The Shifting Privacy Left Podcast
Shifting Privacy Left features lively discussions on the need for organizations to embed privacy by design into the UX/UI, architecture, engineering / DevOps and the overall product development processes BEFORE code or products are ever shipped. Each Tuesday, we publish a new episode that features interviews with privacy engineers, technologists, researchers, ethicists, innovators, market makers, and industry thought leaders. We dive deeply into this subject and unpack the exciting elements of emerging technologies and tech stacks that are driving privacy innovation; strategies and tactics that win trust; privacy pitfalls to avoid; privacy tech issues ripped from the headlines; and other juicy topics of interest.
The Shifting Privacy Left Podcast
S2E37: "Embedding Privacy Engineering into Real Estate" with Yusra Ahmad and Luke Beckley (The RED Foundation)
My guests this week are Yusra Ahmad, CEO of Acuity Data, and Luke Beckley, Data Protection Officer and Privacy Governance Manager at Correla, who work with The RED (Real Estate Data) Foundation, a sector-wide alliance that enables the real estate sector to benefit from an increased use of data, while voiding some of the risks that this presents, and better serving society.
We discuss the current drivers for change within the real estate industry and the complexities of the real estate industry utilizing incredible amounts of data. You’ll learn the types of data protection, privacy, and ethical challenges The RED Foundation seeks to solve, especially now with the advent of new technologies. Yusra and Luke discuss some ethical questions the real estate sector as it considers leveraging new technology. Yusra and Luke come to the conversation from the knowledgeable perspective as The RED Foundation’s Chair of the Data Ethics Steering Group and Chair of the Engagement and Awareness Group, respectively.
Topics Covered:
- Introducing Luke Beckley (DPO, Privacy & Governance Manager at Correla) and Yusra Ahmed (CEO of Acuity Data); who are here to talk about their data ethics work at The RED Foundation
- How the scope, sophistication, & connectivity of data is increasing exponentially in the real estate industry
- Why ESG, workplace experience, & smart city development are drivers of data collection; and the need for data ethics reform within the real estate industry
- Discussion of types of personal data these real estate companies collect & use across stakeholders: owners, operators, occupiers, employees, residents, etc.
- Current approaches that retailers take to protect location data, when collected; and why it's important to simplify language, increase transparency, & make consumers aware of tracking in in-store WIFi privacy notices
- Overview of The RED Foundation & mission: to ensure the real estate sector benefits from an increased use of data, avoids some of the risks that this presents, and is better placed to serve society
- Some ethical questions with which the real estate sector needs to still align, along with examples
- Why there’s a need to educate the real estate industry on privacy-enhancing tech
- The need for privacy engineers and PETs in real estate; and why this will build trust with the different stakeholders
- Guidance for privacy engineers who want to work in the real estate sector.
- Ways to collaborate with The RED Foundation to standardize data ethics practices across the real estate industry
- Why there's great opportunity to embed privacy into real estate; and why its current challenges are really obstacles, rather than blockers.
Resources Mentioned:
- Check out The RED Foundation
Guest Info:
- Follow Yusra on LinkedIn
- Follow Luke on LinkedIn
Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.
Shifting Privacy Left Media
Where privacy engineers gather, share, & learn
Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.
Copyright © 2022 - 2024 Principled LLC. All rights reserved.
Are we using biometrics? Is that the right thing for entry? I mentioned that one before. If you're an employee, what if you don't want to use your face. . . you don't want your employer to have such a detailed set of data around your facial makeup. Should they be forced to provide you a different mechanism to enter into their building? Or does experience kind of trump that? These are the types of things that we do - keep on top of what's coming out, and then provide some guidance off the back of that on how that could be achieved in a more ethical way.
Debra J Farber:Hello, I am Debra J Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy- by- design and default into the engineering function to prevent privacy harms to humans, and to prevent dystopia. Each week, we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding edge of privacy research and emerging technologies, standards, business models and, ecosystems. Welcome everyone to Shifting Privacy Left. I'm your host and resident privacy guru, Debra J Farber. Today, I'm delighted to welcome my next two guests: Luke Beckley and Yusra Ahmed.
Debra J Farber:Luke is the Data Protection Officer and Privacy and Governance Manager at Correla, a company that processes gas consumption data across the UK consumer market on behalf of gas suppliers. For over 25 years, Luke has helped organizations understand their data to enable the data they process to work for them and, more recently, to enable that data with great governance and compliance with the prevailing data protection laws. He's also the Chief Compliance Officer for Hope4, a charity based in Moldova that helps victims of human trafficking, and he's worked as a Data Privacy Consultant to the East London Business Alliance, which helps social enterprises and small charities with their data privacy obligations. Yusra Ahmad is the CEO of Acuity Data, which specializes in delivering sustainable change by leveraging the full potential of data analytics and decision making across an organization's entire operations. With a proven track record of supporting a range of FTSE 500 clients to realize their strategic objectives to the use of data, Yusra believes that ethical data management is key to every organization's survival in this digital age.
Debra J Farber:So, Luke and Yusra have been working with The Real Estate Data Foundation - and combined that's known. . .like if you condense that, that's known as The RED Foundation - not to be confused with the AIDS Foundation that goes by the same name that, like Bono, is connected to. So, let's just separate those two ideas right here. And then, The RED Foundation, they shift that conversation left and ensure the data points generated by 9.84 million people on a daily basis is done so with privacy and transparency at the center. The RED Foundation is a sector-wide alliance that enables the Real Estate folks to benefit from data. Yusra currently serves as the Chair of The RED Foundation's Data Ethics Steering Group and Luke serves as the Chair of the Foundation's Engagement and Awareness Group. So, you can see why we have both of them on the call today. Welcome, Luke and Yusra!
Luke Beckley:Thank you, Debra. Thank you very much for inviting us on; and, as you've already mentioned, I am one of your super fans, so it's a privilege to be here. Thanks.
Debra J Farber:Yes, yes, I have to admit, Luke is definitely one of my super fans. It's one of the ways I've gotten to know him - through conversations on LinkedIn, and it's not just because he's a super fan that I invited him on. He's got plenty to talk to us about in his field of expertise. That's how we connected - through a lot of engagement on LinkedIn. I guess we'll just dive in. So, it appears that the real estate industry is seeking to leverage a lot of personal data at scale, and it feels like we're entering a perfect storm where the scope, the sophistication, and connectivity of data is increasing exponentially. While this may bring advantages for real estate, obviously has a lot of new challenges. So, can you share with us some of the current drivers for this change?
Yusra Ahmad:So, Debra, thank you so much for inviting me on your podcast, as well. I'm really excited about having this conversation with you and Luke. So I've worked within the real estate industry for coming up to about 20 years now. [Debra: Wow] Yeah - it's getting there. Right? I probably shouldn't mention those numbers anymore. When it relates to the drivers for change. . . I mean, certainly I started off in this industry working on space and occupancy management; and so data, for me, has always been an integral part of the way that you do business in real estate, and any organization. Right? When we talk about the drivers for change, I think there has been a slight step change recently, and a lot of that has been driven through technology disruption, ultimately; and this increasing desire to digitize the way that everything functions, in particular, in real estate. But, there's a number of other things, I think, that have been going on in the background. One of them, from our perspective, is ESG. Now, Luke and I have been working on a number of different things outside of RED Foundation as well, but what we're also seeing is is that, as organizations become much more focused on driving their diversity and inclusion agenda, their environmental impact agendas, et cetera, there's a heavier reliance on data, not only because regulation, especially here in Europe, is demanding, but also just from a social responsibility perspective. You need to understand what your status quo is before you can make that change. What we're increasingly finding is that some of that data is missing, and it's missing because it's not captured or it's not captured in the right way or the right structure, and within that there is an element of sensitive data. So, whether that's PII or whether that is data that can somehow be linked back in order to identify a particular organization, or a particular organization deems it to be sensitive. So this kind of issue around trust emerges as a result of ESG. Going beyond that, I think there's,
Yusra Ahmad:additionally, we talk about this concept of 'workplace experience' quite a lot. It's been something that I've certainly heard about over the past decade. At the very least, it's a move towards agile working. It's a move towards more flexible working environments, but it's also impacted by the change in the workforce dynamics. By that I mean the younger generation coming into the workforce having a completely different set of needs than we certainly have been trained to accept, I suppose, in a more traditional or conventional way, but also things like COVID and the lockdowns. That's also changed what the opinions or the attitudes of people who may have traditionally accepted the need to be in the office nine to five, five days a week, or sometimes seven days a week, because I've met those people as well. So all of that in order to become more efficient and to create this workplace experience again.
Yusra Ahmad:That is a very data intensive type of activity and type of service which also relies on sensitive personal, potentially information, with the rise of sensors in order to track occupancy and that type of stuff. The next I would mention - and I'm going to leave it there for now, but there are many more drivers - is something that I'm incredibly interested in, which is 'smart city development.' Ultimately, that means the digitization of real estate as a whole. Whenever I say 'smart cities,' I get a bit scared that people think of it as some sort of Jetsons episode.
Debra J Farber:Oh, be careful, this might be the name of the episode now.
Yusra Ahmad:Well, there is a temptation to think of it in those terms, but the reality is that most capital cities, most metropolises across the world, are already smart cities.
Yusra Ahmad:And, again, in order for you to provide that digital experience, for you to be able to navigate across a city in the way that we have become used to, through an app, through your phone, whatever it is, that requires data right and that requires digitization of a particular asset. And so, as our built environment becomes increasingly more advanced and more digitized, again, this is the rise of data and the need for data, and I'm sure we'll talk about this a little bit later on. But, this then kind of kicks in this concept of how do you ensure that you are managing this data in the most ethical way possible? A lot of that is really not just to do the right thing, but so that people you're collecting data about, who are the people you're delivering services, to trust you with that information, so that there is this unspoken tradeoff - you give me the service and I give you the data that you require. But, there's a gentle person's agreement that you're going to do the right thing by me and make sure I'm protected. So, a few thoughts for you.
Debra J Farber:Yeah, that is really helpful for contextualizing the state of the industry and what's changing, why we're even having this conversation today. Right? Luke? Do you have anything to add to that?
Luke Beckley:I don't think there's very much more to add to that. I think that's very comprehensive. I think there's almost an awakening that's happening in the real estate industry. They've been collecting data points - and we'll get on some of those shortly about what data has been collected - for many, many years; but, not in any way using that data to drive the best use of their assets.
Luke Beckley:And, I think this - and you just touched on it - this is one of the things that she and I converse on very frequently: "How do we bring all of the obligations - the compliance elements, the privacy elements - together with the actual volume and different data points being captured in a way that actually allows those developers and those assets to be utilized in the best way possible? I think a lot of that, as you just mentioned, is the driver that kicked off through the unfortunate circumstances of Covid. People's return to work suddenly made them realize how they wanted their spaces to work for them. So, there's a whole heap of social proof and pressure building as well as an awakening and awareness of all the different data points that have been captured and how that can converge with that social proof. Now, you need for better spaces and better use of spaces in a environmental way and for the benefit of the individuals using those spaces. It's a really interesting and dynamic and great place to be kind of, what we feel is, at the start of that awakening process.
Yusra Ahmad:I would also add to that. I think there's an element of play that's within the industry as well. I'm not sure if you would agree with me, Luke, but there's this sense of, as there's new technology coming out, real estate - not only operators but occupiers -want that for themselves. I certainly have been through a few rounds where, when AI came out, when big data came out as concepts, straight away, everyone was like, "well, let's use that. And it's almost as though the industry is trying to grapple with these technologies and then thinking about the use cases afterwards; rather than the use case ahead of time and then what works for us, which is a completely different challenge that I end up having to do.
Luke Beckley:Yeah, I 100% agree with that, though. You know I do, and that has always been the case.
Debra J Farber:You know, that's fascinating.
Debra J Farber:Oh God, I have so many questions, but I want to make sure we actually stay on a track too.
Debra J Farber:What comes up are questions around ethics and motivations, and real estate, generally, has been such a market where it's worth whatever someone's willing to pay for it.
Debra J Farber:So, you know, I wonder how much revenue - like any business in corporate America - is going to be driving the use of these technologies before they're ready. Like you said, if they're asking you to think of the use cases later, but let's start playing with the technologies, then it almost feels like a lot of that would be experimenting on people in real time to see what works, which is not recommended for ethical tech innovation and deployments. But, before we even get that far, my brain is going off in different directions based on what you just brought up, let's talk about what types of personal data these real estate companies are collecting and using, or want to collect and use in the future, and for what purposes.
Luke Beckley:The answer is a vast array of data is being collected, and possibly some things that individuals using the spaces and all the companies themselves don't necessarily consider personal data or think about. So, you range from people's access into buildings you go through. As Yusra's already mentioned. they capture data through the various sensors that try and help drive the smartness of the building. You've obviously got CCTV and surveillance cameras -
Debra J Farber:- I was just going to say, "obviously - alking about the UK
Luke Beckley:. . . in the world. So, I know there are big real estate companies with private / public spaces that have got large CCTV operations in place, and then you've got the actual individual records of the people who are in the building. You've got medical records - special category of data. For example, a lovely thing called PEEPS, which is 'Personal Emergency Evacuation Plans.' They need to be held by landlords and all the occupiers because, obviously, if you have people with a specific set of needs in an emergency situation, you need the Facilities Team to understand what those needs are and react in a way that enables you to get that individual out of the building quickly. But, that's a special category of data, and inherently, real estate organizations have been quite bad from a privacy perspective about how that is captured, stored, and secured. So, the array of data is just enormous and ever changing. Yusra's already touched on it -
Luke Beckley:the sharing of that data then becomes an even more complex requirement. So, for example, when you're trying to do energy efficiency and you want to look at occupiers and landlords, suddenly you're into a access control, sharing of data. That brings this whole plethora of additional complexities that we'll touch on later. I mean, that's just a brief issue of review, but, as you can imagine, t hose sets of data are quite voluminous in their own right.
Debra J Farber:Yeah, yeah - in fact, also, what comes to mind is exact location data. I know many retail establishments, for instance, make use of location data for analytics purposes, like how many people came through? I don't need to necessarily identify them, but like how many people - humans; let's identify that that's a human and how many came into the store on which days, so that we can better staff our store on those days, or for whatever inputs or whatever analytics purposes that they have. How are retail establishments putting protections around that location data, if at all?
Luke Beckley:I think the answer is: badly. And, I think back to the point about use case testing is possibly fairly valid. So, you're right. What happens is Wi-Fi installations in stores, for example, or in retail assets, potentially have the ability to track individuals around that, as they're pinging the individual access points, if you sign up to that Wi-Fi, you're effectively allowing them access to your location data for them to track you around the store. And again, something Yusra and I touched on and talked about last week was, walking past individual stores who have also had that data shared with them. So they're enabled in a manner to present you with an "Oh, I'm walking past X retail store and here I popped up and said I get X points on my loyalty card," right, so I think there's a wide use of that and a drive towards using that for the analytics purposes you mentioned.
Luke Beckley:But, I think there is complexity, both from a transparency perspective about exactly how that data gets used that is not necessarily being grasped that well. So, I think there's a lot more work that can be done around real explaining how geolocation and / or Wi-Fi location pings are being used and can be used. Yes, I get it. Ethically, you're trying to get the composite, providing the best experience for the consumer. But, that's not necessarily translating into the transparency about that data being used and for whom it's being shared with to drive that experience and whether the consumer even wants it. There is a whole heap of work to do.
Debra J Farber:But, you get points. You get 10% off your toothpaste, for giving up your privacy.
Luke Beckley:Debra, we can go into this offline. I can assure you, it is much more scary than you think.
Debra J Farber:Oh no, I could assure you, I know how scary it is. [Luke: I'm sure you know.] So, the argument here, is it that the privacy notices are insufficient? Or, are you saying they're sufficient, but nobody looks at them and it's not part of the consumer experience? Or, to drive them to look at it? Or, in the awareness about how their data might be used and secured and maybe shared anonymously? Or, is it shared direct identifiers? Is it the practice that we want to change? Is it that we just want to make it clearer to consumers? Or, are they really just not even embedding the requirement appropriately into, you know, whether it's the Wi-Fi's notice. . . .
Luke Beckley:I think it's a combination of all of those, but predominantly the first two you mentioned, which is: 1) the complexity of privacy notices - especially here in Europe and the UK - a plain and simple, straightforward language is meant to be used, but what you also find, or tend to find, quite often, is very complex and very long privacy notices with not necessarily very user-friendly language used to actually detail exactly what's happening to that data; 2) Then, the second thing is - and I think we'll touch on this a bit further into the conversation - the education and awareness from a consumer level about being able to really understand and read those privacy notices, even if they're in plain language, to understand what the potential impacts of that data sharing really is. So, there's an education piece that needs to be done, but I think there is also a clean up of transparency piece definitely required.
Yusra Ahmad:I think, if I can just jump in - I think we're, in a way, a little bit lucky though, within the UK and across Europe, because we do have the benefit of GDPR, whatever some people might think about it. At least it's a starting point in terms of providing some guardrails in terms of how organizations behave. And I'll do a little plug for RED Foundation here. Right at the start of our RED Foundation venture on the Ethics Committee, we wrote a piece specifically around consent - which is at the heart of this conversation - and I guess the challenge is that, whereas part of GDPR states that "consent must be explicitly given by the data provider to the processor, etc., the reality is that how can you consent if you don't know what you read or if you've just flicked through it in order to get to the bottom? This is no comment on anyone, because I've done that many a time myself - just give me the Y file; I'll sign anything. But, the reality is would you even understand it if you read it, if you're reading hundreds and hundreds of pages?
Yusra Ahmad:However, what I would say is that this situation is getting better because there is increasing onus on organizations to simplify the messaging and to articulate the key points of these long-winded, historically complex documents, so that we make things easier for individuals before they click, "sign." I mean. At the end of the day, though, if you're, if you're holding them hostage. . .and I'm not going to say where, but I've definitely been in one of these massive shopping malls where you lose signal to your telephone and the only way to be able to communicate with the world is to sign up to their Wi-Fi. Some of that, that's where ethics come into play. Is that really appropriate? Is that really fair? I guess, that's the question.
Debra J Farber:Yeah, that's a really great point. I mean, I don't think it's fair. Just a personal antidote here - or anecdote - I feel like I slurred that to say "antidote," but anecdote. I was actually a subcontractor on the Target breach, like the set of consultants that came in to assess the current state, what the future state should be, recommend changes, etc. So, for weeks I was flying to Minneapolis to help Target at headquarters with the Tiger team of other folks, and one of the things that we did was just start cataloging all of the potential areas of data collection. One of those things was the brand new Target Wi-Fi agreement, saying that you would be gladly tracked - well not gladly. In exchange for Wi-Fi, you'd have this experience and then they'll be tracking you around the store and all that. Who would ever think - this was years ago, so close to a decade ago at this point, maybe 9 years - who would ever think that in signing up for Wi-Fi in a shopping experience, that that would mean that you've consented to have all of your movement tracked as you're going around the store? Which, is exactly what you're saying has now been propagated across other buying experiences. I just don't think that your everyday person, if you ask them on the street, has any idea that this is going on, even if they did consent to whatever the disclosure language was when being prompted for Wi-Fi. I think there is definitely a transparency issue and it's kind of crazy that nine years ago, this was my experience as it was just coming to market. I feel like at that time, Target was avant-garde in the space of leveraging that kind of tracking technology compared to a lot of other retailers in the space.
Debra J Farber:I'm wondering, also, is it only constrained to retailers, or are there other real estate deployments of tracking technology? So, I'm thinking giant convention centers and when you have 100,000 person conference or 20,000 person conference, are there people being tracked? Are you agreeing to Wi-Fi and being tracked - your physical location, movements throughout that experience?
Debra J Farber:But then, I think about something like where you're told you're being tracked, and you're told that it you know what the purposes are and when they end - something like when I worked for Amazon and I went to their Amazon Go store, where you literally walk in the store; there are no checkout lanes. They just recognize you're a person and what this person's doing the whole time. And then, when you check out, it knows what's in your cart because there's sensors on the ceiling and all that that's tracking and it knows where you are, what you bought, or what you're taking out of the store with you. It just charges your account and it's a seamless experience; and theoretically, the lines are - well, there aren't really lines. Right?
Debra J Farber:So, I've seen something like that where you are aware going in; the whole concept is you're being tracked through the store, but then when you leave, the question is what information is still being retained and how's that being used and is it being shared is still there. But, at least there's an awareness, because the entire point is that you do everything by yourself. There's nobody checking you out, right? So, anyway - what I'd like to talk about is The RED foundation. I'm assuming most of my audience, like myself, has not that much awareness into the real estate industry and how they're dealing with these issues overall; so, what data protection, privacy and ethical challenges does the Foundation seek to solve for today? And then, how are you approaching those issues?
Yusra Ahmad:Well, if I can jump in, maybe I'll take a step back and talk a little bit about what The RED Foundation was set up to do. So, The RED Foundation - the initial premise was to create a platform within the real estate industry, focusing initially within the UK, because the founder of the Foundation was based here, frankly. So, that's why it started here; but, it's to create a platform whereby we can come and discuss data-related issues. And so, the Foundation is broken down into 4 different committees, an overarching committee and then three subcommittees - one which is populated by a number of different universities within the UK. Another which is all focused on data standards. As we know, without data standards we really struggle to structure, manage, and produce quality data; and that's a significant challenge for us within real estate. I'll talk about that another time, but my biggest challenge was the fact that individual datasets aren't structured to be integrated with each other, so it makes life very difficult when you're trying to report against the whole life cycle. And then, the final committee, which I've only just recently taken over as Chair, is the Ethics Committee. Now, as part of that, we have got, I think it's about six different ethics principles, which we are advising organizations to sign up to. So, these are: 1) accountable; 2) transparent; 3) proportionate; 4) confidential and private; 5) lawful and 6) secure principles around managing your data. So, it's all very simple. It's all aligned with GDPR guidance as well as other guidance that's come out through legislation here in the UK and Europe. What I would also say is that this is a pan- real estate platform, so everyone that's joined is doing it gratis. So, we are volunteering to be a part of this; and we are representing, or we joined at the very least to represent, a wide subset of the industry. So, we have software providers, real estate consultancies, developers, occupiers, lawyers, academics; it's a significant subsection of the industry that's being represented. So there's, I think, approximately about 60 of us in total and it's growing and we are welcoming more organizations that want to be a part of the conversation.
Yusra Ahmad:So, within the ethics piece, what we've essentially been doing is to try to work out how we can ensure or provide guidance to the industry on what ethical data management actually means. To your question, Debra, what are these blind spots that we have? Now, my background has been predominantly within the occupier space and so immediately, I think my inclination would be "Well, actually, within real estate, we capture very little personal information and that's very specific." But the truth is is that that's inaccurate. Luke already talked about, like wrote that off right at the outset. But I think what we're actually trying to say is that there's no one within - we don't believe that anyone in - the real estate industry is doing anything unethical. But what we're trying to propose is that we are mindful in terms of the way that we approach data management. That means ultimately, distilling it down into one sentence, make sure that you're always capturing as much as you need and no more, and only for the time period that you need it. Ultimately, that's the core of it.
Yusra Ahmad:I think what tends to happen is, and we touched on it a little bit at the start, this excitement about possibility without a use case, and so the amount of times I've heard, "Well, why don't we just grab a bunch of really smart data scientists, get them in a room, throw some data at them and see what comes out? Oh, no, no, no, no, please don't. That's not the best or most efficient, or even actually the most ethical, if you like, way to go about it ultimately, because what you should do is you should have a very specific reason for capturing some of this data and a very specific viewpoint on what you want to do with it and then use it for that particular purpose, and if you need it for something else, especially if you're capturing personal information, then you need to go back and reconfirm the consent for you to use that data in the way that you propose to use it. So, beyond that, what I would also add is is that it's really important to drive home this viewpoint that as real estate becomes more digital, as we start to ask more things of our technology, our need is going to change. So one of the things that I've been hearing about - I'm not sure how many people have actually started incorporating this into their assets - is the ability to use biometric entrants into a particular building.
Yusra Ahmad:So, just as you would open your iPhone with your face ID, you'll be able to walk into your office with that same face without having a badge, as you historically would do.
Yusra Ahmad:And that means that you're giving away more of your data. And there's implications with that. Right? Ultimately, if you're now, you are going to be putting demands on your employees in order to provide you with that information or allow you to use it in that way. So, what we're really doing is, within this steering committee, we've actually established a playbook and that playbook has got a number of case studies within it, talking about a number of case studies and how data was captured, why it was captured and how to make sure that you're ethical in the way that you're managing that data. And the view is is that as these use cases or case studies come about, we can make that information available to a wider audience. So as you're reading through, you can go oh, I never even thought of that as a particular potential issue in the way we're using data now or in the future. So you can grab some guidance or advice. I'll stop with my monologue now.
Debra J Farber:Oh, that was really great info. That was super helpful for contextualizing it - what The RED Foundation is working towards and why. I really appreciate that. What are some of the ethical questions, Yusra, that the real estate sector needs to still deal with?
Yusra Ahmad:I think the first one is "hat does ethics mean to us, right? So the first question that we were trying to touch on is this one of consent. Now, when we talk about real estate, in my mind, I straightaway go into the fact that there are so many different sectors. Today, we talked about Retail, but we haven't even touched on Residential. One of the most interesting, specifically for me, case studies that we looked at was within Residential Care Homes.
Yusra Ahmad:In particular, it's this complication between, I suppose you would say, providing people with freedom, but capturing or invading their privacy in order to provide them with that freedom. So take, for example, an aging population as we know that we are, more people are gonna be going into residential care homes. If we were able to incorporate sensors or cameras into units that tracked, monitored them, they were able to identify when an individual needed help before they were able to ask for it. Let's say, for example, they fell and a sensor was able to notice the fact that this individual's had an incident and someone was able to visit, well, actually, you're giving them some freedom. But where does that line kind of stop? And I think, as we become, as technology advances and as we're able to offer these types of services and experiences,
Yusra Ahmad:I think there's always a question of "Is that right? How do we make sure that we're protecting consent? But also, how can people change their minds, and I think that's slightly overlooked. In a lot of the use cases I'm seeing, you provide your consent in order for your data to be tracked? 1) should it be captured to begin with, because do you actually need it in order to provide that service? 2) Second of all, how are you capturing that consent for that service? But also, in the same instance, how are you allowing people to opt out (but not an opt out in terms of not providing you with the consent); it's being able to retract that consent once it has been freely given. I think, being able to keep that in mind in everything that we're doing, I think that's a challenge. Right? Because there's so many different ways that you could be reaching that in a way without even knowing.
Debra J Farber:Yeah, and there's also seems to be so many different forget even the use cases, like the very specific use cases but different stakeholders, right, you've you already mentioned. You've got Owner versus Occupier, and so what are the different rights? But then you think about Employer versus Employee and how much monitoring in that space that theE mployer can and should do of their Employees. Then, you've got like the retail organization - I don't want to say 'versus,' but like the opposite perspectives here. Right? So, you've got the Retailers of a space, but then you've got the Temporary Licensees of the Public coming in to look around the store and maybe buy some things, and you know, so on and so forth.
Debra J Farber:You've got Services where you might be going to the dentist or doctor, and like what are they monitoring beyond what you know? I feel like there's all of these different stakeholders involved in just the tracking, sharing and taking up space or being in these spaces. Are you coming up with different use cases around ethics and then coming up with standards based on different stakeholders? How are you approaching the fact that there are multi stakeholders involved here?
Yusra Ahmad:You're absolutely right. There are a number of different stakeholders and the issue is as well is that an individual can take up multiple different roles. Right? We're almost always doing musical chairs with these roles, because we could be everything at the same time. What we are trying to do is look at it from the perspective of different sectors, but also different stakeholders within the sector, and trying to understand what do they need and also how they can go about achieving that balance. Ultimately, I guess the challenge is is keeping on top of not only the regulation, which is lacking in a way. . . I shouldn't say lacking, I think it's developing; but, I think the other aspect (which is more of a challenge) is keeping on top of the technology as it evolves. I sort of you know, tongue- in- cheek, sort of mentioned how we have this desire to look at new tech and innovate the back of that. We should absolutely be doing that, first of all, just to make that clear. I think we should be looking at what's coming up - and ChatGPT, I think, is the newest toy in the box - but, what we have to be careful with is that, as we're leveraging these types of things, is, to your point, to start to look at it from a different perspectives. What are the different ways that people could be leveraging this type of tech, but also providing some steers or guidance that leverages the regulation we do have but also provide some practical guidance as to what that truly means, and I think that's a really delicate balance.
Yusra Ahmad:I'll give you another example, but it's really from a city perspective. Very similar to your reward example that you mentioned earlier - when you're looking at a city that is densely populated, lots of traffic on the road, you know people are struggling to get from one side to the other. It's really rather an unpleasant experience, and I've experienced a few of those. I won't name them, but there is this ambition to capture location data, people's movements, et cetera, and be able to redirect them. So, on the face of it, that becomes such a wonderful idea, right? Just as Google Maps redirects you when you're driving, right, - best route here or there - what if it were to go further? If you're looking for a restaurant for the night, it actually tracks the busiest areas and redirects you somewhere else and provides you with rewards for going to somewhere that's a little bit quieter.
Yusra Ahmad:These are the types of things or experiences that I think we have to start to foresee, capture and assess for their ethics, essentially. This is the challenge with ethics, right, which is why I can't give you a direct answer the question of ethics is really not. . . there is no one right answer. I mean certain things, there is one right answer: right or wrong. But, most of the time it's a question of, on the balance of things, which is the 'right' / 'best' thing to do or which is the 'most sensible' thing to do.
Yusra Ahmad:Is it sensible to give someone a great experience or an easier experience? Yes, but should they be manipulated into going somewhere that they otherwise might not want to go? I don't know, right? It's all about consensus of wider society in terms of what is right or wrong, what the best thing or what is the common consensus of what we should be doing. This is why it's so wonderful to be on the Steering Committee, because we can debate some of these things out and say and think about things in a slightly different way to what we are potentially programmed to do or what our instincts would say. So yeah, it's fun; it's interesting. I don't think we've captured even a fraction of all of the types of areas or the question marks that we should be looking at, but I think the challenge is always going to be that we're going to need to be keeping up with whatever is happening within the wider world or within industry.
Yusra Ahmad:Are we using biometrics? Is that the right thing for entry? I mentioned that one before. If you're an employee, what if you don't want your employer to have such a detailed set of data around your facial makeup. Should they be forced to provide you a different mechanism to enter into their building? Or does experience kind of trump that? These are the types of things that we do is keep on top of what's coming out and then provide some guidance off the back of that on how that could be achieved in a more ethical way.
Debra J Farber:That's really, really fascinating, and thank you for restating those use cases, or not restating them, but sharing them with us.
Debra J Farber:Maybe, Luke, you could talk a little bit about what it'll take to ensure that real estate companies start leveraging privacy- enhancing technologies for data capture and sharing data in a privacy- preserving way, beyond security controls like biometrics, which makes sense that there might be people who are afraid of giving them, and that's a great conversation that you just had, Yusra, around that tension and how you have to think on balance and think about what your ethics are - which is the point of those ethics: to create tension in the org so that you can actually be like, "oh, this is important, we have to figure out what our value system is, and then the ethics is the approach to getting there to the set of values, which might differ slightly across depending on who the stakeholder that you are, at what time and at what you think the future should be. But sorry, I started out saying, Luke, I would love to understand your opinion on when the real estate industry will start leveraging PETs.
Luke Beckley:So, just to go back on a couple of things that Yusra's mentioned and just add one more group into the RED Foundation, which is the Engagement and Awareness group, which I am the Chair, and I have the wonderful job of getting people like Yusra to talk to you like this, which hopefully is worth receiving. But, interestingly, those words, engagement and awareness, I think are crucial in the process of getting the industry, the real estate industry, not to rush into - and I think, as Yusra's touched on it - rush into the adoption of what is the newest and shiniest tech, because it might make what is perceived to be the experience of the different stakeholder easier, slicker, quicker. And then there are a whole heap of the additional obligations around that, of course, like we've talked about, the case studies and the case law that keeps testing the various different elements of the regulation. I think it's what we're trying to do - one of the key principles and our driver for next year - try and take those ethical considerations that Yusra so wonderfully articulated and push those out to the real estate organizations who are looking at adopting, for example, any form of biometrics / facial rec into buildings. This has been talked about - I've been part of conversations over the last X number of years, 7 years or so, where this has been brought up on an almost annual basis. "Well, can we just put facial rec in? And then, of course, what happens is it goes beyond just the use for access control Sooner, or then it goes into the digital place making, making that whole environment and experience better, not only for the employer but potentially for visitors, potentially for individual occupiers, consumers in the public spaces. And so it's the principles, the overall principles of the GEPR, which is what we still operate under, still currently operate under in the UK; and that's another totally different subject for another day. I think it's really educating the real estate industry - and the like, I said, the whole plethora of real estate players - on how those ethical considerations need to be taken into account and then how the privacy- enhancing tech can be applied to that. And, all just the principles - adopt them properly.
Luke Beckley:Storage limitation - if you are going to go down the facial rec route, you don't need to store the actual recognition picture for longer than what? A half- second? Nanosecond? It's got to do the recognition then should be deleted; but, these considerations don't get taken into account. It's the speed of access; it's the ease of access. All of those elements are considered first before the actual ethical question of its use - whether it is actually allowed under the regulation or the law in the first place
Luke Beckley:because, again, as Yusra mentioned, there are definitely easier routes to allowing people access to the building. For example, putting a digital pass on their phone. Right? Still don't need the facial rec piece, so what is the recognition piece for other than to enhance the experience? I think it's. . . there's a step before the application of the technology, which is the education and awareness piece for the real estate industry. I think we need to engage with them on the ethics questions and then start educating them on the various privacy- enhancing tech that is available, which, for me, is the foundation of building trust with those stakeholders. That seems to be a word that doesn't get used very often but is, I think, fundamental to how people engage with those spaces and with the assets.
Yusra Ahmad:A couple of years ago I had the privilege of attending an Evanta event, which is a Gartner company. They organize events for CDOs. This is cross- industry, from television to charities to real estate, all sorts of organizations being represented. They were all struggling with the same ethics question. It is by no means, I think, a unique challenge to real estate. Everyone is capturing more and more data. I think everyone is seeing some massive, huge fines, like hundreds of millions of dollars worth of fines, walking out the front door. They're saying well, how do I, as a CDO, make sure I protect my organization from that type of exposure? Here's where we are.
Debra J Farber:Yeah, that makes a lot of sense. It makes me think. I just want to bring up, because we've been talking facial recognition and then you described a use case where maybe we'll just use people's faces for them to walk in - a camera looks at them as they walk into their workplace and determines whether it's you or not? I just want to make the distinction that there is a difference between "facial identification. Is this person who claims to be Debra Farber, Debra Farber? Righ? That's a one-to-one try to match versus facial recognition.
Debra J Farber:where you're looking at a general population of people, people are walking in - who is this person? Oh, we have a giant database of millions of people. This is Debra Farber. That's facial recognition. That's different from identification, right? Where you're just, it's the very authentication of the human, because you already have a facial print somewhere for that employee. In some ways, I think it could be less scary to just walk people through the technology in an easily consumable way that they can understand and then opt in for. I also want to ask, a lot of these things around employees in the UK and Europe is different from the United States. I'm going to ask real quick if you can maybe talk about the role of Works Councils in approving some tracking technology within organizations. I think Works Councils are like unions, but they operate a little differently on your side of the pond. Are you able to enlighten us there with what that process is like?
Yusra Ahmad:To be honest, I think Works Councils are a lot more stringent on the continent, the likes of Germany, Switzerland. My interactions in the past, my sphere has crossed past them. In Europe, they've been a lot more challenging. I think, in the UK, where you have unions, not every type of job is unionized; they tend to be much more for public services.
Luke Beckley:Public services definitely are very union- heavy, in the UK at least.
Yusra Ahmad:Again, it depends on which part of the sector that we're talking about. If you're talking about things like logistics, for example, if you're moving more into the construction type of space, I think that's where you start to encounter some of those making sure that you engage with the Works Councils, or the unions as we call them here, and describing your need and also the articulating the impact specifically that that is going to, whatever it is that you're trying to achieve is going to have on employees or the individuals in question. As you move further, I think, into the occupier side of the fence, a lot of the focus tends to be on more of the white collar, I suppose, type of services. I think it becomes a much more equal balance of individuals. You probably don't encounter the unions as much as you would otherwise.
Debra J Farber:That's helpful. Thank you. I really just didn't have as much insight into Europe generally when it came to unions and works councils. That actually helps shed some light that you refer to them as unions, even in the UK, like we do here, and that they might operate slightly differently from the rest of the continent. So, I learned something, thank you. I learned many things, but thank you for that.
Debra J Farber:So, Luk e, we're talking here a lot about the industry generally and how approaches are required to gather the stakeholders and let them understand, educate them and their communities on all of this data collection and how to balance with the right controls to preserve privacy, whether it's through PETs or security controls or architecture and just different ways of thinking. Well, since this is a show aimed at privacy engineers, I'm curious if you have guidance for them as to are there opportunities basically for privacy engineers to work in the real estate sector? Obviously, you can't have privacy enhancing technologies deployed and deployed appropriately without experts in that field to understand the space and appropriate ways of deployment and what's worked for others in the past and maybe taking a look at research and all of that. Is there appetite right now for privacy engineers to be hired into real estate companies or even occupiers of that space's overall approach to privacy in their space.
Luke Beckley:I've definitely got appetite for it, if that helps. I think there is a huge need for privacy engineers in the real estate space. I think we are . . and again, back to the reason The RED Foundation was set up and founded was the perception from the people who were part of that organization that the real estate industry is behind other sectors in understanding both how to leverage the data correctly, be processed the data in an ethical and secure way. Of course, then the next layer on is "well, how do we make sure that we protect the privacy and data elements for the various stakeholders that are involved?
Luke Beckley:As we mentioned earlier, we captured quite a lot of personal data, but the rush to just adopt technology to enhance experience is, in my opinion, a huge opportunity for real estate companies to take on board privacy in engineers, listen to their input in conjunction with those who are talking through the ethical questions about some of the processes that some of the real estate companies want to take on board and are implementing, and to really drive the enhancement of the technology that is ultimately going to build that trust with the real estate companies, the housing associations, the residential developers, all of those different stakeholders are ultimately trying to build a product that is trusted by their potential purchasers and all occupiers, but the tech at the moment isn't supporting, in my opinion, the privacy enhancing elements sufficiently.
Luke Beckley:So I think there is a huge opportunity there to try and bring privacy enhancing tech and engineering into this space. I, for one, am desperate to take on a privacy engineer in a slightly different field to real estate, because I still think there's been I've got the same challenges in a different field and then that's where I'm going to podcast, but I think there is huge opportunity for the privacy engineering space in the sector.
Debra J Farber:That's great to hear. I don't see too many roles, at least stateside, for retail hiring. Well, maybe not just retail, but let's say the real estate industry in general hiring. I really do hope to see more of that. I am curious, though compared to other industries, guess the assumption would be that there's not that much software in the real estate industry, but that's probably not true these days.
Debra J Farber:You know, I even look at something like WeW ork, to either to visit somebody that's there or, I even for a short time had like a small office in one of them. You know, even then, while you wouldn't think software was a big part of their value prop, there was this WeW ork website app thing that you could all connect to and kind of almost a little bit of a local social networking thing for those who are WeW orkers, and also guidance of their different properties, and so there was some software involved. I remember - this is years ago, so I was poking around - going they can improve here. But, I'm wondering, you know, is privacy- by- design and engineering generally, like baking into the software development life cycle, something that's important to the real estate industry, or is it more around privacy enhancing technologies and deploying that across their analytics stack. Like. Just give us a little sense of that, if you could, for software developers.
Luke Beckley:So, that particular type of application and or engagement is definitely becoming more prominent. So I'm conscious of a number of developers who are running their own apps to enhance the community, basically of occupiers and themselves in the different spaces that they've got, trying to bring consumers to the retail elements of the different spaces and trying to bring that all under one hood of a particular app that's relevant to that particular space. I'm also trying desperately to avoid names. So, I think you've got two tiers really. The first one is definitely trying to drive the development of the technology but try and take into account the prevailing data protection laws. Okay, so we're looking at it from a high level data protection perspective and what will allow a risk based level of compliance to be gathered before deployment of said technology.
Luke Beckley:That lower layer, that more base layer for me, the privacy- by- design element and the introduction of the privacy and enhancing tech, I think is still very much in its infancy, because it feels like we're still in a retrospective, retroactive, reactive scenario in order to try and bake that, in which Yusra and I have had numerous conversations recently on the ESG thing we mentioned earlier - where we're trying to make what looked like small changes further down the line, actually result in huge cost, huge time consumption, and then the ROI of that change suddenly doesn't get baked into the ROI of the actual end product.
Luke Beckley:And so it comes, "Let's not do the privacy enhancing tech bit. Are we as compliant with the law as we can be with the tech stack as it currently stands? Yes, we are. Then we're good to go". I think there is, as I've said, the opportunity for privacy enhancing tech in conjunction with a deeper understanding of, and need to embed, privacy- by- design from the start of the development of these kind of applications, where you're bringing community together, you're bringing occupiers together, you're bringing the space utilization under one banner. I think is in its infancy.
Debra J Farber:Great well, it sounds like a lot of opportunity. I would love, as we close today, if you could tell us how people could get involved with The RED Foundation. Are there any resources that you'd like to point them to? How can they collaborate?
Luke Beckley:Yeah, so we are on LinkedIn, so we will drop the information. We've also got a website, so we can pop that across as well and I can go into the show notes. Obviously, Yusra and I are more than happy to get contacted from anybody via LinkedIn and talk to anybody about getting involved in real estate and tech.
Debra J Farber:Excellent. Well, I'll definitely put that information in the show notes. Y Luke, any last words of wisdom before we close today to share with the audience.
Luke Beckley:That's definitely up to you, Yusra.
Yusra Ahmad:Words of wisdom. There's so many things, right? I think that there is - and following on from your conversation just now around opportunity - there is a huge amount of opportunity where it relates to data, where it relates to real estate tech, the prop tech sector, and cretech sector, whichever way you wanna call it. It's growing year on year and it's significantly sizable. W ith that there are implications; there's challenges, I think.
Yusra Ahmad:If we bring it down to the most basic viewpoint, the more that you start to digitize your property, the greater risk that you open yourself up to from someone, a hacker somewhere, logging in or breaking into your space and creating some real- world damage, potentially. So, from a privacy perspective, I think there's definitely opportunity there; but, what I also think is is that we shouldn't allow that to deter us from innovating and progressing because these are obstacles rather than blockers. We just need to find a way to jump over them, and there's smart enough people to be able to do that and create some new exciting experiences for us. I would say. So, come with plenty of ideas and an open mind, and there's a lot of stuff that we can be doing here, a lot of things we can do.
Luke Beckley:Yeah, exactly, and start - you're right - and start seeing privacy and privacy enhancing tech and privacy- by- design, not as a blocker. It's a great way to finish. Not as a blocker but as a builder for actually doing the right thing, building the right tech, providing the right experience, and building the customer trust.
Debra J Farber:Yeah, to me it sounds like we really need to threat model for both privacy and security, prevent the criminals - "criminal hackers. I say this my fiance is a hacker, an ethical hacker - he does that for a living.
Debra J Farber:So, I always wanna mention that these we should say "criminal hackers, not just hackers, as if they all are criminals. Have the right controls. If you're doing your threat modeling, you're figuring out those use cases - not just for security, but threat model for privacy as well where you could uncover what in your environment, the potential harms that the use cases would have to people, as well as to your assets. Continue doing that to uncover what the potential threats are, because they're gonna constantly be evolving and changing. So, it's not a 'one and done' compliance thing. It's an ongoing part of managing your tech stack today. If you build it in ,privacy in by design, you'll be more proactive, you'll be more agile when you go to market. You're building privacy into your MVP. You're not waiting till later to figure out, now that you have all this technical debt, how you're gonna have to redo things and re-architect things.
Debra J Farber:Someone I respect very much in the ethical AI space space, Chowdhury, talks about that. how adding to one's car - yeah, it's for safety, but it gives the user trust in your overall system. So, you end up driving faster when you know you have breaks and have these guardrails built in and safety around the car actually doesn't slow you down; it makes you faster. I feel the same way about privacy- by- design or even ethical AI. You build this stuff in from the beginning. It's now market- ready to be consumed by those who do care about safety and privacy and security and humans and not just users and nameless analytics stats. Right? The protections are real and the entire economy and the companies that might be more visible and might likely get fined and have different regulatory bodies concerned about what they're doing, they're gonna be very careful about their downstream - the companies they work with, the technologies they work with. So, if you wanna sell to larger organizations that know they have regulatory scrutiny on them, you'll get through the sales process faster if you proactively have been thinking about privacy rather than coming to market with a product or service in the real estate space and then expecting that it's just gonna be consumed and then finding out you have to fix all these things. Right? So again, it's all about increasing ROI. Privacy is not a blocker iI\f you actually think about it early and embed it into design, architecture, and software development, and DevOps.
Debra J Farber:So thank you, Luke and Yusra. Thank you so much for joining us on The Shifting Privacy Left podcast. Until next Tuesday, everyone, when we'll be back with engaging content and another great guest or guests. Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website, shiftingprivacyleft. com, where you can subscribe to updates so you'll never miss a show. While you're at it, if you found this episode valuable, go ahead and share it with a friend. And, if you're an engineer who cares passionately about privacy, check out Privado: the developer- friendly privacy platform and sponsor of this show. To learn more, go to privado. ai. Be sure to tune in next Tuesday for a new episode. Bye for now.