

[Podcast] Cyber & Tech Attorney Camille Stewart: Discerning One’s Appetite for Risk




We continue our conversation with cyber and tech attorney Camille Stewart on discerning one’s appetite for risk. In other words, how much information are you willing to share online in exchange for something free?

It’s a loaded question and Camille takes us through the lines of questioning one would take when taking a fun quiz or survey online. As always, there are no easy answers or shortcuts to achieving the state of privacy savvy nirvana.

It’s also risky to connect laws made in the physical world to cyberspace. Camille warns that if we start making comparisons because the connection appears similar at face value when in reality it isn’t, we may set ourselves up to truly stifle innovation.

Choosing Convenience over Privacy

Camille Stewart

Hi, I’m Camille Stewart. I’m a cyber and technology attorney. I am currently at Deloitte working on cyber risk and innovation issues, so identifying emerging technologies for the firm to work with. Prior to that, I was a senior policy advisor at the Department of Homeland Security working on cyber infrastructure regarding to foreign policy in the Office of Policy. I was an appointee in the Obama Administration. And then prior to that I was in-house at a cybersecurity company. So I’ve worked in both the public sector and the private sector on cyber issues.

Cindy Ng

Thanks, Camille. Can you talk a little bit about privacy conceptually? Everybody wants privacy, it seems like a good thing, but why aren’t people picking privacy over convenience? Convenience, yes, it’s easy but what about privacy is not getting through to people?

Camille Stewart

I don’t think people are looking at the long-term ramifications, right? I know very recently we had the genetic testing case that helped lead to a killer, which is wonderful in that specific instance. But I doubt that anybody who sends in their genetic information, had it tested and figured out their heritage has thought about how that data might be used otherwise, has read the disclaimer that tells you how your data will be used whether it’s for research, whether it will be used by the police, whether it will be used to create new things.

And if anybody remembers Henrietta Lacks, her data was used to create all of these things that are very wonderful but she never got any compensation for it. Not knowing how your information is used takes away all of your control, right? And a world where your data is commoditized and it has a value, you should be in control of the value of your data. And whether it’s as simple as we’re giving away our right to choose how and when we disburse our information and/or privacy that leads us to security implications, those things are important.

For example, you don’t care that there’s information pooled and aggregated from a number of different places about you because you’ve posted it freely or because you traded it for a service that’s very convenient until the moment when you realize that because you took the quiz and let this information out or because you didn’t care that your address was posted on like a Spokeo site or something else, you didn’t realize that all of the questions to your banking security information are now all easily searched on the internet and probably being aggregated by some random organization. So somebody could easily take and say, “Oh, what’s your mother’s maiden name? Okay. And what city do you live in? Okay. And what high school did you go to? Okay.”

And those are three pieces of information that maybe you didn’t post in the same place but you posted and didn’t care because you traded it for something or you posted it and you didn’t think it through and now they can aggregate it because you use those two things for everything and now someone has access to your bank account, they’ve got access to your email, they’ve got access to all of these things that are really important to you and your privacy has now translated into your security.

Cindy Ng

I was just talking to my coworkers about this that it doesn’t come naturally to know not to answer these questions because you can online somewhere and let’s say you’re a part of a community you trust and you answer these innocuous questions and then you won’t necessarily have the foresight to know that it’s gonna come back and hurt you. How did you come up with the reasoning behind, “Oh, I probably shouldn’t answer those questions?” Because you kinda have to be a little skillful and have a bit of foresight or some knowledge to even think in the way that you do.

Camille Stewart

No, you’re right, there is a level of savvy that has to happen for you to think that way and a level of, like you said, foresight or a level of reaction, right? Most people aren’t thinking that way because they knew it before it happened but now that the information’s out there, they’re taking action. And I think there are a lot of people who are neglecting that.

So we all, just like organizations, just have to press it, have to make this vision become their appetite for risk. We as individuals have to do the same. And so if you are willing to risk because you think either, “They won’t look for me,” or, “I’m willing to take the hits because my bank will reimburse me,” or whatever the decision which you are making, I want you to be informed.

I’m not telling you what your risk calculus is but I wanna encourage people to understand how information can be used, understand what they’re putting out there and make decisions accordingly. So your answer to that might be like “Look, I don’t wanna give up taking Facebook for this or sharing information in a community that I trust on some social site but what I will do is have a set of answers that I don’t share with anyone to those normal questions that they use for password reset that are wrong but only I know the fake answers that I’m using for them.”

So instead of your actual mother’s maiden name, you’re using something else and you’ve decided that that’s one of the ways that you will protect yourself because you really wanna still use these other tools and that might be the way you protect yourself. So I challenge people not to give up the things that they love, like I mean, I would assess whether or not certain things are worth the risk, right?

Like a quiz on Facebook that makes you provide data to an external third party that you’re not really sure of how they’re using it, not likely worth it. But the quizzes where you can just kinda take them, that might be worth it. I mean, the answers you provide for those questions still are revealing about you but maybe not in a way that’s super impactful. Maybe in a way that’s likely just for marketing and if you’re okay with that, then take that or you go resilient the other way.

Artificial Intelligence and Legal Protections

Cindy Ng

I wanna talk about an article that an attorney wrote, Tiffany Li, she wrote about how AI will someday eclipse the intelligence of the human and whether or not AI will have legal protections and then she juxtaposed it with the case with the monkey and how a monkey took a photographer’s camera and took a selfie and there was a lawsuit with how we can use the monkey’s lawsuit as precedent for future cases such as AI and recently, the monkey lost the lawsuit. Not the monkey but PETA. I just wanna hear from your perspective, as a lawyer, how to think about it moving forward.

Camille Stewart

I mean, it remains to be seen how things like AI will translate, especially in terms of creative spaces. It will be hard to determine ownership if a machine creates a work. And I mean, they’ll come down to a final decision. We’ll have to decide that things that are created by a machine and solely by a machine, right, like if there are human’s input we might make one decision versus if it’s solely created by a machine, we might say that that is in the public sphere and anybody can use it and is not as anything that has any kinda attributable protection.

Versus if there is human input, we would decide that that is something that they can then own the production of, right, because they contributed to the making of whatever the end product is. It’s hard to speculate but there will have to be a line drawn and it’s likely somewhere in there, right? The sense that there is enough human interjection, whether that is from the input from whatever creative process is happening by the machine or in the creation of the process or program or software that is being used and then spit out some creation on the end, there will have to be a law or I guess at least case law that kinda dictates where that line is drawn.

But those will be the things that’s fun, right? Tiffany, and other lawyers like myself, I think those are the things that we enjoy most about the space is that stuff is unclear. And as these things roll out you get to make connections with the monkey case and AI and with other things that have already happened and new processes, new tech, new innovations and try to help draw those lines.

Cindy Ng

Is there anything we need to look out for that we’re not aware of? Or certain connections that are sorta in the legal space that people in the tech space aren’t aware of?

Camille Stewart

So I was gonna say, I don’t actually think it is safe to on a broad scale without some level of assessment, connect laws made in accordance with the physical world to cyberspace, I think it’s dangerous, because usually they’re not one for one. It is the place where most people start because it’s the easiest proposition to compare something that we’ve seen before with something in cyber. But they don’t always compare or don’t always compare in the way that we would think that they would.

And so it’s dangerous to make those comparisons without some level of assessment. And so I would tell people to challenge those assessments when you hear them and try to poke holes in them, because bad facts make for bad law. And if we take the easy route and just start making comparisons because on their face they seem similar, we may set ourselves up to truly stifle innovation, which is exactly what we’re trying to prevent.

Cindy Ng

Can you provide us with an example of why it’s dangerous, because it feels like the natural thing to do?

Camille Stewart

No, you’re right, it does feel natural. I’m trying to think of something… I’m thinking more along the lines of likening something physical to something cyber. So let’s think about borders, right? So borders in a physical sense are very clear limitations of authority and operation. You can’t cross a physical border without being able to use a passport, a visa, things like that and they can control physical entry and exit at a border, a different country can.

That is not the same as cyber-based. And to liken the two in the way that you use rules is not smart, right? It’s your first inclination to wanna try to stop data flow at the edge of a country, at the edge of some imaginary border, but it is not realistic because the internet by its very nature is global and interconnected and, you know, traverses the world freely and you can’t really stop things on that line, which is why things like GDPR are important for organizations across the world because as a company that has a global reach because you’re on the internet, you will be affected by how laws are created in different localities.

So that’s a very big example but it happens in very discrete ways too when it comes to technology, cyberspace, and physical laws. Or the physical space and laws that are operated in that way and so I would challenge people that when you hear people make a one for one connection very easily without some level of assessment to try to question that to make sure it really is the best way to adapt some things to the given situation.

The reason for example, Tiffany’s likening of AI to this monkey case, it’s an easy connection to make because in your head you think, “Well, the monkey is not human, they made a thing, and if they can’t own the thing then when you do that online and a machine makes a thing, they can’t own a thing.” But it very well may not be the same analysis that needs to be made in setting, right? The lines may become very different because none of us could create a monkey. So if I can’t create a monkey, then it’s harder to control the output of that monkey. But I could very well create a machine that could then create an output and shouldn’t I be the owner of that output if I created the machine that then created the output?

Cindy Ng


Camille Stewart

But that was my point is that likening things that on their face being the same, the lines therein might be different or they just might be different altogether because cyberspace and the physical space are not a one for one.

Cindy Ng


Cindy is the host of the Inside Out Security podcast.

