Liina Kamm:
I spent my fellowship at Stanford University studying the US experience of adopting privacy enhancing technologies in private and public sector systems, including AI systems. I am a senior researcher at Cybernetica, an Estonian deep-tech company, and my research is focussed on privacy enhancing technologies (PETs), and machine learning (ML) and artificial intelligence (AI) both for ensuring privacy and using PETs to ensure privacy of ML models and AI systems.
Many of the more complex PETs have existed in theory for several decades. It has been possible to use them in practice for a shorter time, but this period has also lasted for tens of years. Unfortunately, in practice, organisations tend to use only the simplest, most error prone PETs (i.e., pseudonymisation and anonymisation), that often provide only the semblance of privacy. Naturally, there is a place for these technologies as well but, for more complex applications and very sensitive information, there are so many better choices. I want to find out what are the barriers to the adoption of technologies that offer better protection to personal and business data and how to accelerate the adoption of these technologies.
In 2023, our privacy research group in Cybernetica put together a concept and roadmap for the adoption of PETs in the public sector in Estonia at the request of the Ministry of Economic Affairs and Communications. For this we interviewed 18 government organisations to understand which technologies are already in use, and what are the issues and requirements that cannot be addressed by currently existing technologies. Estonia is digitally quite advanced, but even we do not employ PETs to the extent of their potential. The experience of Estonian government organisations can be extended to Europe with some modifications as all the EU countries need to adhere to the General Data Protection Regulation (GDPR).
However, this is not the case with the USA that has varied state legislation about data protection and where data may get treated more like property for which the ownership is defined totally differently from Europe. I went to Stanford University to find out, through a series of interviews and personal testimonials, how the Americans view PETs and why, even without a federal data privacy legislation, several of the government agencies and larger corporations have deployed complex PETs like secure multi-party computation, differential privacy and federated learning with homomorphic encryption.
California is on the one hand a good starting place to study PETs as it has the California Consumer Privacy Act, which in some regards is similar to the GDPR, but is still different. On the other hand, California does not give a view of the notions in states without any kind of data privacy act. While at Stanford, I met with several people from government agencies and from large corporations. I talked with the local cryptography research group to understand why and how they have deployed PETs in their research and for real world studies. In this regard Stanford is a great place for research as it is one of the top universities, and hence gets a lot of requests for solving complex real-world problems. The list of products and technologies launched through such collaborations is impressive.
While there I also attended several different events and guest lectures. It is a wonderful place for holding one- or two-day conferences and inviting top tier researchers and industry leaders to talk either in keynotes, panels or fireside chats as they often do not have far to travel and are able to attend in person. It probably helps that several of them are alumni of Stanford as well. There were always current topics being discussed in guest lectures, and even though some of these were not in my field, they were really thought-provoking.
The time I spent at Stanford was really intense. I was hoping to do more reading and write more articles on my work, but I ended up communicating and investigating more than I expected. I did manage to submit two papers and one of the interviews culminated in a proposal for (and acceptance of) a Dagstuhl seminar on the practical use of PETs for social benefit. I also hope to further collaborate with other interviewees in the future. At the end of my fellowship, I also got the opportunity to present my work to a US federal cross-agency task force on privacy.
I got a warm reception from Liisi Esse, the curator for Estonian and Baltic studies at Stanford Libraries and from Andrew Grotto from the program on Geopolitics, Technology and Governance. I could use an office in the Stanford Library. I know this is weird, but I have always had a dream of working at a library surrounded by bookshelves, and having an office behind the library stacks was magical. I did work in the many reading rooms in the library as well as Stanford Library has several different and increasingly cosy reading rooms.
I also managed to meet other Estonian fellows, students and people working in different companies while I was at Stanford. It was great to find out what others are working on and discuss our research directions. I think these connections will also last long after I return to Estonia. We travelled together to different parts of California. The nature and variety of California is amazing and I would encourage all future fellows to find a way to look around. I also went to San Francisco by Caltrain on several weekends and walked around the city for hours, and each time the city had so much new to offer. Even Stanford and the surrounding areas had very diverse and cool sights to discover.
I am grateful for the possibility to do my research at Stanford. I would be happy to go back and I wholeheartedly recommend the experience to all researchers whose fields of study align with the fellowship topics.