Having planned for our wedding day for more than a year, it’s strange now (not in an unwelcome day) to think that it is behind us.

My partner and I were married on August 3, 2024, surrounded by so many special and wonderful people from our lives. No words could really do justice to describing the emotion of the event. In fact, the entire weekend was filled with more laughs, hugs, tears (happy tears!), and general joy than I can could write about in a million words. But this post isn’t about all of that. Instead, I want to take an opportunity to say thank you to all the amazing experts, vendors, planners, and doers who helped make the day work.

As a manager I have to make multiple decisions every day, and even I was shocked at how many distinct and difficult decisions went in to putting a wedding together. Everyone I include here represents the outcome of at least one of those decisions, and every single one I can recommend. In addition to showcasing my gratitude, my only other hope is that what I put here may also help someone else trying to navigate that maze of event planning in a way that makes things just a tad easier.

Early in the process of wedding planning, my good friend Mark (also a member of my bridal party) imparted some valuable advice: “Something is going to go wrong during the wedding. And it is going to be ok and you should not let it ruin the day.” He was not the only person who would advise us both on the inevitable collapse of some part of the day, and we believed them all. “I’m not planning so that everything goes a certain way,” I would say, “I’m planning so that we know how to bypass the things that go wrong.”

Late in the evening following the wedding, when everyone was making merry and dancing, Mark and I reflected back on these conversations. Mark, in his very Mark way, looked at me with a fake pout and a happy look in his eye and sarcastically lamented… “I don’t know how but I don’t actually think anything went wrong.” It feels needlessly boastful to confirm that he was right, but I take little credit for any of that. In fact, if we were to break down responsibility for our wonderfully unmarred day, I’d credit my partner and I with only about 5%, and that solely from heeding the advice of friends like Mark and consciously deciding that there was nothing that could happen on those days worth getting upset over. Another 5% I’d owe to pure luck: for instance, that we ended up somehow avoiding the rain that had been long forecast to drench the entire weekend, or that mere weeks after a major failure of most airline systems, we had shockingly few guests with flight delays, and no cancellations.

However, the beautiful grounds and amazing team at Hawkesdene are the real driving force that made our wedding weekend something special.

I couldn’t imagine a more perfect backdrop for our wedding than Hawkesdene, a large private estate in Andrews, NC, less than 2 hours west of Asheville. My partner and I have often said that we’re people who would roam through the mountains all day, and then get dressed up for a fancy dinner and an evening at the theatre. Between its hiking trails and its art collection, Hawkesdene gave us an opportunity to get married in an environment that was just as eclectic as we are. And it was just as big of a factor that Hawkesdene had space aplenty so that we could host most of our friends and family all together, maximizing the opportunities for people to connect and minimizing time (and risk) moving people from place to place.

Not only was Hawkesdene perfect from a location perspective, but the staff were above-and-beyond. Working with Rob (owner) or Jami (manager) in the months leading up to the wedding ensured that we always had all the information we needed to make informed decisions (so…many…decisions) and that we felt prepared when the weekend finally came. Then, when it did, the entire team was an absolute pleasure to connect with. Jami and Ashley seemed to stay three steps ahead of anything that may have even created the potential for an issue, answering questions we didn’t know to ask and taking what sometimes was a nascent picture even to us and making it reality. Special thanks also to Jaylan, who not only was always ready with a smile and a kind word, but also operated as cart pilot for any guest who wanted to join our group at the Hawk’s Nest lookout but was unable to make the hike on their own.

No review of Hawkesdene could be remotely complete without comment on the food. From the first vendor we connected with, it was clear Hawkesdene had a reputation for amazing food, and they did not disappoint. Every meal we had was spectacular, and from mouth-watering appetizers through particularly decadent desserts, nothing was left to be desired. Even the special meals for those with allergies or restrictions were top-notch, and I was particularly grateful for the venue’s willingness to alter their general menus to accommodate for my own restrictions. Finally, the kitchen’s willingness to engage on our cocktail and mocktail preferences was a special bonus, even making fresh cucumber juice and strawberry syrup to have on hand.

From beginning to end, we truly couldn’t have asked for a better wedding venue than we got with Hawkesdene and we both recommend it without any reservation.

Venue is of course not the only choice for a wedding. Let me cover a few folks, some of whom I barely got to interact with directly, but each of them without which the day just would not have been the same.

Emily Sibitzy, who served double duty in the bridal party, was the graphic design mastermind behind our menus, programs, and the keychains we gifted all our guests. I was lucky enough to meet Emily during a summer working Legal Aid in Roanoke, and she has never ceased to amaze me with her ability to make the world look beautiful. Her work bridging our natural themes with an art deco style set the perfect tone for the entire event.

Flowers were a difficult thing for us to think through while trying to be both environmentally- and economically-conscious. I was thrilled when we found Harpp Flower Farm — a local flower farm with a focus on sustainability. From our first communication, Holly was engaged with the opportunities in our bright color palette.

She helped me figure out what floral elements would have the best impact and worked to get a sense of our style. The resulting bouquets and displays were vibrant and full of a variety of textures that provided a lovely natural touch across every part of the day.

Cake was another thing we struggled with. We decided early that we would forgo a large cake in favor of a lineup of cupcakes where we could include a larger number of flavor options, but still wanted something small as a centerpiece. After something of a cupcake odyssey, traveling from Asheville to Georgia sampling way too many bakeries in a 24 hour period (can you say “sugar high”?), we landed on Homespun Hobbies, just up the road from Hawkesdene.

The little cakes all got rave reviews — in fact, despite ordering more than 2 cupcakes per guest, we only had a small handful left (which were very much enjoyed by the two of us in the couple days after the wedding).

This next section I want to dedicate to the ladies at Make Me Up Georgia, who went above and beyond working with folks in the wedding on hair and makeup. Outside of the team at Hawkesdene, the ladies of Make Me Up were easily the people that I personally interacted with the most, and they made the entire process a true joy. With both the bride’s and groom’s sides being mixed gender, with an array of styles, preferences, and ideas, it certainly felt like a lot for two people to be able to handle. But Ariana and Melissa made it seem effortless, listening to every different person to create a look that reflected their unique personalities all while keeping on schedule. And indulging us the little dog who wanted to hang out, too.

Not only did everyone feel like a million bucks right out the gate, but it stayed that way all night, no matter how much smiling, eating, or dancing we all indulged in. And in between styling, curling, priming, and finishing, they also offered advice, insights, and assistance to us all getting ready that was absolutely priceless. It was easy to see why they came as a recommended vendor; these are absolutely the people you want coming to help you get ready for a big event.

Another major rave goes to DJ Craig Loveland at Loveland Productions. Music is really important to both of us — we started compiling playlists and discussing music choices nearly as soon as we started thinking about the wedding itself. Working with Craig we realized we had found someone who knew how to capture the exact combination of joy and fun that we were looking for. He took the time to get personally acquainted with our musical tastes and gave a lot of space for us to provide thoughts and input.

From hitting the marks to enhance every part of the reception, through his ability to seamlessly shift the dance music from “day” to “night”, Craig could not have been more in tune with what we were hoping for. And I would be so bold to say the guests felt the same — the dance floor stayed occupied from the moment it opened until the moment that we finally had to pack it up.

No post of gratitude would be complete without a word about the folks behind the custom wedding dress I was able to wear down the aisle. Finding a dress that made me happy ended up being one of the most difficult tasks in the months before the wedding. Perhaps one could say that I have my own idea of fashion, and visiting store by store and looking at (what felt like) a hundred designer websites, I didn’t think I’d ever find anything that felt distinct.

Enter, the folks at Zoya’s Atelier, outside Washington, DC. The stylists at Zoya’s talked to me about what I had liked, what I didn’t like, and helped me piece together a dress that felt like it was designed just for me (and I guess it was, in a way). The dress was a custom creation from Suzanne Neville, combining the skirt from one dress, the bodice of another, and incorporating the bow from yet a third.

The creation of the dress wasn’t the end of it, though. The seamstresses at Zoya’s then worked with me to further customize the dress. Not only did they have to up the hem (yes, I’m short) and do other general items, but they also took time again to listen to me, and took care to build more structure into the fit and flow of the skirt. While I started my shopping experience not sure what I was looking for, I was able to land in a beautiful and unique work of art and I’m grateful to everyone who helped make that happen.

There are a million other vendors and experts I should say thank you to. A quick run down:

• Liz at Sapphire Ballroom dancing spent hours working with us as total dancing newbies. She was patient, kind, supportive, and (most importantly) helped us find the fun in preparing for those big wedding moments. What could have been the most stressful part of the day ended up being one of our most treasured moments and we owe much of that to the time we spent learning with Liz.

• Sharon Mandel stepped in on a last-minute request to lead an amazing on-site yoga class that was just the perfect blend of energizing and calming, and perfect for our guests of all ages and backgrounds.
• The folks at Grant Laughter Jewelry ensured that my engagement ring, a long-time family heirloom from my (now) in-law’s family, was cleaned up and gleamed like new on our big day.
• Pre-wedding appointments at Sachi Spa, Gaze Lash & Brow Bar, and Bronzed (all in Asheville) had me feeling primped and relaxed going into the wedding weekend. The folks I worked with were each attentive and provided excellent services.
• We took a big party of folks into Noire the Nails Bar in Asheville, who definitely provided 5-star service. Not only were the technicians friendly and professional, and did an excellent job, but on learning we were preparing for a wedding, the manager cracked open a bottle of champagne to celebrate with us. A really warm and memorable experience all around.

Another post will follow; I can’t imagine having anything but glowing praise for our photographers and videographer, but we’ll save those words of gratitude for another day once we have some products to share!

In June 2022, the U.S. Supreme Court published the much-anticipated final decision on Dobbs v. Jackson Women’s Health Organization. In an exceptionally rare circumstance, an earlier version of the decision had been leaked, and was published by Politico. Penned by Justice Alito and joined by four additional Justices, the majority opinion followed through on the threat of the earlier-leaked draft and overruled Roe v. Wade, which for 50 years had stood for constitutional protection for reproductive health decisions, specifically for the right to have an abortion. In the wake of the decision, abortion was banned or severely limited many states, including those that had already passed “trigger laws” or are expected to pass a law in the coming months.

As the gravity of the opinion continues to sink in, it is still hard to fully comprehend the potential future impact. In a particularly troubling concurring opinion, Justice Thomas indicated that he was supportive of efforts to apply similar reasoning to other Supreme Court precedents recognizing fundamental rights under the constitution, including Griswold v. Connecticut, Lawrence v. Texas, and Obergefell v. Hodges. This language raises serious questions about the long-term viability of protection for rights of married couples to access contraception and equality regarding both sexual relations and marriage. Given both the Dobbs decision, and the possibility of where the Supreme Court could go next, the importance of protecting information related to personal health and wellness status and decisions in the United States has never been greater. However, doing so requires an inclusive approach to cybersecurity that places the individual, and in particular people from traditionally-marginalized communities, at the center of the conversation.

This short essay will examine the current scope of data implicating health status, the state of the legal requirements governing law enforcement access to that data, the landscape around current data privacy and security law and practices for private organizations, and ultimately a recommendation toward implementing an inclusive approach to organizational data security to protect individuals who may be targeted by oppressive laws criminalizing health procedures or other acts limiting individual rights.

Data and Health Status

A 21st century explosion of consumer technology products and services has led to processing of vast amounts of personal data that is either directly or indirectly related to health status. Some of this is intuitive. For instance, with the spread of COVID-19 starting in 2020 and the rise of social distancing there was a correlating sharp increase in the use of health apps. Deloitte reports that in 2020, more than 90,000 health-related apps were added to app stores for download and use. Health apps can include those that provide resources, consultation services, or tools to track symptoms or identify ailments. For certain segments of the population, these apps may also include menstruation or pregnancy trackers and sexual health aids. People who use these apps often intentionally record or track certain health-related information to assist with medical conditions, conception, or for other personal reasons.

However, it isn’t only the data in health and wellness apps that can reveal health information. For instance, a smartwatch tracks how often a person exercises (or engage in other strenuous activities) and can note variances in types or forms of activity; purchase history revealed through store logs (including reward or loyalty programs) or bank statements can detail purchases that implicate health decisions, from vitamins and over the counter treatments, to trends related to alcohol consumption or dietary changes; Your preferred navigation application, along with any other location-tracking technologies, can disclose, for one example, what doctors you have been seeing, when, and with what frequency. To a layperson, these may not seem like obvious paths to determining if a person is (or isn’t) pregnant, or is facing any other ailment or malady, but some of these records may actually be easier or more obvious paths to identify either individual or even lists of people who have received certain medical treatment.

In 2016, the Future of Privacy Forum conducted a study on mobile applications. The study determined that application developers had increasingly recognized and responded to privacy questions raised by individuals. However, perhaps counterintuitively given the level of sensitivity involved in the information, health and fitness apps were less robust on this question than the average app in general across all measured categories. A more recent study suggests these trends continue: a majority of apps studied allowed behavioral tracking and shared data with other organizations, and only a slight majority provided data security information.

When discussing privacy, inevitably many people emphasize that principles of “personal responsibility” or the “free market” support that users should themselves be aware of all of the risks in consenting to the collection of their information. However, even were that to be the case, most laypeople may find it impossible to opt out of the full scope of data collection that implicates health status. A 2022 editorial in The Los Angeles Times underscores that hiding data about your health status and medical decisions is, at best, inconvenient and expensive, and requires a level of sophisticated knowledge about just how technology works. This, in turn, heavily preferences those with significant discretionary time, wealth privilege, and digital literacy. Even more troubling is that companies with no connection to individuals may still collect or aggregate large amounts of personal data from many public and/or private sources. That data, in turn, may be able to be used with advanced algorithms or artificial intelligence-driven systems to make educated inferences about health status. There is financial incentive for companies to engage in these practices. Reports have found that federal, state, and local law enforcement across the country are purchasing data, in part as a way to bypass other statutory limits or constitutional requirements pursuant to the Fourth Amendment of the U.S. Constitution.

Law enforcement access to data

The data collected by organizations provides a decadent reservoir of information for law enforcement to pursue in instigating or substantiating investigations into criminal activity, including criminalized health procedures. At the federal level,[1] there are two primary limits on government access to personal data: the Fourth Amendment and the U.S. Code.

Current Supreme Court precedent limits Fourth Amendment protections to areas where a person has a “reasonable expectation of privacy”. In cases where the Fourth Amendment applies, law enforcement must receive a warrant showing probable cause. A legal concept known as the third-party doctrine indicates that individuals do not have a reasonable expectation of privacy in information that they turn over to others, including financial institutions, telecommunications carriers, or others. As individuals have shifted from the practice of storing personal information in paper files in their homes to digital repositories stored on cloud servers, this constitutional exception has swallowed the rule. Notably, recent cases have started to suggest that there are limits to this doctrine, particularly when information is collected over time. However, developments in this space are progressing slowly, particularly in terms of technological development.

The analysis doesn’t stop after the Fourth Amendment questions have been answered, though. Federal law grants greater protection than the Constitution in some instances, including in many cases where the constitution’s protections have not traditionally reached. For instance, the wiretap act requires that, where a wiretap is sought, not only must the probable cause standard be met, but there must also be a showing of necessity where other less-intrusive search methods would be inadequate. For most other types of data, law provides for a lesser standard for access, such as through a court ordering demonstrating specific and articulable facts showing reasonable grounds that the data sought is relevant and material to an ongoing investigation.

These are not the only ways that law enforcement can gain access to data. Referenced above, one method is for law enforcement to purchase data from private organizations. In 2021, the Center for Democracy and Technology released a report studying the ecosystem and the information available, finding that law enforcement often uses misleading terms and descriptions to hide or otherwise obscure the data they are purchasing.

It is important to note that law enforcement does often have legitimate reasons to access personal data in pursuit of investigations into crime, including crime that impacts vulnerable or traditionally-marginalized populations and communities. However, current law implicates a near limitless range of personal data, much of it with minimal due process or evidentiary burden and without requirement for law enforcement to reveal what they are investigating in a request for organizations to hand over data.

What this means, unfortunately, is that even privacy-friendly organizations trying to protect their user’s information may, wittingly or not, ultimately still be subject to turning the data over to law enforcement so long as they have access to that data, including in investigations concerning abortion or other criminalized health decisions.

Data protection in the U.S.

As we’ve learned, so long as the proper evidentiary standard can be satisfied, law enforcement is able to gain access to any data collected and retained by companies or organizations. But are there limits on what data companies may collect or retain?

On the consumer side, the U.S. today takes a sectoral approach to its privacy laws. Laws exist to govern specific sectors, or data related to specific populations. For instance, the U.S. Health Information Portability and Accountability Act (HIPAA) provides some transparency and consent requirements for data collection and disclosure of personal health information. However, the scope of the law primarily governs conduct of health providers and their partners, and not most applications or other entities collecting health-related data, including, in some cases, applications that are recommended or used by medical offices or professionals. In the publication of a policy statement on the scope of the HIPAA rules on data security last year, Federal Trade Commission (FTC) Chair Lina M. Khan, indicated support for a more comprehensive approach to this information at the FTC: “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

Consequently, no federal law comprehensively governs data collection practices, including the collection or use of health information by most applications or devices.[2] That means that so long as these organizations don’t engage in deceptive or unfair business practices, both of which would be unlawful under the FTC Act, many organizations in this space are largely free from federal regulatory requirements.

Protecting user data: Data minimization and Encryption

So far we’ve discussed the many types of data that implicate health status, the ease by which law enforcement may gain access to that information when it is held by an organization, and the few restrictions on organizations collection and use of personal data.

While the law and constitution may permit law enforcement the authority to seek information, it cannot guarantee that information is ultimately obtained. Throughout history there have been many reasons why law enforcement may be unable to effectuate a search or seizure.

Relevant to this conversation are two important limitations to the reach of law enforcement. First, they cannot compel data that doesn’t exist; and second, they cannot access data if it’s adequately encrypted to prevent it from being readable. This means that organizations may still have proactive strategies available to them to protect against turning over information in these cases.

One method an organization may undertake is the robust implementation of data minimization — a foundational principle of data privacy that indicates that data should not be collected if it isn’t necessary, and shouldn’t be retained beyond that necessity. Organizations can choose to not collect or limit retention periods for data that may implicate health status. While this may work in some circumstances, however, users may receive important benefits from the collection of their information — menstruation apps can help people avoid pregnancy or monitor complicated health issues; fitness trackers encourage healthier lifestyles; and one can imagine the headaches involved with returning to a world of paper maps to find hospitals and medical offices without the assistance of on-demand navigation.

Perhaps more practical to ensuring continued benefits for individuals with mitigated risk is the second option. Organizations may either implement systems that only collect data in an encrypted format that is otherwise inaccessible to anyone without the password, which would live with the user, or to not centrally collect any user data, instead leaving it to be processed on the user’s device, which may be protected by device encryption itself.

Much has been written about the benefit of encryption to individuals. Encryption is a form of security that obfuscates the true meaning / plain text of certain communications or information. While encryption has been around for ages, the forms of encryption applied in the digital age are often tied to a key that would be nearly impossible to compromise through brute strength, at least not before the heat death of the universe. Law enforcement may have ways to bypass encryption, including through hacking operations like those enabled by government contracts with companies that find and take advantage of flaws in the encryption to extract data from otherwise encrypted mobile devices, like Cellebrite. However, the cost for these operations is much higher than simply going straight to a company and getting a download of data. Obtaining information this way also typically requires law enforcement to have the user device in hand. Not only does this mean that there is more transparency about the law enforcement operation (and a better opportunity to appeal), but that the law enforcement requests often cannot implicate bulk data from multiple individuals at the same time.

Both of these options, naturally, limit organizational access to data that may be part of the organization’s central business model. These systems also may be expensive to build and maintain. These facets both create barriers to implementation of these approaches which, in some cases, may be considered prohibitive.

An inclusive approach to data protection and security

Given the barriers to implementation of protective practices, what, then, incentivizes organizations to build their systems in a certain way that may offer critical protections to only a small percentage of the overall users of that system?

In implementing cybersecurity practices and protections, a large number of organizations utilize a risk-based approach, like the framework developed by the U.S. National Institute for Standards and Technology. The NIST Cybersecurity Framework encourages the creation of organizational profiles that take into account risks and resources, among other things, to help determine how to deploy precious resources like program funding and employee time.

In order to determine practicability and desirability of implementing the above practices, organizations should consider updating their profiles for the new post-Dobbs reality, and perhaps also the values behind their profiles. I propose that organizations adopt a human-focused approach to cybersecurity risk profiles that put an emphasis on principles of inclusivity. This inclusive approach, rather than focusing primarily on potential risks to the organization (like the cost of compliance with data breach notification or reputational harm from an incident), would also consider in depth the risks to the end-user (or the person to whom the personal data pertains) with an emphasis on people and communities who may be targeted by repressive laws or policies.

An inclusive examination of cybersecurity risks is not only a matter of a few individuals, but important to the protection of the human rights of everyone.[3] While human rights often are seen as the obligation of the state to protect, the Guiding Principles on Business and Human Rights clarify that organizations are required to comply with all applicable laws and human rights.” Organizations that incorporate these considerations into their risk profiles will be well-placed to ensure that they are leading on rights-respecting practices and resistant to authoritarian or repressive governments or practices. Approaching a risk analysis with humans in mind may reveal that investments in robust encryption or data minimization are actually in the best interest of the organization by reflecting the best interest of the organization’s key constituencies.

In addition to the risks of law enforcement access, encryption and other cybersecurity best practices may also benefit users in other ways. In 2014, Sarah Jeong wrote, “surveillance begins at home.” The article detailed the connection between intimate partner / domestic violence and surveillance in the home, in particular the ways technology facilitates tracking that can be used as a control mechanism in abusive relationships. The ability to access and use strong security measures, including but not limited to data and device encryption, to protect our technological existences is crucial to provide people who may be in dangerous or abusive situations the ability to control their own information in a way that may empower them to leave those situations or, in some cases, even provide life-saving protection.

Conclusion

The 2022 U.S. Supreme Court docket has made clear that long-held and much-cherished rights that people currently enjoy in this country are not guaranteed. Organizations will have to adapt to a world where law enforcement in the U.S. is in more direct opposition to the rights of their users, particularly when those companies are transacting with traditionally marginalized individuals and communities. Ultimately, to robustly defend people from the threat of criminal repercussions from personal health decisions post-Dobbs, protect personal autonomy, and preserve the exercise of all rights, policymakers need to start the process of examining how to update and amend existing U.S. federal law to limit the data that law enforcement can access in these cases, while preserving other necessary authorities. However, the law moves slowly, and organizations must act with haste to prevent users from harms risked by oppressive and authoritarian state laws.

The best approach for organizations is to re-examine their data security profiles from an inclusive perspective, looking toward the risks to their users from certain data practices, and target resources toward best preventing harm. This approach lends itself to benefit both organizations and individuals, and help build a digital future that can be resistant to authoritarian regressions.

[1] Other protections exist at the state level. For simplicity, we leave the discussion of those protections for another day.

[2] At the time of writing, the American Data Privacy and Protection Act, a bipartisan effort, was approved by the Committee on Energy and Commerce of the U.S. House of Representatives and, with support from leadership in both chambers.

[3] According to the former United Nations Special Rapporteur for Freedom of Expression: “[A]n open and secure Internet should be counted among the leading prerequisites for the enjoyment of the freedom of expression today. But it is constantly under threat, a space — not unlike the physical world — in which criminal enterprise, targeted repression and mass data collection also exist. It is thus critical that individuals find ways to secure themselves online, that Governments provide such safety in law and policy and that corporate actors design, develop and market secure-by-default products and services.” Further, in the face of the serious threats that individuals face online, “encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age.”

Julia’s work is the gold standard. She is a leader in tech journalism, and her investigations and reporting have undeniably had a considerable positive impact on the sector at large.

We oppose her recent ouster as Editor in Chief of the Markup — the entity she founded — and express deep disappointment at the implication that she was let go in order to shift the focus of the publication to “advocating against tech companies.”

Now more than ever the world needs principled, data driven tech reporting of the kind that Julia has built her career on. The Markup is set to launch in July and should not do so without Julia at the helm. We encourage all her original funders to investigate this situation and to take steps to ensure that the Markup stays true to its founding principles.

Sincerely,

(*If you would like to add your name please drop a comment. Any affiliations will be added for identification only*)

Mario Aguilar, Deputy Editor, Gizmodo

Ben Arnon, Color Farm Media

Patrick Ball, Human Rights Data Analysis Group

Kevin Bankston, Director, New America’s Open Technology Institute

Christine Bannan, Consumer Protection Counsel, Electronic Privacy Information Center

Renata Barreto, JD / PhD Candidate, UC Berkeley School of Law

Lindsey Barrett, Institute for Public Representation, Georgetown Law

Burcu Baykurt, Columbia University

Alvaro M. Bedoya, Founding Director, Center on Privacy & Technology at Georgetown Law

Steven M. Bellovin, Columbia University

Wafa Ben-Hassine, Policy Counsel at Access Now

Griffin Boyce, Berkman Klein Center for Internet & Society at Harvard University

danah boyd/ Microsoft Research and Data & Society

Joshua Braun, Associate Professor of Journalism, UMass Amherst

David Brody, Counsel & Senior Fellow for Privacy and Technology, Lawyers’ Committee for Civil Rights Under Law

Justin Brookman

Sean Brooks, Director, Citizen Clinic — UC Berkeley Center for Long-Term Cybersecurity

Deborah Brown, Global Policy Advocacy Lead, Association for Progressive Communications

Monica Bulger, Senior Fellow, Future of Privacy Forum

Georgia Bullen, Executive Director, Simply Secure

Ryan Calo, Tech Policy Lab

JC Cannon, Privacy Activist, Former Dir. of Privacy, Microsoft Corporation

Robyn Caplan, Phd Candidate at Rutgers University, Affiliate at Data & Society Research Institute

Karla Carter

Ann Cavoukian, Ph.D. leading the Privacy by Design Center of Excellence, Toronto, Canada

Christine Chen, independent consultant

Jon Christian, news editor at Futurism

Danielle Keats Citron, Prof of Law, University of Maryland School of Law (Prof of Law at Boston U School of Law as of July 1, 2019)

Maggie Clifford, PhD student, American University School of Communication

Rena Coen, privacy researcher

Cindy Cohn, Executive Director, Electronic Frontier Foundation

Gabriella Coleman, Wolfe Chair in Scientific and Technological Literacy, McGill University

Zane Cooper, PhD Student, University of Pennsylvania

Kate Crawford, co-founder and co-director of the AI Now Institute, NYU

Kade Crockford, Director, Technology for Liberty Program, ACLU of Massachusetts

Michelle De Mooy, Privacy and Data Ethics Consultant, former Director of the Privacy and Data Project at the Center for Democracy & Technology

Ángel Díaz, Liberty & National Security Counsel — Brennan Center for Justice

Judith Donath, Berkman-Klein Center @ Harvard University

Lilian Edwards, Professor of Law and Innovation, Newcastle Law School

Serge Egelman, International Computer Science Institute / U.C. Berkeley

Madeleine Clare Elish, Research Lead, Data & Society Research Institute

Kai Falkenberg, Media Lawyer & Columbia Law Lecturer in Law

Jim Fenton, Independent technologist

Ayden Férdeline, Technology Policy Fellow, Mozilla

Bill Fitzgerald

Roger Ford, Associate Professor of Law, University of New Hampshire

Camille Francois, Chief Innovation Officer, Graphika; Affiliate, Harvard Berkman Klein Center for Internet and Society; Fellow, Mozilla

Vince Fulco, Weisisheng Corporate Management Consulting

Eva Galperin, security researcher

Gennie Gebhart, Associate Director of Research, Electronic Frontier Foundation

Alexandra Givens, Executive Director, Georgetown Institute for Technology Law & Policy

Jeffrey Goldberg, 1Password

Yael Grauer, independent journalist

Evan Greer, deputy director of Fight for the Future

G.S. Hans, Assistant Clinical Professor of Law, Vanderbilt University

Woodrow Hartzog, Professor of Law and Computer Science, Northeastern University

Marcia Hofmann, Zeitgeist Law

Alexander B. Howard, E-PluribusUnum.org

Andrew Iliadis, Assistant Professor, Department of Media Studies and Production, Temple University

Joseph Jerome, Counsel, Privacy & Data Project, Center for Democracy & Technology

Elizabeth Joh, UC Davis School of Law

Mike Katz-Lacabe, Director of Research, Center for Human Rights and Privacy

Dragana Kaurin, Berkman Klein Center @ Harvard University

Ashkhen Kazaryan, Director of Civil Liberties, TechFreedom

Cameron F. Kerry, distinguished visiting fellow, The Brookings Institution

Aleksandra Korolova, University of Southern California

Daniel Leufer, AI policy & philosophy researcher

Micah Lee, security engineer and journalist at The Intercept

Douglas Levin, President, EdTech Strategies

Karen Levy, Cornell University, Department of Information Science

Kristian Lum, Human Rights Data Analysis Group

Stephen Lynch

Barry C. Lynn, Executive Director, Open Markets Institute

Dave Maass, Senior Investigative Researcher, Electronic Frontier Foundation

Colin Maclay, University of Southern California

Micaela Mantegna, Researcher, Center for Technology and Society, San Andres University

Alice E. Marwick, Assistant Professor, Department of Communication, UNC-Chapel Hill and Faculty Advisor, Data & Society Research Institute

Aaron Massey, Assistant Professor, University of Maryland, Baltimore County

Jeanna Neefe Matthews, Clarkson University/ Data and Society Affiliate

Bailey McCann, Independent Journalist and Author

Sean McDonald, Digital Public

Peter A. McKay, independent consultant, former Wall Street Journal reporter

Andrew McLaughlin, board chair at Access Now

Corynne McSherry

Whitney Merrill, Privacy & Data Security Attorney and Founder of the Crypto & Privacy Village

Peter Micek, General Counsel, Access Now and Adjunct Professor, Columbia-SIPA

Dan Mitchell, independent journalist

Mary Mitchell

Heidi N. Moore, Independent Media Consultant

Emanuel Moss, PhD Candidate, CUNY Graduate Center, Data & Society Research Analyst

Laura Moy, Executive Director, Center on Privacy & Technology at Georgetown Law

Paul Nemitz, Principal Advisor European Commission, Member of the German Data Ethics Commission

Sarah Newman, metaLAB at Harvard, Berkman Klein Center for Internet & Society

Eric Null, Senior Counsel, Open Technology Institute

Kurt Opsahl, Deputy Executive Director and General Counsel, Electronic Frontier Foundation

Javier Pallero, Latam Policy Lead at Access Now

Eli Pariser, Author, The Filter Bubble

Christopher Parsons, Research Associate, Citizen Lab at the Munk School of Global Affairs, University of Toronto

Faiza Patel

Melody Patry, Advocacy Director at Access Now

Heather Patterson, Intel Labs and Oakland Privacy Advisory Commission

Meredith L. Patterson, Special Circumstances, LLC.

Jon Pincus, CTO, A Change is Coming

Laura Poitras, Filmmaker

Jules Polonetsky, CEO, Future of Privacy Forum

Katherine Pratt, PhD Candidate, University of Washington

Megan Price, Human Rights Data Analysis Group

Cooper Quintin, Senior Staff Technologist, EFF

Karen Reilly

Joel Reidenberg, Stanley D. and Nikki Waxberg Chair in Law, Founding Director, CLIP, Fordham University

Victoire Rio — Myanmar Tech accountability Network

Emory Roane, Policy Counsel, Privacy Rights Clearinghouse

David Robinson, Upturn and Cornell University

Alex Rosenblat

David Ruiz, Content Writer, Malwarebytes Labs

Julie Samuels, Tech:NYC

Philip Di Salvo, researcher and lecturer, Università della Svizzera italiana (Lugano, Switzerland)

Maurizio Santamicone

Andrew Schrock, Aloi Research and Consulting & University of Southern California

Calli Schroeder, Privacy attorney and researcher

Ian Schuler, CEO Development Seed, Former Internet Freedom @ US State Department

Ross Schulman, Senior Policy Technologist, New America’s Open Technology Institute

Jason Schultz, NYU School of Law

David Segal, Executive Director of Demand Progress

Andrew Selbst, Postdoctoral Scholar, Data & Society Research Institute.

Andrew Sellars, Director, Technology Law Clinic, Boston University School of Law

Tarak Shah, Human Rights Data Analysis Group

Ryan Shapiro, Executive Director, Property of the People

Elissa Shevinsky, Editor of “Lean Out: The Struggle for Gender Equality in Tech & Start-up Culture”

Caroline Sinders, researcher and fellow with the Mozilla Foundation

Ryan Singel, Fellow at Stanford Law School’s Center for Internet and Society, former Wired editor

Ashkan Soltani, Independent Researcher and Consultant. Former FTC Chief Technologist, and consulting researcher for Julia Angwin @ the WSJ in 2009–2012

Amie Stepanovich, U.S. Policy Manager at Access Now

Olivier Sylvain, Fordham Law School

dan tynan, independent journalist (adweek, guardian, fastco), former eic at yahoo tech

Amelia Vance, Director of Education Privacy, Future of Privacy Forum

James Vasile, Partner at Open Tech Strategies, Frmr Director of Open Internet Tools Project, Founder at FreedomBox Foundation

Suresh Venkatasubramanian, Professor, School of Computing, University of Utah

Sandra Wachter, Oxford Internet Institute, University of Oxford

Pat Walshe, independent consultant, Privacy Matters (Pat Walshe)

Rian Wanstreet, PhD Candidate, University of Washington

Nicholas Weaver, Lecturer in Computer Science at UC Berkeley and Researcher at the International Computer Science Institute

Gabriel Weinberg

Daniel Weitzner, MIT Internet Policy Research Initiative and Former White House Deputy CTO

Sarah Myers West, Postdoctoral Researcher, AI Now Institute, NYU

Marcy Wheeler, Independent journalist at emptywheel

Kenneth White, security researcher and DHS policy advisor

Royce Williams, security researcher and public-interest technologist

Marlena Wisniak, Stanford Law School / Investor Alliance for Human Rights

Nicole Wong, Former Deputy US Chief Technology Officer

Teddy Woodhouse, Research Analyst & Advocate, Web Foundation

John Wunderlich, Vice Chair of the Board, MyData Global @mydataorg

Scott Yates, Founder, Certified Content Coalition

Jillian C. York

Harlan Yu, Executive Director, Upturn

Ethan Zuckerman, Director, Center for Civic Media, MIT

Defining privacy is difficult. Our sense of privacy is deeply personal, and each of us interprets it through the lens of our own life. I should know. I work on these issues every day at Access Now, analyzing how users interact with one another, companies, and governments, and how those interactions support or repress human rights.

Privacy takes the protagonist on a journey that the audience knows, understands, and can relate to. Who are we? Who are we online? How do we relate to ourselves and others? How do we use technology, and how does it use us? And that’s only the first act.

Ultimately, the show raises questions rather than provides answers. Through actor-portrayal of real-life experts in the field, like Senator Wyden, Daniel Solove, and Sherry Turkle, it forces us to consider the very concepts of identity and self that we take for granted. The show challenges assumptions about interacting online and puts a spotlight on our mis-conceptions. Privacy is the type of show that, even after you’ve forgotten the dialogue, you remember the message: The internet has changed us. It has changed everything. And there’s no going back.

I thank everyone involved in the show for taking me on this journey with them. If you have the fortune of being in or near New York City, you should go see Privacy. At alternate times both hilarious and heartbreaking, never before have I seen these complicated issues dealt with in a way that was so easy to relate to.

Bravo! (Although, if the writers read this — the U.S. does have federal privacy laws!)

Today’s battle is just the most recent iteration of a long-fought “crypto war” that initiated with fights on export controls in the 1970s, and continued with mandatory third-party access to encryption keys in the 1990s. These most recent discussions started in 2010, when the U.S. Federal Bureau of Investigation proclaimed it was “going dark,” a claim that has been hotly debated.

Throughout each part of this fight, there has been one fact that simply cannot be argued around: it is not possible to weaken or insert vulnerabilities into software or hardware in a way that doesn’t make all users less secure.

That is not to say that so-called backdoors are not possible. In fact, many companies maintain the capability to access user data for any number of reasons, many of which relate to ensuring the usability of a product or service. However, when a company is prevented from implementing the most secure system possible to protect its users, those users are put at serious risk.

In short, encryption is absolutely essential to our security in the digital world.

But certain members of law enforcement continue to insist that some sort of “magic key” is possible. They tell us that if only the experts would “nerd harder,” then only authorized officials, and not bad actors, could gain access to databases. This argument places all the burden on technologists to disprove it, and takes no responsibility for consequences if and when companies divert efforts from product security to work on developing this pixie dust.

It also ignores that these companies are already in a constant battle to secure networks and systems. Most technologists will tell you that to keep all bad guys out, security essentially needs to be perfect. Any chink or hole will, eventually, be found and exploited. However, perfect security is a pipe dream — so we’ve ended up in a race to stay just one step ahead of the people looking to break into your stuff, and we’re losing. It seems like we can barely go a full day without hearing another data breach has been discovered.

Instead of convincing technologists to backtrack on their security, government officials should affirm the importance of uncompromised security.

That affirmation may be a long time coming. Late last year, I was in two meetings with senior White House officials to talk about encryption and digital security. In the first, we were told that the administration wanted to get past the arguments on encryption. That was very good news. If the president took a strong position on these issues, it would not only help improve security in the U.S., but also globally, stopping oppressive governments from using our silence as political cover for passing bad laws.

However, a day after that, at the second meeting, the talking point had shifted. Instead of promising to put the encryption policy debate to rest, officials suggested that the goal was to “expand” the conversation to include other issues. The shift signaled that the White House would not support settling even the most basic questions about encryption anytime soon.

Accordingly, advocates, experts, and technologists continue to devote time and resources to this same debate, making it harder to open a public discussion about other ways the government has to break security — like hacking.

We know U.S. government agencies hack into devices and systems, buying and maintaining access to vulnerabilities to allow them to do so. We don’t have much information about these activities. What safeguards are in place to protect users on the back end? What separation exists between the agency that develops encryption standards and the NSA’s own hacking teams? Under what circumstances, exactly, does the FBI or NSA (or other agencies) disclose a vulnerability they have discovered or purchased? Alternatively, when does law enforcement think it’s appropriate to keep the vulnerability secret, preserving their back door but keeping us vulnerable?

It is time that we discussed these things out in the open. And to do that, we must get past this distracting and redundant debate on encryption once and for all. Otherwise we will continue through this real-life version of Groundhog Day, endlessly fighting and re-fighting the crypto wars, while a whole host of practices continue under the radar that are sacrificing the security of the ordinary people that the government is supposed to protect.