Ep.154 From Code to Contracts: Exploring Privacy in the Age of AI

In this podcast transcript, Jane Wu, an expert in the intersection of technology and policy, holds a conversation with Joe Toste about various aspects of data privacy, contracts, and technology trends. The discussion begins with Wu expressing her thoughts on the fluid nature of data privacy policies, stating that there is no standard set yet and everything is in constant motion.

Wu also discusses how they use AI in their everyday business operations, such as extracting transcripts from original content like interviews and asking the AI to generate show notes and surface highlights. They use this tool to gather relevant research and frame questions for their guests.

The conversation then shifts to the aspect of data privacy, a topic that Wu finds incredibly interesting and complex. She notes that it's essential to look for best practices for data privacy beyond one's jurisdiction, given the far-reaching impacts of certain laws and regulations. Wu mentions GDPR and California's CPA as examples of such regulations.

The discussion moves to the balance between privacy and innovation, a task Wu admits is complex. She argues that companies must not hinder innovation but must also be wary of potential liabilities. Wu suggests that companies must consider how a device can be misused and address those risks upfront.

The podcast then delves into the importance of contracts in technology and data privacy. Wu, being a contracts attorney, emphasizes that contracts play a significant role in tech and data privacy. She advises that it's important to understand the language in contracts and not dismiss any part as boilerplate.

Wu provides some advice for vendor partners, emphasizing the importance of doing what they say they will do, being fair about risk distribution, and clean drafting. She advises vendors to be clear and concise in their communication, and to shift away from old legalese into more understandable language.

Finally, for those interested in pursuing a career in technology and policy, Wu suggests getting a good foundation in technology and understanding how it impacts society. She also advises understanding current policy trends and finding the points where technology and policy intersect.

Overall, Wu's insights provide a comprehensive perspective on the intricate relationship between technology, policy, and data privacy, and the importance of contracts in this nexus.

Joe Toste [00:00:34]: Today we have Jane Wu, deputy director for data privacy and business operations at the city of Houston. Jane, welcome to the public sector show by tech tables.

Jane Wu [00:00:43]: Thank you. Thank you for having me.

Joe Toste [00:00:45]: I'm really excited. I still think you should have been wearing the Airpods. You would have been just looking super cool, but we figured out the audio nonetheless. But if you want to be a cool Silicon Valley public sector employee, those Airpods are definitely the go to.

Jane Wu [00:01:00]: I'll save the for next time.

Joe Toste [00:01:01]: Save it for next time. Okay, so I've never actually interviewed anyone on the data privacy side, so I think today's discussion is going to be pretty fantastic. But just curious, before we jump into all of that, what's like the 30,000 foot overview of what your role looks like and a little bit about your background.

Jane Wu [00:01:41]: Absolutely. So I took the long way to tech, started off in college as a computer science major, did a little detour, changed my major to biomedical science. And so after getting my bachelor's, I went to grad school, did a phd in genetics and biomedical science and thought, I really want to go back into technology. So looked at intellectual property, went to law school, focused on IP health law technology law and the started doing licensing for this day at e health in their IP and commercialization office. And then after that I thought I'd really like to be a little bit closer to my home, went to the city of Houston and was in their legal department as the IT attorney for a couple of years and decided I really wanted to see the business side of tech. So here I am in the IT department at the city of Houston. And so this role, I can describe it in maybe one or two words. It's data and protecting data.

Jane Wu [00:02:45]: So looking at processes, how we collect data, and also just safeguards for data, contractual controls, and watching the data privacy regulations in the industry and how they are constantly evolving in the legal landscape and the regulatory landscape, this is super fascinating.

Joe Toste [00:03:06]: Also, the fact that you've got more degrees than I ever wished to attain. I was never that deep into the school front, and I don't know how you found the time to do all that. It was very impressive. So you end up in the city of Houston. Love the, like, when you come to think about data and, like, go a little bit deeper, what inspired you to really pursue this career and maybe talk about the passion at the intersection between technology and privacy?

Jane Wu [00:03:36]: Yeah, so I love technology. Obviously, I took a detour all the way around. What I like about it is enhancing improvement. To be continuously looking for the next thing to benefit our lives, to streamline communications, to connect society. And the growing, constantly growing, evolving nature of tech is what draws me to tech. Now, privacy, on the other hand, when you look at the intersection between those two, when you advance in technology, especially now, this whole digital world, you've got a lot of data out there. And so you have to balance this benefits of tech in enhancing our lives with the risks and liabilities. And this is the lawyer side speaking, the risks and liabilities that come with.

Jane Wu [00:04:30]: Okay, as you're plunging forward, you also have to be mindful of, hey, here are some of the things that you need to look out for and to ensure that public interest is still in mind as you go forward.

Joe Toste [00:04:43]: Okay, so this is a fantastic segue I was thinking about this morning, and you just said it. So balance the risks and liabilities. How are you thinking about the risks and liabilities with generative AI? Right, yeah.

Jane Wu [00:04:58]: So if you're thinking about AI, artificial intelligence, Chat GPT comes to mind real quick. It's one of the things that I also am using in my day to day practice. But when you look at how they train and continuously train Chat GPT, as an example, I believe they stopped the training of the AI by open AI around 2021. And so anything one and now is being trained by interactions with users like you or me. And so when you think about these interactions now, every single interaction has an input or inputs that you're putting in, and that is being taught. It's teaching the AI, but not only is it teaching you're putting in data that potentially other users are pulling out in their outputs as well. And so thinking about how fast this AI can help you in doing your work, making your life more efficient, but what are you trading in, trading for that convenience? Are you putting in private information that now is potentially public? Are you putting in information that's confidential to your employer, to third parties that you have contracts with? And so all those concerns and liabilities and risks are there with every new technology that comes.

Joe Toste [00:06:26]: Yeah. Okay. So this is so fascinating around the privacy piece of what you put in. So the input that you're putting in, and I don't know. I don't even remotely will pretend to know I have an answer to this, but I don't know the stance or the security or the privacy policies that I think whether it's Bart or JGBT or some of the other ones out there, I don't know what their policies are, but I'm sure from what I'm just reading, on a day to day basis, everything's kind of fluid and in motion right now. I don't think there's, like, a standard that's necessarily been set yet. So that's a great point on the contracts. Yeah.

Joe Toste [00:07:05]: You put in private information and yikes, that's one. The inputs are fascinating. So we use it, and this is not related, really, I guess, to privacy, but we use it in the sense of, because you were mentioning, you use it on an everyday basis. We also use it on an everyday basis by taking original content, like this interview and extracting the transcript and asking it to write show notes to surface highlights, actually, for the intro call that me and you had. I said, hey, I don't know anything about data privacy. What questions should I ask Jane based on what she cares about? And just like, going, what research could you point me to? And then I love the disclaimer at the end. Right. Jane may or may not agree with any of this, but here are some.

Joe Toste [00:07:53]: And so, which I thought was so, but that's kind of how we take original content. But the privacy aspect is super fascinating. I'm just coming top of mind right now. Where are you going to look for best practices for this? Are there any research or podcasts or any other cities or states that you're like, hey, they're a couple of steps ahead, and we're looking to see how they're doing this?

Jane Wu [00:08:18]: Yeah. And that is a very complex but also common question. Right. Because this field is ever evolving. Where do we look? We definitely want to look outside of our jurisdiction. And so a lot of the times when people get into a body of law, they think, okay, I must look at my state's laws and all the federal laws that apply to this. And that's it, because everybody else is outside my jurisdiction. But with data privacy, what you see is even though there are regulations that really are meant for a certain geographic location, for example, GDPR is a big one.

Jane Wu [00:08:57]: California has a CPA. Even though technically they are limited to a certain geographic area or country or state, the impact of that law or regulation really is broadly reaching. GDPR is seeping into everything that we see here in the US, even the California laws. You see a lot of vendors saying, hey, California has these standards to protect the consumers. And so by not doing the same thing across all 50 states, we run the risk of looking negligent in the case of, let's say, a breach of information. So now you see a lot of vendors applying those laws and regulations across the board in their own practices. So outside jurisdiction reach. And so that's what we look at, is looking at the guidance of the forefront, the forerunners, I would say GDPR is a big one.

Jane Wu [00:09:56]: And seeing what the best practices are and looking at the impact and how people are treating data and processing data.

Joe Toste [00:10:06]: And I know this is going to be a tough one, but I'm curious, how do you think about organizations trying to strike a balance between privacy and innovation?

Jane Wu [00:10:17]: Yeah. And that is a complex task. Right. Because you don't want to slow innovation, especially for profit companies. You want to keep pushing. On the other hand, you don't want to get too far and find that you're risking your company for potential liabilities that you don't anticipate today. And so when you think of things like IoT Internet of things, a lot of companies push these devices out and likely in order to be the first on the market to be the first to provide this type of functionality. You can imagine potentially that the testing stage is not very balancing wise would be, hey, let's take a look at what this device is for, but what also can you use this device for that might be misused? And then looking at the risks and liabilities and addressing and ensuring that you've got a game plan in addressing those risks up front.

Jane Wu [00:11:20]: I think that would be, to me, the best practice, instead of letting something out there and then trying to pull it, you can't pull it back later.

Joe Toste [00:11:29]: Yeah. Once you put that out there, it is not coming back. No. Yeah, that's great. You nailed it. It's such a complex. Such a complex problem. And I don't even know how to, I mean, I guess I'm stoked that I don't really have to make a decision around that.

Joe Toste [00:11:47]: Other people much smarter than me get to go work on that problem. But yeah, between privacy and innovation and even security today, with everything you said IoT, which is great, and with everything being digital, even for wallets and everything, I mean, kind of a great example of this is at any one moment, I think with Chase the other day, or it was last month, June 1, something like that, and they had an error in the code and it just started like multiplying zelle numbers that you had sent. And so I woke up, my bank account was emptied, and I was like, that's cool. I clearly didn't spend all that money. That's awesome. And then my first thing is, I'm like, oh, is it ransomware? Is there a hack? Did something there happen? No, just the algorithm decided to go do something, right, which brings up very interesting questions around what do you put on the Internet? What should you put into, what are you feeding? Like we talked about earlier. And so, yeah, I think it provides a bunch of interesting questions and more and more, we're going to have a lot of interviews coming out where a lot of folks are tackling these very questions in different states, within different agencies. And the use cases are, I think, unlimited.

Joe Toste [00:13:01]: I don't know if that's, like, hyperbole, but I think there's just unlimited use cases with what this looks like across both private and public sector. But your background with technology and lawyer seems to be the perfect blend. Is that like an overstatement or. I don't know anyone else who has that background.

Jane Wu [00:13:19]: I mean, I see it as putting the two passions of my life together into one job, right? And so I'm a contract and an IT attorney at heart, but when I see things, I often see in liabilities and risks, and it's helpful at times with best practices, people can, entities can look at things as they develop. Design privacy by design. So when you first start something, already start thinking about how to design something up front that incorporates those privacy concerns, being transparent with the users on how you're going to collect their data, how you're going to use their data, and who are you going to give that data to, having those contractual standards control. So anytime you have a vendor or a collaborator or whatnot, to ensure that they also understand how seriously you take data privacy and confidentiality, and then they float that down to their subcontractors and then holding them accountable for contractual obligations, thinking about strong security on the cybersecurity side, whether it be fiscal, administrative, technical control, having all that. And at the end of the day, I think it's about education and awareness, because your weakest link is going to be the user, and if they are not aware of the risks and liabilities, it just takes one person to punch into chat TPT Social Security numbers of all your employees, and suddenly it's out there. So I think at the end of the day, it's a collaborative effort in having that awareness constantly put out there and to educate.

Joe Toste [00:15:03]: You can think about putting my Social Security number or someone else putting it into chat. GPT Jane, now I'm terrified. Now I'm like, you got me a little scared. So we talked about kind of generative AI, but curious, what are some of the other biggest trends in technology and policy right now that you're currently watching?

Jane Wu [00:15:22]: So AI was one of them. And then I'm also dabbling a little bit into the whole blockchain smart contracts idea, things like IoT and just how much exponentially that these devices have grown. Everybody has them in their homes, several hundreds potentially in your home. And then looking at just the policy evolution. For example, taking California. California had different iterations of their privacy laws. GDPR keeps coming up with more guidances. And so I tried to print GDPR out one day, and that thing was a good thick couple of inches.

Joe Toste [00:16:08]: Did you kill a couple of trees in the harming of this document?

Jane Wu [00:16:12]: I likely did. I even tried to do double sided printing, some leisure reading over the weekend.

Joe Toste [00:16:19]: Leisure reading.

Jane Wu [00:16:20]: So it's just one of those. It doesn't end right. It's constantly evolving, so you constantly have to keep looking at what are the changes, how does it impact society and what are the risks, or people that are identifying by use of these.

Joe Toste [00:16:37]: So that is fantastic. So what advice would you give to someone? Let's just take the future information technology professionals out of the University of Houston only because they showed up to the live event I threw in Houston. If you were talking to a senior there, what advice would you give to one of those kids who are interested in pursuing a career in technology and policy?

Jane Wu [00:17:01]: I would say, first, get a good foundation, right? You need to understand the tech. And not just, oh, I love to use tech, I love to buy the US python, but really understand how things work, dissect the technology and understand how things communicate, where does the data flow, all that stuff. And then also on the policy side, understand what are the current trends that you see in policy making, and then find out the relationship, where do they intersect? Where did they overlap? And then after that, it's, hey, now you look at, okay, you have the tech, you have the background. How does this impact society? Because at the end of the day, you need to align your technology and innovation with the good of society. You have to make sure that any liabilities and risks are reduced in your practices and your stakeholders understand the privacy realm and how to responsibly use data and technology.

Joe Toste [00:18:10]: That is really great. Okay, so if you're a future information technology professional listening to this podcast out at the University of Houston, or again, we actually have other college, other college kids. That was actually fantastic advice. And I love the question of how does this impact society, preferably for the good and the better and the betterment of society, which I think is a great question to start. And then from there I think it's because you're looking at what the problem is. And if for the problem, you can design a solution, whether that's in the marketplace or in the private sector. That was fantastic. Are there any other questions that I should ask you? But I don't know to ask other questions that, like, if I was in the data privacy world, that I should.

Jane Wu [00:18:54]: Be asking you, so how would you handle, there's a whole nother sector or subject matter on how do you handle contracts? Because I'm a contracts attorney. How do you reduce those risks? What should you be putting in your contract? It might get a little dry as I drone on about contracts. Do enjoy a nice, clean and well written contract. It's like I'm listening to a good opera, but thinking about everyday transactions. Because this is not just it, this is business world. In the business world, you're always going to have intellectual property impacts. You're going to have some type of software, application, hardware, something in your transactions. And you need to think about, it's not just buying a software, it's not buying some professional services, it's not buying hardware.

Jane Wu [00:19:47]: You're also buying intellectual property rights, whether it be licensing, you're buying potential risk of your end users using it incorrectly, and it's outside your licensing structure. And so when you're looking at contracts, you got to think about these things as well as what kind of representations and warranties you're putting into your contracts. So I see a lot of folks in their contracts saying, hey, the other party, you shall abide by these rules and you shall have absolutely no breaches and no, you should be absolutely perfect in your security. And at the end of the day, I'm now talking for the other side. But at the end of the day, we know that it's not going to be 100%. Security is not going to be 100%. There's always bad actors are looking for the newer thing on how to take what's not theirs or to breach a system. And so in contracting language, if you were to go that route in the legal side, it's crafting language that shows you have good faith that you are still endeavoring to do all these things, but don't put you in hot water.

Jane Wu [00:21:00]: So potentially saying things like striving to x, y and z with industry standard instead of, yeah, I promise 100%, I will never ever have any breaches or any unauthorized says blah, blah, blah. So it's looking at how you craft language and contracts and what is realistic and what is fair. And sometimes though, we have vendors come over here and try to balance the risk, meaning they want us to take the risk. But in those situations, you're looking at which party has the most control over the situation and who is more apt to take on the risk in that transaction. So it's a lot, it could be a lot for another day. But I would say when you're looking at tech and data privacy, contracts and transactions play a big part of it. Especially I can't imagine anyone doing some work alone. There's going to be some collaboration of some sort, some business deal.

Jane Wu [00:22:01]: And so thinking through about your contract language and really reading through instead of dismissing it as, oh, this looks boilerplate, really understanding the language in there.

Joe Toste [00:22:13]: Okay, so this is really good. That was not dry at all, because a couple of things come to mind. I'm thinking you mentioned a couple, but one thing topped my mind was the kind of top three pieces of advice that you would give to vendor partners, just in a general sense of like you said, reading a good contract is like listening to sitting to a good opera. So, yeah, I think I'd love to hear what you would maybe see as like the top three pieces of advice that you would give to vendor partners so that you can enjoy a good opera on the contract side.

Jane Wu [00:22:49]: Yeah. So one is do what you say and say what you're going to do. And so when you represent to me of all these security functions and obligations and say that you will do it, don't wait for an audit to have me find out. So in good faith, right, we should all, as technologists in good faith, we should want to protect data, we should want to use technology for the good of society. We wouldn't want anything to be misused. So that would be number one. Number two is now, I'm a little biased coming from the government side, but hey, let's be fair, because in a situation where we're engaging in a vendor, most likely they're the ones doing the work and we are trusting them to do that work and we are paying them to do that work. So you got to shuffle the risk according to what makes sense.

Jane Wu [00:23:48]: And so we have folks that try to fight us and say, hey, we should take pressure risks. For me, it's, hey, you're doing the work, you should take the risks because you have more control. So that would be my advice is let's be fair about this and let's work in good faith together. Three, let's see. Third, advice for vendors doing clean drafting. Clean drafting. This is more of a technical drafting advice. Communication is be clear and be concise.

Jane Wu [00:24:18]: And we're starting to see in the legal field, getting away from that old legalese into a more lay language, which I like. Because I tell you, I have to admit, when I ever see the word aforementioned in the contract, it drives me nuts, because there's just better ways to say things without bringing up old English into your document. Sango.

Joe Toste [00:24:45]: Okay, so this is really great. So I'm going to go down these three real quick. So do what you say, what you do, almost verbatim. This is a piece of advice that Rick Blanco, who's the CIO for Texas health and human services, sat at our live event at the Commodore last year as a piece of advice, both just internally of, hey, how do I grow my career? And you could take it externally if you were a vendor. But I think the more that you live by your word, the easier transactions become because people just trust you. And I get that there are contracts. My gut feeling is if you have the contract as a standard setting of expectations, but I would never sign a contract. You probably would never want the city to sign a contract if you couldn't actually shake the hand and know that they still would execute on what they say they're going to.

Joe Toste [00:25:43]: Right? So, yeah. And then number two, let's be fair. Yep, that's a great one. I think looking at who's taking the ownership piece, which is really an incentive piece, and there's a great. Do you ever heard of the author Naseem Talib? Does that name ring a bell to you at all? He wrote a couple of books. One of them was called the Black Swan back in the day. But he wrote one that's really good called skin in the game. And it's called skin in the game.

Joe Toste [00:26:13]: Hidden asymmetries in daily life. And I think you can get a lot of understanding of how people will respond based on partially incentives and how the kind of structure of that set up. So the vendor is taking 100% ownership, and they're trying to put some of that on the city. Again, that would make no sense. Right? And then number three, clean drafting. I love this aforementioned. So if you're a vendor, I mean, I'm like, man, this is like a pro tip right? Now. If you're like, hey, we want to do business with the city of Houston, you better be listening to this podcast episode, or Jane is going to crush you.

Joe Toste [00:26:50]: I say that in all lovingness. So something, and I don't know what this looks like, but at some point, this would be fantastic for you to give. This would be fun if you did, even did this at a live event, but it would be great for you to give, like, a presentation. Master class. You give this, like, 30,000 foot overview level, because I think that's a big one in the public sector. As far as, like, procurement, I think innovating procurement, I've heard a lot of from CIOs. And so here's a quick innovation. Remove the word aforementioned from your contract and make it easier to.

Joe Toste [00:27:24]: Right.

Jane Wu [00:27:24]: Yeah.

Joe Toste [00:27:25]: So, okay. This is fantastic. Jane, you're right. Now you have my wheel spinning in my head on this conversation. I think we could go a lot deeper. I would love to hear a master class from you. Whether you do it virtually or if you do it in person, I think there's a ton of value, but if you do it, make sure it gets recorded. That way you don't have to do it again.

Jane Wu [00:27:46]: You could call day about contracts and procurement.

Joe Toste [00:27:49]: Okay, this is super fascinating because we're going to have to get you for a good 90 minutes, two hour session. I think this could be really beneficial, but we don't have that time today. But in the future, we definitely want to have Jane come back on. Thank you for coming on the podcast. I love how we started with the generative AI piece and then moved to the contract side. Super versatile. Thank you for coming on the show and looking forward to releasing this episode.

Jane Wu [00:28:20]: Absolutely happy to be here, and thank you so much.