There are some remarkable new technologies I’m playing with as part of the Data Collaboration Alliance.

The good news is that for all of the surveillance tech that surrounds us, there is also a concurrent rise in privacy-enhancing technologies. This is getting a lot of attention in the VC world.

Startpage: Why is privacy important to you? In your personal and professional life?

There are many reasons privacy is important to me. I’ll explain two. 

I’ve done a lot of content moderation in my life – reviewing user-submitted questions and posts. This can be insightful, energizing, valuable, and at times, completely soul-crushing.

I was at ChaCha for many years. It was a question and answer service, a text-based search engine with a significant teen and young adult audience. People are incredibly open about what they will text, maybe even more so than what they might ask of a traditional search engine because SMS is so intimate. Curating that content was eye-opening, not just because of the subject matter, but the raw emotions and details of their lives it exposed. It doesn’t get more private. That information, used in good ways and in bad ways, can be life-changing.

The second reason privacy is important to me is that our dwindling privacy contributes to the widening rich-poor gap. I know that’s a provocative statement.  

My argument is essentially this: As our lives have moved online, our property rights and privacy rights haven’t moved with us; they have deteriorated.

Privacy is often treated as a property right rather than a human right, especially in the U.S. 

But even property rights in cyberspace for consumers are more shallow than in the physical world. Most of our transactions are not actual purchases – – they lack the right to transfer, to resell. Often we are only renting. 

In our digital world, we are getting less, without any fundamental understanding of how that power shift happened.

Startpage: What does a data privacy researcher do?

Jeff Jockisch: I like to think I let my curiosity and skills collide in areas where few others are looking. Let me give you an example. In April 2021, it was revealed that Facebook lost the personal information of over 533 million Facebook users from 106 countries. But it turned out it wasn’t legally a ‘breach’ based on U.S. law, so they didn’t have to do anything, and they had no liability or responsibility to their users. Meanwhile, in the months since, spam and phishing attempts have skyrocketed. Coincidence?

As a result of this event and many other breaches, I started some deep analyses of the U.S. State Data Breach Notification Statutes to see what was going on.

Thus far, I’ve done three studies:

• State Breach Statute Scoring: A study of U.S. breach notification statutes across four major metrics: Notification, Personal Data Coverage, Harm Triggers, and Fines & Enforcement. It provides a broad picture of how laws differ and which states better protect their constituents.
• Breach Trigger Analysis: A deeper dive into each law, inspecting three components; what I call the Data Trigger, the Harm Trigger, and the Significant Risk Trigger.
• State Data Breach Law PII Analysis: A deep dive into each state law to examine which combinations of data trigger breach notification, the data elements covered, and whether there are exceptions for public data, etc.

I’m a person that thinks in datasets. When I study something, anything, I think about how to structure the data about it. When I started studying for my CIPP/US certification, I created databases of privacy terms, privacy books, privacy laws, privacy court cases, luminaries in the field, privacy non-profits, data brokers, privacy-enhancing tech companies, privacy podcasts I was listening to… the list goes on. 

I realized that I liked creating these privacy-focused datasets, that they had value to other professionals in the field.

My Privacy Podcast database, for instance, has grown and almost taken on a life of its own. Part of the reason this grew was that it’s hard to search the subject matter of podcasts you might want to listen to too. Try searching for ‘privacy podcast’ and see what you find. Or search for ‘privacy’ within a podcast player. The results are pretty poor. Search engines haven’t figured that out yet. 

I now track over 100 privacy-related podcasts, curate that dataset, add new ontology, promote the shows I like, rate them using an algorithm I developed, and even do things like track guest appearances. There is a lot more I want to do with the data.

Startpage: You have an extensive background in marketing. Can marketing and privacy co-exist? If so, how?

Jeff Jockisch: Sure, marketing and privacy can co-exist. You have to be ethical. The privacy problem only grows out of control when marketers use the tech they know they shouldn’t. Privacy problems in marketing are not new; they’ve just snuck upon us in the form of free software.

Subliminal ads were not ok back in the late 1950s when that tech popped up. The equivalent today is Dark Patterns and surveillance adtech.

But there are plenty of ways to do marketing with privacy intact. Contextual advertising works. We did that at ChaCha effectively, as do you at Startpage. Another way is to obtain explicit consent from the consumer. That works, though I think we are coming to the end of the Notice and Consent Era. That is a failed policy model, as anyone clicking on Cookie Notices and Privacy Policies all day will tell you.

Startpage: As Director of Content and Tools at ChaCha Search, you’ve had the experience of working on a search engine. How has that influenced you in your use of search engines?

Jeff Jockisch: So, I do know a heck of a lot about searching and search engines. ChaCha was a search engine itself in the Question & Answer space, and we built a sophisticated database and information ecosystem on the back of about 4 billion searches.

To get to those 4 billion answers, to build that database, we had to start by sending questions to humans. Humans are expensive. We needed to make our human ‘Guides’ as efficient as possible by doing things like:

• Pre-categorizing the questions (we used both humans and machine learning for this)
• Sending the questions to ‘Guides’ who were category experts (when we didn’t have a match in the database or a pattern match to a feed)
• Providing category experts with tools like custom search engines that could quickly surface high-quality reference answers.

But for all of my knowledge, I think my day-to-day search use is probably a lot like everyone else. Perhaps I know more search operators, understand how those results are getting to me and why, comprehend how to manipulate those results, recognize how to find what I want far better than most people, perceive ahead of time what searches are going to fail… But when it comes down to it, we all have to start at the search bar.

Startpage: What motivated you to create Privacy Coffeehouse?

Jeff Jockisch: Privacy Coffeehouse sprang from a conversation I was having with my good friend Punit Bhatia. We were lamenting how it would be nice to put on an event, but everyone was getting webinar fatigue. We wanted to do something different, something that encouraged and empowered the privacy community. 

One problem with the webinar format is that the learning you receive is often formal or explicit knowledge. When you have looser interactions like the Privacy Coffeehouse, there is more opportunity for sharing tacit or implicit knowledge. That tacit knowledge sharing, where professionals can impart personal wisdom, experience, insight, and even intuition, is very powerful.

We came up with an event that was more like going to a bar or a Coffeehouse; people could wander around and converse. It turns out there are some tremendous new platforms such as Wonder.me that let you accomplish this. The growth in the event has been pretty astonishing.

It didn’t occur to me at the time, but I think Privacy Coffeehouse sort of runs a little bit on the gas that powers Clubhouse. It allows more democracy, more interaction. Of course, Clubhouse doesn’t empower everyone to speak as readily as the Privacy Coffeehouse does, and it has some documented privacy issues, but it has some similar interaction frameworks.

Startpage: How do you envision data privacy in the future? 1 year, 10 years, lifetime?

Jeff Jockisch: I like to think I can see the future… but I’m not too fond of hedgehogs. See Superforecasting by Philip Tetlock. 

Given that caveat, here’s what I think. Data privacy is here to stay as a new profession. It will grow for the next 10-15 years, probably exponentially. 

Where the profession of privacy ends up is uncertain. Does it stand alone and retain a seat at the table as a CPO? Does it ultimately roll up under Information Security or Legal? How does it interact with the new ESG movement?

I’ve just started working with Gabe Gumbs and K Royal on a project to define and expand the concept of Privacy Engineering. We think this has three key elements: Privacy, Security, & Ethics. If this ontology makes sense, and I think it does, would that imply Privacy, Security, & Ethics need champions and ‘seats at the table’ in an optimally functioning

organization?

I’m also involved with ForHumanity and its efforts to control the downside risks associated with A.I. I don’t think we can think about the future of privacy without considering where A.I. is going. Machine learning systems will process our personal data. Constantly.

Machine learning systems ingest data and shoot out results. It might generate marvelous insight. Or it might hide bias and obscure explainability. There are ways to mitigate bias, improve explainability, and make A.I. systems trustworthy, but they are unlikely to happen without regulation.

Startpage: Do you use any privacy tools? If so, what are your favorite privacy tools?

I use a lot of privacy tools, and yet it’s never enough. I should be using more. 

There’s a concept thrown around in the privacy world known as the ‘privacy paradox’: people SAY they value their privacy, but they don’t ACT as if they value it. Professor Daniel Solove has done a great job in dismantling that paradox. The fundamental problem is that we often place the burden, the responsibility of privacy, on the consumer, and that cost is high. If choosing privacy was easy, as Apple recently made it, virtually everyone would prefer it.

I should add this caveat on privacy to your audience: There are many effective steps we can take to hide from surveillance capitalism. It’s not rocket science, although marketers are getting better (and sometimes playing dirtier) every day. Protecting your privacy people intent on finding you: stalkers, enemies on the internet, especially law enforcement? This is an entirely different level of privacy and one that is hard, nearly impossible to obtain today. 

If you are trying to hide from more than adtech, check out Kevin Mitnick’s book ‘The Art of Invisibility’ to get a feel for how hard that is becoming. It’s a great introduction and is a little behind the latest tech.

• Search Engine: I do a lot of searching and use a lot of search engines. I checked my logs, and I average over 175 searches a day, not including video searches. Today, too much of that is Google. I’m now using Startpage for about 50% of my searches and virtually all of the searches that I might consider sensitive.
  As you know, default settings matter. This trips me up, too, as many of my searches are contextual right-click searches. In addition to changing the default search engine in your browser, there are generally more items you must edit to change your context menus, where that’s possible.
  Luckily for me, I search so much for research and clients; understanding what relates to my personal interests is hard for adtech to discern.
• Browser: I was a Firefox guy for a long time. Then I switched to Chrome for speed. I’m ready to dump Chrome, but I’m locked into the ecosystem somewhat, as two of my three primary machines are a Chromebook and a Chromebox.
  I’ll soon migrate to Brave or Opera because both have native support for decentralized DNS. Your users interested in privacy technology should check out developments in Web3 like Unstoppable Domains if they want to stay on the bleeding edge.
• Email: Truthfully, my Email use is all over the map. I still mostly use Gmail, which is a problem that I need to solve. But I have accounts with Microsoft, Yahoo, a few based on websites like PrivacyPlan. And I have private accounts with Startmail, Tutanota, and Protonmail. I need to get a grip and a plan! Security through obscurity and complexity isn’t working for me here!
• Messaging: I still do too much SMS, but I’ve moved about half of my texting to Signal. Signal may not be the perfect privacy-enhancing messaging app, but it’s the best mix of privacy and penetration at the moment—network effects matter.
• VPN: I’ve been a NordVPN user for years and I was excited to see veteran web security guru Troy Hunt join their team. Surfshark is also a good choice to maximize security.
  Don’t skimp on your VPN. Whatever VPN you use, do whatever you can to ensure that it doesn’t log user data or information. If it isn’t logged, it can’t be sold or shared.
• Password Manager: I’m a BitWarden user. For something this important, I think open source is an important distinction. BitWarden also has a completely usable free version. I love the fact that it includes an excellent password and PassPhrase generator.
  Everyone should be using long PassPhrases instead of short passwords. Size matters (at least in passwords). Longer is more important than adding a bunch of entropy with weird characters and numbers. Most people (and the majority of sites) don’t get that. If you do it right, passphrases are harder to crack by a longshot and easier to remember.

One additional tip I would give your users who want to be even more secure, for banking and perhaps also healthcare, don’t do these functions on the same computer where you surf. Create a separate machine, maybe even a Chromebook, as they are harder to infect at present and only do banking and healthcare on that machine, nothing else. You might even install a separate password manager just for those accounts.

Startpage: What Big Tech company knows you best?

Jeff Jockisch: They all know too much about me. Facebook not from my use of it but from my family-social graph. Amazon from my purchases. LinkedIn from my resume, my professional-social graph, and a heck of a lot of posts over the past year. Google because, well, they are who they are.

Startpage: Would you rather share your search history or replace your smartphone with a 90s Nokia for 1 week?

I would give up my phone for a week because that would be great for my mental health. I’m sure I would regret that decision for the first two days, but then the bliss would sink in.

My search history would be pretty revealing if you could figure out what was mine and what were simply the thousands of things I was researching for a job or a client or because it popped into my head. There is so much signal in my search history; the ad targeting can’t focus effectively.

This question does remind me though of how one little search or phone call can get you into trouble. When I was in high school on the debate team back in the 1980s, another guy on the team, let’s call him Bobby, researched Russian troop strength for an argument we were making. This was pre-internet, so it was all library work. But Bobby couldn’t find any good stats. So he called the Kremlin and asked around. The guy had a lot of drive and inventiveness. He may have ended up working for a government agency.

But what was scary to us at the time: a couple of days after his call, U.S. government agents showed up for a chat… Wanted to understand his phone calls during our Cold War.

People are listening now. They always have been. The tech is just different.