I’m Felix Bauer and I’m joined by Sebastian Eide here today. We met at the University of Cambridge, became great friends and co-founded Aircloak a few years ago – a technology startup that offers strong, automatic anonymization of database outputs. We help make sensitive data useful for society and economy without the negative privacy impact.

Privacy is one of the main challenges in our data driven world and the development of strong privacy technology is paramount in tackling the issue. That’s why I love writing and talking about it. Our field is exciting and important as heck and we’d love to share some of that excitement with you!

Proof

Ask us anything!

/EDIT: Gotta run – we will come back and answer questions though, so please keep on coming! Bunch of interesting ones open still as well. Thank you for the cool discussion!

Comments: 107 • Responses: 36  • Date: 

gwiggle541 karma

GDPR is one year old now, and has changed everything – or has it?

It's not often we see clickbait titles in an AMA.

I guess my question is, uh...has it?

felix-from-aircloak19 karma

Hah, sorry about that...

Obviously no. As I wrote somewhere above, it did serve the important purpose of putting privacy back on the priority list for everyone. Gartner proclaimed privacy to be one of the top 10 strategic topics for 2019. This is, I think, a win for everyone.

But those that didn't care before – I would say they still largely don't care.

John_Dinner23 karma

Is this an advert?

felix-from-aircloak22 karma

Nope. I doubt many of our customers are on Reddit anyway. I genuinely think it's an important and interesting topic to talk about.

webdoodle13 karma

Have you received any funding from any government, military or intelligence organization?

felix-from-aircloak23 karma

Yes, we have received funding from EXIST Research Transfer, which is coming from a European fund. This fund is "no strings attached", i.e. they didn't have any impact on our direction.

Is this something that worries you?

webdoodle19 karma

Anyone who is a gatekeeper to our privacy should have to disclose any potential conflicts of interest. I.e. follow the money.

felix-from-aircloak26 karma

Disclosing potential conflicts of interest is always a good idea...

In your opinion, should all privacy & security companies be crowdfunded?

How about large customers? If you follow the money, you might find companies be dependent on a few large contracts more than others. How much disclosure is needed?

I believe the way to do this is set your tech up in such a transparent way that no trust is needed.

ericgonzalez3 karma

While I agree with you in that setting up a no trust needed environment is great, I’d also suggest your larger client targets will never be ok with a simple declaration as such without compliance audits to back that up (both in the EU and US, in my experience). Feel free to PM if you’d like to talk about it.

Source: I’m in tech sales and have to deal with GDPR all the time.

felix-from-aircloak2 karma

Yes, of course we have compliance audits with clients. Public funding has never been an issue though. If anything, maybe a reason to trust us more.

SuperPronReddit8 karma

In the world of the internet, privacy is king, and companies like yours are the gatekeepers.

And the vast majority of those gatekeepers are failing miserably at protecting privacy. Not so surprising that people want to know where the funds come from, since we all know how strong arm governments have become.

felix-from-aircloak9 karma

Yeah, I understand the worries. What we try to do is keep everything as transparent as possible. We publish how our tech works, and we run the world's only bug bounty program for anonymization.

Our idea from the very beginning was that you shouldn't have to trust us. Our first product included a strong crypto proof, but it was incredibly difficult to build and sell, so now the process is a little bit more manual.

MeuPeuW8 karma

Hi, How do you manage consent to profiling? Even if you're a data processor, what are your advice to your client on this specific question?

Is your anonymization sufficient enough as to avoid being reliant on consent from end user? Or do you rely on any other legal basis?

Thank you for your answer

felix-from-aircloak5 karma

If you collect personal data (and process in general), you need a good reason for doing so. In practice, they mostly are performance of a contract, legitimate interest and ideally (informed, free) consent. Anonymizing data is a great way of freeing up those collected data for other use cases – but you need a good reason to collect them in the first place. We can't and don't want to free our customers from that burden.

Unfortunately, I don't have a go-to suggestion / solution for consent management, but there are lots of companies out there that help you with this. If I were you, I would use a robust technical solution!

thePopefromTV8 karma

Is it stupid to put a piece of tape over your webcam? Or is it stupid to not put a piece of tape over your webcam?

felix-from-aircloak12 karma

Totally stupid. Because you can use one of those guys instead.

Honestly, before we had them, I thought blocking your webcam was the most ridiculous thing. I've changed my mind significantly. It's weird, but it gives me peace of mind to know that nobody can watch me through there, even if I totally know my life is mostly boring as heck and it would be a pretty pointless thing to do.

The more you work in this field, the crazier examples of blatant privacy violations you see. We're kind of working towards a world where you don't have to add a sticker to your computer. I like this design by Huawei, for example (yes, I know, it's ironic).

Having said all that, the highest likelihood for someone watching me without my knowledge would be in case I forget to switch off one of the many video chat solutions we use...

TaviRider7 karma

Do you have a cover for your microphones though?

felix-from-aircloak10 karma

Nope. And they definitely hear more than my camera sees :|

F0sh1 karma

Is your computer uploading or writing to disk enough data to be using the webcam without you explicitly turning it on? Is it physically possible for the webcam in your computer to be used without the LED activating?

felix-from-aircloak4 karma

With mine specifically, I don't know – but in general, the "hardware interlock" that should prevent this could be circumvented in the past.

TaviRider5 karma

How does Aircloak define privacy?

felix-from-aircloak0 karma

We're optimists, not megalomaniacs. It's not our place to define privacy.

A good place to look, however, is the European Convention on Human Rights:

ARTICLE 8

Right to respect for private and family life

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

KingGax3 karma

I don't know much about GDPR, so I've always wondered has it actually done much other than forcing companies to pretend they care by making me click accept on annoying pop-ups to allow them to track the exact same data as before?

felix-from-aircloak2 karma

Good question! Check my answer above.

Talking about pop-ups: this stuff will change with the ePrivacy regulation)... if it ever comes!

inYOUReye3 karma

With the advent of GDPR came a huge wave of "ambulance chasers", companies and individuals who saw an immediate demand for a particular set of consultancy but whom neither have a solid legal background or qualification to their name. It's a huge grey area, but how can a small company know the advice it's paying for is reliable enough to hold up without spending £/$50,000+? Are there any qualifications or background accreditation we can look for before committing to further expense to ensure we remain compliant and third party accredited?

felix-from-aircloak4 karma

Phew, tough one.

First of all, GDPR isn't a complicated law. You don't need a law degree to read and understand it, and there is plenty of documentation and tips online.

Secondly, IAPP certifications are a good place to start. They are not super difficult to get, but if someone has them, you can assume they have some idea.

Lastly, if you're in Europe, do make use of your local privacy authority! They are not only there to fine you, but also to consult you!

eldestsauce3 karma

How didn't anyone notice that King Théoden became a 150 year old invalid overnight?

felix-from-aircloak5 karma

Maybe they didn't have access to his Facebook profile? This wouldn't have happened if predictive policing was allowed!

525760783 karma

So, has anyone been fined since GDPR was introduced? Has it really helped the public?

MeuPeuW5 karma

Google has been fined by French supervisor authority in January. I bet some other will follow

felix-from-aircloak4 karma

Correct, this was the biggest one! Thanks CNIL :)

In total, €56M of fines have been handed out, but the biggest part of this is to Google.

It did help the public beyond that, though – because companies have to actively look for solutions and privacy by design in their products now!

twigpigpog3 karma

Companies are clearly more concerned about privacy since GDPR was put in place but there's obviously a lot of new rules/regulations that AirCloak must adhere to.

Would you say GDPR has been a blessing or a curse to you and AirCloak, professionally speaking? Would AirCloak still be in demand (or have even been created at all) if GDPR didn't come about?

felix-from-aircloak9 karma

Let's start this one from the end: when we came up with the idea for Aircloak, we didn't even know about GDPR. It was born more out of the idea that logically, mathematically there must be reliable ways to analyze data without profiling.

As much as I hate to admit it, GDPR has of course been a very positive development for us, since it introduced draconic fines for companies that don't adhere to it. Having said that, I think it's a super important development - it put privacy on the map pretty much everywhere and made a political statement that treating our data right is more than a nice to have.

Why do I hate to admit it? Because we want to enable new work with data, not 'just' be a solution for regulation... Thankfully some customers are truly leveraging the possibilities strong anonymization can give them.

Matt468453 karma

Draconic fines? Are you implying you don't agree with the fine? What would be a better way to enforce GDPR, if so?

felix-from-aircloak1 karma

Sorry, I'm not a native speaker – maybe draconic has a more negative ring to it than intended. They are strict, but sadly this seems to have been the right way to go.

ThurmanatorOmega2 karma

what is your opinions on the new pokemon direct?

felix-from-aircloak2 karma

I'm ashamed to admit I haven't played Pokemon since Red / Blue... More of a PlayStation guy these days.

ZentraliTee2 karma

What are your precautions to prevent becoming evil?

felix-from-aircloak1 karma

We surround ourselves with brutally honest team members and people with a conscience. Even our investors are good guys & gals!

I personally took the decision to never lie again at last New Years. Like, not even in small things. I haven't always managed, but most of the time it's working.

Crucially, we try to set things up in a way so that becoming evil wouldn't help us much.

the_bananalord2 karma

How are small companies with a handful of customers (like, less than 10) in the EU supposed to be able to comply with something so overbearingly large and vague?

felix-from-aircloak1 karma

One can argue that regulators don't usually pursue small companies yet. The clear issue with this is that in the end it's up to the regulator to decide – if they dig deep enough and they want to hurt you, they will most likely find breaches in nearly every organization. I'm worried about this too.

Having said that, in practice I would recommend you to inform yourself well, do your best and document your decision making process. If shit happens, then you can point to this and show you did what you could. Note that I'm not a lawyer and this is not legal advice – just some notes from the frontlines.

the_bananalord1 karma

Great answer. Thank you.

Follow-up question if you have a minute: where are small businesses supposed to find resources to work towards compliance when they don't have their own legal department to consult?

felix-from-aircloak1 karma

As mentioned elsewhere, privacy authorities are actually supposed to consult you, so that's a possibility. They are however currently overrun, so much so that some of them have stopped consulting altogether. Online representations help – I've found quite a lot on the UK information commissioner's office site, for example.

Work groups are great, too. As a German IT firm, we're part of Bitkom's privacy work group. Lots of great contacts and advice in there.

CalvinsStuffedTiger2 karma

How do we get normies to care about privacy? If the only people that take action are enthusiasts, criminals, journalists, dissidents, etc then the anonymity set is dangerously small

felix-from-aircloak2 karma

The whole point is that they shouldn't have to care. Just as much as I don't know anything about dangerous substances in my food or my clothes, because I can trust the government to take care of this for me (I hope!).

The way we try to tackle this is by providing a product that is easy to use and gives benefits to our customers, so that they use anonymization and do something for normie protection as a side effect.

himan8fd1 karma

Do you believe that quantum computing is the end of encryption?

seanprefect3 karma

I believe the answer is no

Crypto guy here, this is mostly correct. However there are many complications.

There are two types of crypto broadly speaking symmetric and asymmetric. The first the encryption and decryption keys are the same and in the latter they're different.

Quantum computing is the end of a style of asymmetric encryption called Diffie-Hellman which relies on the fact that you can't (as of yet) easily factor the product to two large prime numbers. However there exists a different type called elliptic curve that it doesn't affect

that said, everything that WAS encrypted by DH will be reversible and several governments have been intercepting data for years so that they may do that when the tech is read.

felix-from-aircloak1 karma

Good stuff, I just learned something new. Why is elliptic curve encryption not affected?

felix-from-aircloak2 karma

I know much less about this than I should, but I believe the answer is no. I'll ask Sebastian to answer.

EvilButterfly961 karma

What has the business environment been like for GDRP? How hostile/cooperative have companies/governments been and how does this cooperation/hostility manifest?

felix-from-aircloak1 karma

The only hostility I experienced was in conversation with young fintech organizations, who didn't want to hear that they might have a problem (plausible deniability). Otherwise, conversations have always been very professional.

memelukkikala1 karma

What seems to be the biggest challenge in GDPR compliance?

felix-from-aircloak1 karma

I think the biggest challenge is even understanding in which cases you're compliant and in which you aren't...

LeftHandedIsRight1 karma

How do you feel GDPR and other regulations vary around the world? What do you think is most restrictive? Do you feel GDPR is focused more for consumer protection, business to business, ir both? The reason I ask, California’s new law seems to be heavily weighted for consumers.

felix-from-aircloak2 karma

CCPA is taking GDPR as a benchmark, as are many other new regulations world wide. This is not by accident: Europe (specifically Germany after 1945) has always been quite strong on the privacy regulation front.

I don't know enough about international privacy laws to rate them in terms of restrictiveness, but as a whole, GDPR certainly counts as one of the strictest ones. If you comply here, you're probably fine in many places around the world.

GDPR is definitely aimed at consumer protection!

Dad3651 karma

Besides this being a free ad for your company. What do u expect to get out of this ?

felix-from-aircloak2 karma

Cool conversations :) Maybe more people that look into the topic and solutions!

xlikem1 karma

How do you see advertising companies changing? Especially performance marketing / affiliate marketing was struggling with the new GDPR. Basically third party cookies, fingerprint and HTML 5 storage is not allowed to be used anymore to collect anonymous data and link it to a number generated internet user etc. also Retargeting needs to get your approval nowadays.

My question is, how do you expect those online advertising companies changing as this is mainly the biggest revenue income for websites and services?

felix-from-aircloak3 karma

It's tricky, and I guess that's the main reason why we're still waiting for a new ePrivacy Regulation).

Personally, I'm hoping for

  • more contextual advertising that can run entirely without user profiles.
  • more appreciation of the value of content and an internet where users pay for great content with money instead of their data. (Side note: if you can choose between paying with data or with money, then privacy becomes a luxury, which is a horrible idea!)

chaeyoungssi1 karma

Just curious, how did you manage to get funds for your business? Did you do any form of business planning to attract investors? How did you manage finances at the start?

felix-from-aircloak2 karma

We're all just curious after all...

We initially got funding by a government grant, then some prize money (Cisco IoT Security Grand Challenge), and eventually VC money. Yes, you have to come up with some kind of business plan I'm afraid. Everyone knows you'll never stick to that plan – but they still want to see that you thought it through once.

Apart from that: be authentic, open, and have a good story!

diogenes_sadecv1 karma

ELI5, what is Aircloak?

diogenes_sadecv3 karma

was hoping for an answer, but i did the research and I'll answer myself. It's Cambridge Analytica except you don't look at personal information.

Two follow-up questions. What does patented Aircloak technology do that a consultant or the potential client can't?

Would your technology be useful for a software company that does targeted advertising or is that impossible to anonymize?

felix-from-aircloak2 karma

I don't know what "Cambridge Analytica except you don't look at personal information" means. I sort of hope we're not that...?

Our tech works a lot quicker and more flexible than a consultant or potential client (usually) can. That means: if you just have one data set to anonymize once, to create a report or something, then you're probably better off doing it yourself (it'll not be as safe, but cheaper and easier). If you plan to do many things with anonymous data in the future, it might make sense to talk to us.

Single data points are, by definition, impossible to anonymize. Fun fact though: We started out trying to make targeted advertising completely privacy aware, so that no third party would ever get information about users. This is possible, but back then (2012), there was basically no demand at all and so we never followed through with this. Paul Francis, one of our co-founders, had worked a lot on this idea back then.

diogenes_sadecv2 karma

That may have been an unfair statement.

Had you existed at the time and had FB cared to act ethically, you would have been the people Facebook called to anonymize their data before it was collected by CA. Is that more accurate?

felix-from-aircloak1 karma

I like that one ;)

felix-from-aircloak2 karma

Aircloak sells software. Our customers install that software where they also have their big computers running. When they want to learn something about the people data on their computers, but without learning something about single people, then they can use Aircloak to look at the data. Aircloak is like a pair of glasses that then only lets you see the big picture, but not individual data sets.

britboy43211 karma

If I run a call centre, a customer calls, and on the operaters screen the customers address appears when they call up the customers details even if the customers query doesnt require that data to be available to the operator, has that company just broken gdpr?

felix-from-aircloak1 karma

Phew, too many variables to say. It might well be that the company hasn't technically broken GDPR (they might have consent from the customer, for example), but if there's truly no benefit in knowing the address I'd say they did ignore the principle of data minimization. They should change their process.

mweb321 karma

What is Aircloaks mission statement and ultimate long term goal?

felix-from-aircloak1 karma

Aircloak will be the global brand for state-of-the-art privacy technology and the safest, easiest and best way to deal with personal data.

Dohgdan1 karma

Have you looked into turning your start up into a worker coop? They have some great benefits.

felix-from-aircloak2 karma

We haven't... I'm not sure which problem that would solve at this point.