Patricia Thaine of Private AI: Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information

Published in Authority Magazine, Nov 26, 2021


We practice what we preach and we don’t store personal data. We even deploy in our clients’ environments so we don’t have to process personal data within our cloud environment. We insist that any data sent to us is always stripped of personal information first. I sleep very easily at night with this decision.

As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Patricia Thaine.

Patricia Thaine is the Co-Founder and CEO of Private AI, a Computer Science PhD Candidate at the University of Toronto, and a Postgraduate Affiliate at the Vector Institute doing research on privacy-preserving natural language processing, with a focus on applied cryptography. She also does research on computational methods for lost language decipherment. Patricia is a recipient of the NSERC Postgraduate Scholarship, the RBC Graduate Fellowship, the Beatrice “Trixie” Worsley Graduate Scholarship in Computer Science, and the Ontario Graduate Scholarship. She has eight years of research and software development experience, including at the McGill Language Development Lab, the University of Toronto’s Computational Linguistics Lab, the University of Toronto’s Department of Linguistics, and the Public Health Agency of Canada.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Montreal, surrounded by different languages. Portuguese and Spanish at home, French at school, and English everywhere else. I liked to play more than I liked to study, but my father made sure I learnt my maths well and learnt how to read as early as possible (thanks to his teachings, I learnt by age three and a half). There were always Legos to play with, dolls and cars, ample books on the bookshelves, and my parents gave me free rein of my time, which I spent mostly playing pretend. I have a brother who is nine years older and a sister who is seventeen years older, so I had lots of people to learn from, but not many kids my age to play with, making me more than a little awkward at school. At six years old I learnt what patterns were and fell in love with them. I’d draw lots of aesthetically pleasing patterns, but also really loved pattern matching puzzles. And it’s so interesting how much learning relies on pattern-matching.

Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.

I wanted to be everything at one point or another: doctor, actor, diplomat, author, researcher, professor, fashion designer, pilot. The sky was the limit. I realized that what I really liked was mixing different disciplines and diving deep into them, and also maximizing my understanding of how the world really works. No one particular story inspired me to pursue entrepreneurship, but I am a huge fan of certain business leaders: Satya Nadella whose book I read almost as soon as it came out, Melinda & Bill Gates for their philanthropic leadership, Arianna Huffington whose interviews I always learn interesting things from.

Can you share the most interesting story that happened to you since you began your career?

There have been so many, from when I was 21 years old. I was present when President Obama addressed Chiefs of Police at the International Association of Chiefs of Police. I presented a poster on acoustic forensics at Interpol in Lyon in my early 20’s to heads of forensic labs. I got to talk about my business ideas to Vinod Khosla, but I think most interesting of all is the day-to-day at our startup where our highly skilled and highly motivated team is building some of the best privacy tech in the world.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There are so many people, including my parents, my husband, my son, my friends and siblings, and my PhD thesis advisor. My husband and my mother are my superheroes. Their unwavering support and willingness to always be there to help, understanding just how hard it is to build a company, and doing anything they can to make things easier for me. My PhD thesis advisor, Professor Gerald Penn, has supported my ambition to start a business ever since I told him about it when I was finishing off my Master’s. He said I could do both a PhD and found a startup. He’s also been unwaveringly supportive.

While I was working from home during the lockdowns, my husband, who is a high school teacher, would often teach classes with our then two-year-old sitting on his lap so I could meet with investors and prospective customers or code without interruption. Once, he even got him to fall asleep on his lap while teaching students an introduction to psychology and frequently using him as an example when discussing human development.

Are you working on any exciting new projects now? How do you think that will help people?

We’re working on lots of interesting projects at Private AI that are geared towards processing massive amounts of data in a privacy-preserving way. One we’re focusing on quite a bit over the next few months is perfecting our synthetic personal data generation model, which replaces names with fake names, locations with fake locations, and so on — so very natural pseudonymization. The cool thing about this is that, not only does the data become more private and secure than if personal data were just removed (because it’s very difficult to tell what the original data was from the fake data), but we’re also doing research that’s showing how this more natural looking data prevents downstream model accuracy loss for a number of natural language processing tasks.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I’m not a fan of giving general advice, because of how different every person is. But what’s worked for me is finding a way to have fun doing what I do. It doesn’t feel like work and doesn’t feel as exhausting if you’re enjoying yourself. Also, finding an external party (coach, psych, therapist, or friend) who can help you stay grounded in reality and help de-gaslight or disambiguate situations. Oh, and lots of plants really help liven up a space. But most of this is useless to prevent burnout if you’re not getting enough sleep.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?

That very much depends on the sector, location of the business, and the business’s customers. Several multinational corporations choose to comply with the strictest of regulations to maximally avoid headaches. For now, their go-to tends to be the GDPR. The main thing to keep in mind is that if you don’t need the personal data, don’t collect it! It’s only going to get you into trouble. If you do need the data, make sure you get positive consent from your customers (not implied consent) to use their personal data for every specific purpose it’s meant for. You also need to keep meticulous track of where you’re storing said data so you can delete it upon request or answer to access information requests.

Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?

The most prudent thing to do is to delete personal data as soon as you possibly can. Ideally, you’re not collecting it in the first place. We have some customers in the machine learning world who set a time limit to storing data even if personal information has been stripped away. If their data ever got leaked, that would hugely limit their exposure and liability.

In the face of this changing landscape, how has your data retention policy evolved over the years?

We practice what we preach and we don’t store personal data. We even deploy in our clients’ environments so we don’t have to process personal data within our cloud environment. We insist that any data sent to us is always stripped of personal information first. I sleep very easily at night with this decision.

Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?

That’s it, we just don’t store data that contains personally identifiable information. Our entire mission is around helping others do the same.

Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?

The GDPR and any of the data protection regulations inspired by it are HUGE. These have affected all of us for the better, really drilling into what it means for companies to responsibly store and use our data. The GDPR instigated the creation of new tech that was so necessary to ensure that companies could even figure out what personal data they were storing and who they had consent from and for what purposes. The European Commission’s draft law on IoT device security is also worth keeping a close eye on. If passed, it is bound to force manufacturers to adapt to the very real cybersecurity threats of the 21st century and once again cause massive innovation. As for any concerning legislation, I think what’s most concerning now is often ignored in regulations: auto manufacturers can resell your data without your positive consent, and facial recognition can be used when you don’t expect it to be used and without your positive consent.

In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?

They most certainly have matured. One example is that the GDPR requires you to know all the personal information you have stored about a specific individual so you can easily answer access to information requests and requests to be forgotten. Some companies now help make that possible. I cannot recommend any, as I haven’t tried any of these tools myself, since we don’t collect personal data.

But on our end, at Private AI, we enable massive processing of semi-structured and unstructured data (text, images, video, and mixed media) to redact personal data and to identify which personally identifiable information is present — this was absolutely not possible to do before with the high levels of accuracy we reach.

There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?

They have not changed the way we operate. We continue to scan our code daily for vulnerabilities, we enforce strong passwords, use password managers, and have multi-factor authentication enabled, and most important of all: we do not store data that contains personal information within our servers.

Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)

  1. Make sure you’re allowed to use the data you’re collecting
  2. Minimize the amount of personal data you collect.
  3. Beware of using personal data when training machine learning models.
  4. Keep track of all of the personal data you’ve collected.
  5. The right privacy enhancing technology for you depends on your use case.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

Privacy is one of the most important issues humanity is grappling with at the moment, as we enter a more technologically advanced and interconnected future. It’s up to each of us to bring up misuse of personal data within our organizations, and up to each leader to empower their employees to discuss and implement privacy best practices. Cybersecurity attacks are not a matter of if, but when. And there’s no better prevention than having an entire organization looking out for their users.

How can our readers further follow your work online?

They can follow what Private AI is doing on Twitter or LinkedIn, or they can follow me on Twitter or Medium.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!


