All sessions will be held in the Santa Clara Ballroom unless otherwise noted.
(Registered attendees: Sign in to your USENIX account to download this file.)
PEPR '25 Attendee List (PDF)Monday, June 9
7:30 am–9:00 am
Continental Breakfast
Mezzanine East/West
9:15 am–10:30 am
Privacy Risks
Room Captain: Emily Choi-Greene, Clearly AI
Privacy Paradigms for Law Enforcement Response
Lukas Bundonis, Netflix; Ben Ballard, MITRE
The phrase "law enforcement response" is ambiguous. It most often describes the domain of legal engineering that comprises corporate disclosure of data to government authorities in response to a legal request for information. However, this definition oversimplifies an opaque process. Law enforcement requests for information and the legal processes that structure them resist comprehension by design. Wiretap and pen register orders (real-time surveillance), lawful intercept requests, emergency disclosure/data requests, and national security letters all fall into this category. However, basic types of information requests, such as subpoenas and warrants for information, are less opaque, and provide an opportunity for greater standardization of information disclosure. A discussion of law enforcement response systems in the context of data privacy therefore bears merit. This is especially true when viewed through the complementary lenses of a concept Lawfare fellow Alan Rozenshtein coined in 2018—"surveillance intermediaries"—and an increasingly aggressive series of nation-state intelligence operations targeting sensitive corporate infrastructure. This short talk will explore what intermediaries are, why they matter, some of the risks posed to their sensitive systems, and what the speakers believe we all can do as privacy professionals to better defend them.
Lukas Bundonis is a Senior Privacy Engineer at Netflix and the program lead for Legal and Privacy Engineering (LEAP), which comprises Subject Access Requests (SAR), data holds, law enforcement response, and other legal engineering services. He previously worked on law enforcement response, counter-abuse, and machine learning issues at Google, and served in the Intelligence and Space branches of the United States Army Reserve. He has spoken and written on a variety of intelligence and privacy topics for Lawfare, internal technical conferences, the Defense Innovation Unit, Harvard University, and more. In his free time, he lifts weights, writes poetry and stories, and enjoys finding new hobbies to abandon in search of others.
Ben Ballard is a Senior Cybersecurity Engineer at the MITRE Corporation. Ben has served as a Google Public Policy Fellow at the Electronic Frontier Foundation, an X-Force Fellow with the National Security Innovation Network, and a cybersecurity fellow at the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto. His research centers around the international governance of information security and privacy, especially data appropriation, surveillance, and deception. At work, he supports hardware security projects, cyber resilience efforts, risk assessments, international capacity building, and privacy threats research. In his spare time, he's either on the Brazilian Jiu Jitsu mat or pampering his cat, Loki.
Remediating Systemic Privacy Incidents
Sam Havron, Meta
When a privacy incident occurs, our incident management process kicks in to quickly identify the root cause, mitigate the issue, and conduct a post-mortem review. While a post-mortem ensures the same incident doesn't reoccur, we want to take a more proactive approach and prevent similar incidents and enhance our privacy posture. This however could face challenges resulting from a lack of visibility and insufficient metrics. Incident owners may not be aware of similar incidents that require joint analysis, leading to missed systemic root causes. Furthermore, measurements to determine the frequency of similar incidents could be lacking to assess the effectiveness of our prevention efforts. To address these challenges, we've developed a program along with tooling to identify, analyze, and remediate systemic privacy incidents. In this talk, we'll cover our approach to tackling these clusters, including:
- Automated Cluster Identification: Using heuristic and LLM-based methods to automatically identify clusters
- Analysis and Remediation: Analyzing prioritized systemic clusters and holding teams accountable for remediation
- Regression Alerting: Implementing alerting systems to detect regressions and prevent similar incidents from happening again
Join us as we share our experiences and insights on tackling systemic privacy incident clusters and improving incident management processes.
Authors: Sam Havron, Meta (Speaker); David Huang, Meta (Not Speaking)
Sam Havron is a Privacy Engineer at Meta, with a focus on developing workflows to scale incident investigation and review. Sam has an M.S. in Computer Science from Cornell University, and a B.S. in Computer Science from the University of Virginia.
Observable...Yet Still Private? An Offensive Privacy Perspective on Observability
Cat Easdon, Dynatrace Research; Patrick Berchtold, Dynatrace
Observability platforms provide development and operations teams with insights into their distributed systems, typically combining logs, metrics, and traces with additional telemetry for use cases such as runtime security monitoring and understanding user behavior. While this data is tremendously useful for troubleshooting and product development, it also poses privacy challenges. In this session, we'll consider these challenges through an offensive privacy lens, presenting our research conducting reconstruction attacks against aggregated user session data. We'll explore how offensive privacy research can be used to support the business case for a new product privacy feature, discuss the unique aspects of privacy threat modeling in a business-to-business (B2B) setting, and consider runtime mitigations to halt reconstruction attacks earlier in the 'privacy kill chain'.
Cat Easdon is an engineer and researcher working at the intersection of privacy, security, and policy. She leads Dynatrace's privacy engineering team, designing product privacy features and building privacy controls into the software development lifecycle.
Patrick Berchtold is a software engineer at Dynatrace and a student at TU Graz, researching reconstruction attacks at ISEC in collaboration with Dynatrace in his thesis. His thesis focuses on applying reconstruction attacks in industry scenarios, exploring their risks and implications for real-world systems.
Using Privacy Infrastructure to Kickstart AI Governance: NIST AI Risk Management Case Studies
Katharina Koerner, Trace3; Nandita Rao Narla, DoorDash
The NIST AI Risk Management Framework has emerged as a popular choice among US based organizations aiming to build responsible AI governance programs. However, real-word adoption of this very comprehensive framework is both challenging and onerous—often falling on privacy engineers who are voluntold to lead AI governance efforts. This presentation will explore key lessons learned from implementing the NIST AI RMF for different industries, highlighting how existing privacy infrastructure, policies, and other governance frameworks can serve as a foundation for AI risk management and compliance. We will also uncover common pitfalls and present a lightweight approach to jumpstart this framework adoption.
Katharina is a seasoned expert in AI governance, tech policy, privacy, and security, with a background spanning law, public policy, and emerging technologies. She is currently a Senior Principal Consultant - AI Governance and Risk at Trace3, a leading technology consulting firm specializing in cloud, data, AI, and security solutions. Previously, she was AI Governance Lead at Western Governors University (WGU), where she developed AI/ML governance frameworks, led policy initiatives, and assessed AI risks. She has also worked as a Principal Researcher - Technology at IAPP, conducting research on privacy engineering, AI regulation, and technology governance. With a PhD in EU Law, a JD in Law, and multiple certifications in privacy, security, and AI, Katharina bridges policy, law, and technology to drive ethical and responsible AI adoption.
Nandita Rao Narla is the Head of Technical Privacy and Governance at DoorDash. Previously, she was a founding team member of a data profiling startup and held various leadership roles at EY, where she helped Fortune 500 companies build and mature privacy, cybersecurity, and data governance programs. Beyond checkbox compliance programs, Nandita is interested in developing products that respect user privacy and build trust. She is a Senior Fellow at Future of Privacy Forum and serves on the advisory boards and technical standards committees for IAPP, Ethical Tech Project, XR Safety Initiative, Institute of Operational Privacy Design, IEEE and NIST.
10:30 am–11:00 am
Coffee and Tea Break
Mezzanine East/West
11:00 am–12:25 pm
Respecting Users
Room Captain: Vasudha Hegde, DoorDash
UsersFirst: A User-Centric Threat Modeling Framework for Privacy Notice and Choice
Norman Sadeh and Lorrie Cranor, Carnegie Mellon University
Recent privacy regulations impose increasingly stringent requirements on the collection and use of data. This includes more specific obligations to disclose various data practices and the need to provide data subjects with more comprehensive sets of choices or controls. There is also an increasing emphasis on user-centric criteria. Failure to offer usable notices and choices that people can truly benefit from has become a significant privacy threat, whether one thinks in terms of potential regulatory penalties, consumer trust and brand reputation, or privacy-by-design best practices. This presentation will provide an overview of UsersFirst, a Privacy Threat Modeling framework intended to supplement existing privacy threat modeling frameworks and to support organizations in their analysis and mitigation of risks associated with the absence or ineffectiveness of privacy notices and choices. Rather than treating privacy notices and choices as mere checkboxes, UsersFirst revolves around user-centric interpretations of these requirements. It is intended to reflect an emerging trend in privacy regulations where perfunctory approaches to notices and choices are no longer sufficient, and where instead notices and choices are expected to be noticeable, usable, unambiguous, devoid of deceptive patterns, and more. The presentation will include results of a detailed evaluation of the UsersFirst user-centric threat taxonomy with people working and/or trained in privacy.
Norman Sadeh is a Professor in the School of Computer Science at Carnegie Mellon University (CMU), where he co-founded and co-directs Privacy Engineering Program. Norman served as lead principal investigator on two of the largest domestic research projects in privacy, the Usable Privacy Policy Project and the Personalized Privacy Assistant Project. He was also founding CEO and, until its acquisition by Proofpoint, chairman and chief scientist of Wombat Security Technologies, a company that defined the multi-billion dollar user-oriented cybersecurity market. Technologies Norman developed with colleagues at CMU and Wombat are used to protect tens of millions of users around the world against cybersecurity attacks such as phishing. Earlier in his career, he also served at the European Commission as Chief Scientist of the 550M Euro eWork and eCommerce initiative, which included all pan-European research in cybersecurity and privacy and related policy activities.
Lorrie Faith Cranor is the Director and Bosch Distinguished Professor in Security and Privacy Technologies of CyLab and the FORE Systems University Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She directs the CyLab Usable Privacy and Security Laboratory (CUPS) and co-directs the Privacy Engineering masters program. In 2016 she served as Chief Technologist at the US Federal Trade Commission. She is also a co-founder of Wombat Security Technologies, Inc, a security awareness training company that was acquired by Proofpoint. She founded the Symposium On Usable Privacy and Security (SOUPS) and co-founded the Conference on Privacy Engineering Practice and Respect (PEPR). She currently serves on the board of directors of the Computing Research Association and the Center for Democracy and Technology. She is a fellow of ACM, IEEE, and AAAS. She received the 2018 International Association of Privacy Professionals Privacy Leadership Award
Enterprise-Scale Privacy for AI: How Canva Scaled Customer Control of Data for AI Training
Phillip Ward, Canva
Canva's mission is to empower the world to design. A major challenge to that mission is securing the data required to build the AI-powered tools that modern professionals love. This is not just the newest and fanciest generative-AI tools. Even the humble background remover and template library search functions require data that represents our user community in order to perform at the level our users expect. To create the best experience for users, this data must be as unique and diverse as our community, and as we scale, data from our growing community is essential to building a better product. However, no one can do their best creative work if they do not feel safe and empowered. We want our users to experience high quality protection for their personal information and personal creations, so every use of their content must be carefully considered. In this talk, I will outline the AI consent platform that we have built. I will share how Canva built an end-to-end ecosystem to simultaneously empower users to control their data and power the next generation of AI tools. This ecosystem spans from the user experience of providing consent, to the controls and platforms that ensure our 100+ models respect user consent every day.
Dr. Phillip Ward is the Lead of Privacy Engineering at Canva, specializing in privacy technology with over a decade of experience in software engineering, data science, and computer science. He leads a team focused on creating privacy-enabling infrastructure for the rapidly growing tech company. His team develops innovative solutions for automating risk and audit functions, simplifying compliance for employees, and empowering customers to control their data and experiences. Dr Ward has diverse experience across hydrological modeling, neuroscience, financial services, physiology, data science and software engineering, and he holds university degrees in maths, physics, computer science, and biomedical imaging.
Panel: The "Privacy" Offered by PETs and the "Privacy" That Users Want. Why So Different?
Moderator: Lawrence You
Panelists: Don Marti, Raptive; Miguel Guevara, Google; Greg Chappell, Privacy Angel Investor; Ari Levenfeld, Google
The "privacy" offered by "privacy-enhancing technologies" (PETs) on the web is remarkably different from the privacy that users want and expect. People seek out privacy to avoid real-world privacy harms such as fraud and algorithmic discrimination, and PETs, focused on more narrow mathematical goals, can actually make the real privacy problems worse and harder to detect. Can today's PETs be fixed, or should the web move to more productive alternatives?
Lawrence You most recently worked as a director and privacy engineer at Google, where he led a team that developed core business practices working across software development, research, data management, legal, compliance, incidents, and investigations teams; during his earlier years, he led storage and log analysis teams. During Lawrence's career, he has worked on large-scale data storage, platforms, and development tools. He has supported PEPR as a volunteer and served as co-chair in 2024 and 2025.
Don Marti is VP of Ecosystem Innovation at Raptive (the company that used to be CafeMedia), and a former strategist at Mozilla and former editor of Linux Journal. He works on web ecosystem and business issues including collaborative research on the impact of advances in consent management and tracking protection technology. He started the California authorized agent project at Consumer Reports Digital Lab that led to the the development of CR’s Permission Slip service. Don has written for AdExchanger, Linux Weekly News, and other publications, and co-authored a paper on the economics of software quality for the Journal of Cybersecurity and a book chapter in Advances in Advertising Research.
Miguel Guevara works at Google's Data Protection team, focusing on implementing privacy-enhancing technologies at scale and launching new initiatives that further overall privacy.
Greg Chappell is a software engineer and angel investor with over 20 years of experience at leading technology companies. Most recently, he worked on AI Responsibility at Meta, where he served as the senior engineer leading efforts in targeted AI transparency, youth advertising, and user data governance for large language model (LLM) training. Prior to Meta, Greg was a Principal Engineer at Amazon, spearheading initiatives in AI Privacy, and held engineering roles at Microsoft.
Today, Greg focuses on angel investing, partnering with early-stage startups at the forefront of privacy, security, and responsible data innovation. He holds an M.S. in Computer Science & Engineering from the University of Washington and a B.S. in Computer Science from Rensselaer Polytechnic Institute.
Ari Levenfeld is the Global Head of Ads Privacy for Google’s Government Affairs and Public Policy team. He has spent the last 20 years working for technology companies, focusing specifically on privacy, global compliance, data protection and policy. Prior to Google, Ari was Chief Privacy Officer for a number of digital ads and AI companies including Quantcast, Sizmek and Rocket Fuel. Ari holds a BA from the University of California at Santa Cruz, and a Master’s degree from the University of Southern California. He served as an NAI board member for 5 years and co-Chair of IAB Europe’s Transparency and Consent Framework Launch Committee, which he helped to create. Ari has published extensively on public policy related to digital privacy, and holds several ad fraud and abuse prevention technology patents.
12:25 pm–2:00 pm
Lunch
Terra Courtyard
2:00 pm–3:15 pm
PETs
Room Captain: Lorrie Cranor, Carnegie Mellon University
My $5MM Differential Privacy Visualizations
Marc-Antoine Paré
Let's face it: explaining that "differential privacy is like blurring an image" doesn't get very far in communicating how and why this technology should be used. This talk breaks down data visualizations used over the course of a three-year differential privacy project for the Department of Energy that were used to unlock $5MM in funding from grant administrators, convince regulators of the effectiveness of privacy protection, and generate excitement from industry partners for adoption. While past work in this sector failed to get past academic discussions, this project culminated in two large-scale data releases, subject to a strong differential privacy guarantee (ε=4.72 and δ=5.06⋅10^−9). Practitioners will walk away with ideas and inspiration for bridging the variety of communication gaps found in real-life privacy projects.
Marc-Antoine Paré was most recently a staff software engineer leading Cruise's Privacy Infrastructure team. Previously, he was the technical lead for the Department of Energy's "Energy Data Vault", which brought differential privacy to the energy efficiency sector.
Establishing Privacy Metrics for Genomic Data Analysis
Curtis Mitchell, xD, United States Census Bureau
The ability to work with genomic datasets across institutions is a promising approach to understanding and treating diseases such as rare cancers. However, the sharing of genomic data raises challenging legal and ethical concerns around patient privacy. In this talk we will present on ongoing work between the National Institute of Standards and Technology (NIST), the US Census Bureau, and other organizations to explore metrics and use cases for privacy-preserving machine learning on genomic data. We will discuss the goals of the project, the technical architecture of the project using privacy-preserving federated learning, and the initial results on performance and privacy metrics we have obtained using plant genomic data as an initial stand-in for human genomic data.
Additional authors: Gary Howarth and Justin Wagner, NIST; Jess Stahl, Census; Christine Task and Karan Bhagat, Knexus; Amy Hilla and Rebecca Steinberg, MITRE
Curtis Mitchell is an Emerging Technology Fellow on the xD team at the US Census Bureau where he is contributing to a variety of projects involving privacy-enhancing technologies, artificial intelligence, and modern web applications. He has over 15 years of experience in software- and data-related roles at small startups, large corporations, and open-source communities. Prior to joining the Census Bureau, he worked at NASA's Ames Research Center.
Practical Considerations for Differential Privacy
Alex Kulesza
What happens when the philosophical aspirations of differential privacy collide with practical reality? Reflecting on seven years of experience building and deploying differential privacy systems at Google, I will describe in this talk some of the ways in which a focus on worst-case outcomes both enables and discourages an honest accounting of privacy risk.
Alex Kulesza is a research scientist at Google NYC.
Unlocking Cross-Organizational Insights: Practical MPC for Cloud-Based Data Analytics
Daniele Romanini, Resolve
In today's data-driven landscape, organizations often seek collaborative analytics to gain cross-organizational insights while upholding stringent privacy standards. This talk introduces a practical approach to adopting a Secure Multi-Party Computation (MPC) system for cloud-based data analytics. Leveraging open-source frameworks such as Carbyne Stack and MP-SPDZ, we have developed features to enable non-cryptographic and non-MPC expert developers to perform private analytics using intuitive, Python-like code. In this talk, we focus on the practical features that a real-world MPC solutions should have, presenting lessons learned and the key modification to an existing framework to reach a stable deployment.
We explain how we enhanced usability and functionalities of the existing framework (Carbyne Stack with MP-SPDZ), such as implementing the support for a semi-honest security model, which is less expensive and more practical than a malicious one in some real-world settings. We also address practical considerations of cost and performance, presenting strategies to optimize infrastructure deployment and algorithm-level enhancements to improve costs and enable complex analytics. Moreover, we illustrate a practical example on how the platform can be leveraged in the AdTech world. This presentation aims to demonstrate that secure and efficient cross-organizational data analytics are achievable, even for developers without specialized MPC expertise.
Authors: Adrián Vaca Humanes, Gerardo González Seco, Daniele Romanini, Goran Stipcich
Daniele Romanini is a Senior Privacy Engineer at Resolve, with expertise in both data science and software engineering. His background includes experience in academia, government organizations, and the AdTech industry. Daniele is an advocate for privacy-by-design and a privacy tech enthusiast, actively integrating privacy threat modeling and a privacy-first approach into the software development lifecycle. He is currently focused on contributing to the development of a decentralized measurement and analytics platform built with privacy-enhancing technologies at its core.
3:15 pm–3:45 pm
Coffee and Tea Break
Mezzanine East/West
3:45 pm–5:00 pm
Data at Scale
Room Captain: Harshal Shah, Visa Research
Building an End-to-End De-Identification Pipeline for Advertising Activity Data at LinkedIn
Saikrishna Badrinarayanan and Chris Harris, LinkedIn
Advertising platforms rely heavily on activity data to measure and optimize ads performance. With current privacy regulations and platform requirements, LinkedIn is held to increasingly rigorous standards in the handling of our members' personal data. This is acute for our ads business, as we adhere to strict regulations that necessitate stringent measures when handling user data, including data minimization, which is almost expanding into a global requirement. These regulations continue to evolve, requiring constant adaptation to new standards, while our data pipelines were originally established in a time when the use of personal data was less regulated.
Motivated by the principle of building privacy by design, we undertook a comprehensive project involving numerous stakeholders to address these challenges, and built an end-to-end robust pipeline that de-identifies advertising activity data. The goal of this project was to ensure that user information is protected while still enabling processing on this de-identified data to generate valuable analytics and enable advertisers to learn the effectiveness of their ad spend. We have onboarded products such as performance reporting and billing as the hero use-cases onto this pipeline. This talk will cover the design, implementation and innovative aspects of this pipeline. We will discuss the various privacy enhancing technologies we applied, our system architecture, challenges faced such as scalability (to process billions of events a day) and balancing privacy with the needs of the business. Finally, we will also highlight the outcomes and practical insights gained from this project.
Saikrishna Badrinarayanan is a Staff Privacy Engineer at LinkedIn. He has spent the last two years building privacy-preserving systems for problems in ads measurement and responsible AI. Before LinkedIn, he worked on privacy/security teams at Snap and Visa. He is a cryptographer by training and holds a PhD from UCLA. He is passionate about using privacy enhancing technologies to derive value from data while protecting user privacy.
Chris Harris is a Senior Staff Engineer at LinkedIn, where they have spent the past nine years working on ads measurement, privacy, and data governance. Passionate about hands-on coding and system performance optimization, they focus on building scalable, privacy-conscious solutions that balance business needs with user trust. Beyond engineering, they are committed to fostering a culture of doing the right thing—ensuring that privacy and integrity remain at the forefront of innovation.
Network Structure and Privacy: The Re-Identification Risk in Graph Data
Daniele Romanini, Resolve
In graph data, particularly those representing human connections, the structure of relationships can inadvertently expose individuals to privacy risks. Recent research indicates that even when traditional anonymization techniques are applied, the unique patterns within a user's local network—referred to as their "neighborhood"—can be exploited for re-identification. This talk delves into the complexities of anonymizing graph data, emphasizing that connections themselves serve as distinctive features that can compromise user privacy. This talk examines the relationship between a network's average degree (i.e. the amount of nodes' connections) and the severity of uniquely identify a node in it solely based on the network's structure. We discuss how understanding these risks can inform the design of privacy-aware data collection and anonymization methods, ensuring that the benefits of data sharing are balanced with the imperative to protect individual privacy.
Authors: Daniele Romanini and Sune Lehmann, Technical University of Denmark; Mikko Kivelä, Aalto University
Daniele Romanini is a Senior Privacy Engineer at Resolve, with expertise in both data science and software engineering. His background includes experience in academia, government organizations, and the AdTech industry. Daniele is an advocate for privacy-by-design and a privacy tech enthusiast, actively integrating privacy threat modeling and a privacy-first approach into the software development lifecycle. He is currently focused on contributing to the development of a decentralized measurement and analytics platform built with privacy-enhancing technologies at its core.
Data Classification at Scale: Taming the Hydra
Daniel Gagne, Meta
This talk goes into detail about the data classification processes at Meta, where we assign metadata about the semantics, actor, and other attributes of the data. We start by defining a taxonomy to support categorization based on the nature of data and regulatory requirements which will be used to ensure appropriate data usage. This supports a wide variety of privacy policies such as access control, deletion, and purpose limitation. We then take a bytes up approach to scan data, extract features, and infer labels from the taxonomy. We also detail challenges with different data storage patterns, classification approaches and quality measurement.
Additional Author: Giuseppe M. Mazzeo
Danny Gagne is a Software Engineer on the Privacy Infrastructure team at Meta. He holds a B.S. in Computer Science from Northeastern University. He has worked on large scale data classification at the MITRE Corporation and at the International Atomic Energy Agency.
Harnessing LLMs for Scalable Data Minimization
Charles de Bourcy, OpenAI
This talk explores how Large Language Models can enhance Data Minimization practices compared to traditional methods. Advanced contextual understanding can accelerate data classification across an organization's storage locations, improve de-identification of text corpora, and streamline internal governance mechanics. The talk will propose architectures for combining LLM-based tools of various kinds with other techniques like lineage tracing to facilitate proactive data minimization and prevent data sprawl.
Charles de Bourcy is a Member of Technical Staff at OpenAI. He enjoys exploring new ways to improve privacy protections. He received his PhD from Stanford University.
5:00 pm–6:30 pm
Conference Reception
Terra Courtyard
9:00 am–10:00 am
Safety and Identity
Room Captain: Divya Sharma, Google
Demystifying the Android Telehealth Ecosystem
Primal Wijesekera, ICSI and UC Berkeley
The regulatory landscape surrounding sharing personal health information is complex and constantly evolving. Given that a host of regulations could be relevant to mobile health applications, it is not surprising that many developers and organizations are confused about or unaware of the applicability of such regulations and how to comply. This misunderstanding may cost consumers privacy protection for highly sensitive health data. We examined the data handling practices of 408 Android telehealth apps from 36 countries. We found that a significant portion deployed event reporting, which exposes highly sensitive health data to domains not equipped to handle health data. Such practices demonstrate a clear gap between the operational, technical, and regulatory realms. In our pool of US-based telehealth apps, 48.09% potentially violate at least one applicable regulation. We also uncover three main patterns of violations among the U.S.-based apps, including the potential culpability of the Android Platform.
Liam Webster have contributed significantly in the course of the analysis to analyze apps and understand the legal context of this telehealth apps. This work was supported by the U.S. National Science Foundation NSF (under grant CNS-2055772 & CNS-2217771 ).
Primal Wijesekera is a research scientist in the Usable Security and Privacy Research Group at ICSI and also holds an appointment in the EECS at the University of California, Berkeley. His research focuses on exposing current privacy vulnerabilities and providing systematic solutions to meet the privacy expectations of consumers. He has extensive experience in mobile app analysis for privacy violations and implementing privacy protections for Android. He has published in top-tier security venues (IEEE S&P, USENIX Security and usable security and privacy venues (ACM CHI, SOUPS, PETS). He received his Ph.D. from the University of British Columbia, although he carried out his Ph.D. research at U.C. Berkeley. He also has a Masters from UBC in Distributed Systems and a BSc in CS from the University of Colombo, Sri Lanka. His research on privacy on mobile platforms has received the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies, the USENIX Security Distinguished Paper Award, the AEPD Emilio Aced Personal Data Protection Research Award, and the CNIL-INRIA Privacy Award. He has been a PI & Co-PI on multiple NSF Projects focusing on privacy and regulations.
Safetypedia: Crowdsourcing Privacy Inspections
Lisa LeVasseur and Bryce Simpson, Internet Safety Labs
Internet Safety Labs has a goal to have current safety labels for all [more than 5M] mobile apps by 2029. To accomplish this, we've been experimenting with two paths: automation and crowdsourcing. Since October 2024, we've been running a pilot project called Safetypedia to crowdsource mobile app privacy inspections and labels. This presentation will share our findings on the hybrid approach of using both automation and crowdsourcing to increase the volume of safety labels (viewable at https://appmicroscope.org/). We'll discuss the challenges with crowdsourcing for both participants and ISL, whether the approach warrants a full rollout, and if the resultant community (and safety labels) can be a viable grassroots approach to accountability and digital product safety.
Lisa LeVasseur is the founder, Executive Director and Research Director of Internet Safety Labs, a nonprofit software product safety testing organization. Her technical industry contributions and deep knowledge of consumer software products and connected technologies span more than three decades. Throughout her career in software, she has developed a particular love for industry standards development and software product safety. At the core of Lisa's work is an understanding of how connected technologies can make our lives better as well as the safeguards that are necessary for them to do so. She has dedicated the past six years to developing a vision for digital product safety – where all connected, software-driven products are safe for people and humanity.
Bryce Simpson is a Safety Researcher/Auditor at Internet Safety Labs. He's been performing cyber security and online privacy assessments for five years, with recent focus on educational technology platforms, synthesizing regulatory requirements and industry best practices. Specializing in meticulously analyzing the behavior of digital ecosystems, he is dedicated to navigating the intersection of privacy concerns and technological advancements, ensuring a secure online environment for all.
Verifying Humanness: Personhood Credentials for the Digital Identity Crisis
Tanusree Sharma, Pennsylvania State University
With the rise of AI-powered deception, identity verification systems are increasingly important to distinguish between AI and humans. Building on related concepts, like, decentralized identifiers (DIDs), proof-of-personhood, anonymous credentials, personhood credentials (PHCs) emerged as an alternative approach, enabling individuals to verify that they are a unique person without disclosing additional information. However, new technologies might introduce some friction due to users' misunderstandings and mismatched expectations. This talk will discuss how people reason about unknown privacy and security guarantees of PHCs compared to current methods; and factors that influence how people would like to manage PHCs. Specifically, it will address critical design considerations, including the role of trusted issuers (e.g., government, private entities), the reliability of data attributes used for credential issuance (e.g., biometrics, physical IDs, selfies), and the trade-offs between centralized and decentralized issuance systems.
Tanusree Sharma is an Assistant Professor at Penn State University and directs the Governance, Privacy, and Security (GPS) Research Lab. Her work, at the intersection of Security, HCI, and blockchain is oriented around answering the question: How can we design secure systems that improve the quality of human interaction and human data authenticity in critical systems? She has received the John Karat Usable Privacy and Security Award at Usenix SOUPS 2024, for her contributions to the field. She has been PI and Co-PI of funded grants from Meta and OpenAI. She received her Ph.D. from the University of Illinois at Urbana Champaign in 2024.
10:00 am–10:30 am
Coffee and Tea Break
Mezzanine East/West
10:30 am–11:40 am
Privacy Engineering
Room Captain: Marc-Antoine Paré
Career Advice for Privacy Engineers: From Resume to Interview to Finding the Next Job
Jason A. Novak, Google
We are in the second decade of privacy engineers being hired in industry and the process has professionalized at all levels. From the backgrounds that applicants come from to the way that candidates are screened to job descriptions to how interviews are conducted. This talk aims to: demystify the privacy engineering job market as it currently exists; to empower privacy engineers (current and prospective) in their career growth; and educate privacy engineers on hiring processes and practices.
Jason Novak (jasonanovak.com) is a Sr. Staff Privacy Engineer at Google where he works on cross company privacy initiatives including AI data protection. Prior to Google, Jason led the Privacy Engineering teams at Cruise and Apple where he helped teams develop new infrastructure products to enhance user privacy including anomalous data access alerting, Wi-Fi MAC address randomization, and Safari Intelligent Tracking Prevention. In these roles, Jason has screened, interviewed, and hired many Privacy Engineers.
Privacy Engineers on the Front Line: Bridging Technical and Managerial Skills
Ramazan Yener, University of Illinois at Urbana-Champaign
Privacy engineers (PEs) play a critical role in managing sensitive data and ensuring responsible system design amid evolving regulations like GDPR and CCPA. Yet, their skills and challenges remain poorly understood. To address this gap, we utilized a mixed-methods study combining survey responses from 28 privacy engineers and semi-structured interviews with 18 practitioners across diverse industries. Our findings reveal that PEs navigate a unique intersection of technical and managerial expertise and interpersonal skills. Educational backgrounds and certifications influence their career trajectories, equipping them to tackle industry-specific challenges such as navigating complex regulatory frameworks or implementing privacy-by-design principles in domains ranging from healthcare to technology. Beyond technical skills, PEs rely on interpersonal and managerial abilities to collaborate with cross-functional teams, negotiate with stakeholders, and advocate for privacy-first practices. They also perceive their roles as dual mandates: ensuring compliance while driving innovation, a balance that requires strategic approaches to overcome organizational resistance. This research highlights the diverse skill set of PEs and offers recommendations for supporting their growth. By shedding light on their evolving roles, we aim to inspire new professionals to explore this vital field while helping organizations better define and support the PE role.
Ramazan Yener is a PhD student at the University of Illinois Urbana-Champaign, researching user-centered privacy and security, with a focus on policy and governance in AI and IoT-driven systems. He examines apps and online platforms from a user perspective to identify potential privacy and security risks. His current research explores how privacy professionals navigate challenges in implementing privacy-by-design principles. He aims to protect individuals and organizations from digital threats while promoting equitable and transparent data practices for the public good.
Purpose Limitation with Policy Zones: What We Tried That Didn't Work
Diana Marsala, Meta
Purpose limitation is a foundational principle in data privacy, ensuring that the use of data is strictly confined to the explicitly stated purpose(s) disclosed at the time of collection. This presentation is a retrospective analysis on early iterations of Policy Zones, one of Meta's technical solutions designed to enforce purpose limitation.
By examining the evolution of Policy Zones, including lessons learned and key insights into why certain approaches were effective or ineffective, we aim to provide a deeper understanding of the complexities and opportunities in implementing purpose limitation at scale.
In particular, we'll focus on three common purpose limitation paradigms:
- Set it and forget it: Dynamically propagating policies from service to service, throughout the stack
- One size fits all: Leveraging a single policy for all purpose-limitation-based privacy requirements
- Run checks everywhere: Running privacy checks server-side for every data store, in a single chokepoint that covers all callers
These three paradigms were initially adopted by Meta. Although they appeared sound and facilitated a faster system build-out, we later identified several gaps that necessitated a redesign of our systems to enhance operational maturity and make them more viable at scale.
Diana Marsala is a Software Engineer on Meta's Privacy Infrastructure team, where she plays a pivotal role in shaping the company's approach to privacy. As an early adopter of privacy infrastructure technologies, she has successfully leveraged these tools to uphold critical privacy obligations and now focuses on developing and adapting them for broader adoption across the organization. Marsala holds B.A.S. and M.S.E. degrees in Computer Science from the University of Pennsylvania.
Building Privacy Products: Field Notes
Miguel Guevara, Google
This talk will provide insights from a product manager working on privacy. These insights will share some high-level thoughts that the author has accumulated over years of experience working on privacy products. These insights will shed light on what can make a privacy product successful, and what other considerations one might need to take into account when developing cutting-edge privacy technology with unclear use-cases.
The author will also share learnings from unsuccessful privacy experiences that can help others as they embark on a privacy journey.
The ultimate goal is to start a conversation that can help privacy practitioners build privacy products and features in a successful manner.
Miguel Guevara works at Google's Data Protection team, focusing on implementing privacy-enhancing technologies at scale and launching new initiatives that further overall privacy.
11:40 am–11:45 am
Short Break
Mezzanine East/West
11:45 am–12:30 pm
Panel: How Privacy Engineers Can Shape the Coming Wave of AI Governance
Moderator: Zachary Kilhoffer, Dynatrace
Panelists: Hoang Bao, Axon; Masooda Bashir, University of Illinois at Urbana-Champaign; Debra Farber, Lumin Digital; Sarah Lewis Cortes, Netflix and NIST; Akhilesh Srivastava, IOPD
Privacy engineers often work on complex AI systems, and as such, many now find themselves playing a AI governance roles alongside their privacy engineering responsibilities. However, PEs are not only seeing their roles shaped by AI Governance; they also have an opportunity to shape it. Furthermore, PEs are at the forefront of regulatory compliance and as AI governance evolves and regulations take shape, PEs are uniquely positioned to lead in this domain. This panel explores the intersection of privacy engineering practice and the new wave of AI governance. As the EU AI Act ushers in a new era of AI regulation, reminiscent of GDPR's impact on privacy, we examine how privacy engineering practices and skills can inform and enhance AI governance strategies.
Dr. Zachary (Zak) Kilhoffer is a manager of AI governance at Dynatrace. His research focuses on the ethical, socio-economic, and political implications of emerging technologies, particularly artificial intelligence. With a multidisciplinary background spanning international relations, economics, tech and labor law, and computer science, Zak employs mixed methods and diverse theoretical lenses in his research. He has enriched his academic perspective through internships with the US House of Representatives, the OSCE, and the United Nations. From 2017 to 2021, at the Centre for European Policy Studies in Brussels, he focused on the intersection of technology and EU policy, authoring influential work on the platform economy, gig work, and algorithmic fairness—research that has notably shaped EU discourse on digital platform regulation.
Hoang Bao has two decades of experience in building and leading privacy and data governance programs. He is currently serving as Director, Global Head of Privacy and Data Privacy Officer for Axon, where he helps ensure Axon is always at the forefront in fulfilling its commitment to protecting privacy for all global Axon Customers and the communities they serve.
He is also a member of the IAPP Privacy Engineering Advisory Board. Additionally, he is a Principal at Virtual Privacy, focusing on empowering the privacy and data protection ecosystem through pro bono services and research about businesses, consumers, and trust in the digital space. Previously, he also served in senior leadership roles at Google, Twitch, Netflix, Walmart Global eCommerce, and Yahoo!. He was also a Senior Consultant at KPMG LLP.Hoang received his Master of Science in Computer Science from Cal Poly, San Luis Obispo and is currently a Master of Laws - LLM candidate. In addition, Hoang has privacy designations such as CIPP/US, CIPP/E, CIPT, and CIPM. He also has the ECPC-B Professional DPO Certification from the European Centre on Privacy and Cybersecurity, Maastricht University.
Dr. Masooda Bashir is an Associate Professor in the School of Information Sciences at the University of Illinois at Urbana-Champaign, where she conducts interdisciplinary research that bridges mathematics, computer science, and psychology. Her research sheds new light on digital trust, cybersecurity, and data ethics, positioning her as a respected expert in these critical fields. Dr. Bashir's career began in Silicon Valley, where she built a robust foundation in technology through roles as a systems analyst, technical trainer, manager, and global manager at companies including Lotus and IBM. Her hands-on industry experience laid the groundwork for her later scholarly pursuits, fueling her decision to earn a PhD from Purdue University. This unique combination of practical expertise and rigorous academic training informs her innovative approach in both research and teaching. In addition to her primary appointment, Dr. Bashir directs Social Sciences in Engineering Research and holds key affiliations with the Department of Industrial and Enterprise Systems Engineering, the Coordinated Science Laboratory, and the Information Trust Institute. Her extensive publication record includes over 100 scholarly papers on data privacy, cybersecurity, and human trust in automation, developed alongside her dynamic research team at UIUC. Her leadership extends to managing several NSF-funded research initiatives, including a decade-long commitment to the CyberSecurity Scholarship Program. Through her groundbreaking work and visionary leadership, Dr. Bashir continues to shape and advance the dialogue on technology's impact on society.
Debra J. Farber is a seasoned privacy executive and leader with over 20 years of experience operationalizing privacy across complex, data-driven environments. She spent the bulk of her career operationalizing privacy programs at companies large and small before shifting left into privacy engineering. She currently serves as Privacy Engineering Manager at Lumin Digital, where her team embeds privacy early into a cloud-native digital banking platform. Debra has led privacy and security programs at Amazon Prime Video, AWS, BigID, Visa, TrustArc, and IBM, and serves as Advisory Board member to several privacy tech startups, guiding them on product strategy, go-to-market messaging, and responsible data practices. In addition, with a strong interest and focus on responsible AI, she advocates for organizations to embed privacy and ethical guardrails throughout the AI lifecycle.
Debra is an active member of the privacy engineering community. A passionate advocate for shifting privacy left in the software development lifecycle to address privacy issues early, she created and hosted The Shifting Privacy Left Podcast, which published 63 episodes spotlighting how privacy engineers can integrate privacy early and effectively into the software development lifecycle before code is shipped and PII is ever collected. She's also a Member of the USENIX PEPR Conference's Programming Committee and is an Advisor to the Institute of Operational Privacy Design (IOPD). She holds a BA from Binghamton University, a JD from Brooklyn Law School, and a Certificate in Designing and Building AI Systems from Cornell University. She also holds multiple certifications, including the CISSP, CIPP/E, CIPP/EU, CIPT, and CIPM, among others. Her work sits at the intersection of privacy, security, engineering, and trust where she aims to consistently drive scalable, privacy-respecting outcomes.
Dr. Sarah Lewis Cortes (CISSP, FIP, CIPP/E (GDPR), CIPT, CISM, CISA, CRISC) is a leading expert with over 20 years of global-scale technology experience in domains including strategy and execution for Information Security, Privacy Engineering, Privacy Enhancing Technologies (PETs), Data Protection, and secure, privacy-aware AI/ML. She has a strong record of success creating robust privacy engineering and security solutions and programs. At firms such as Netflix, Salesforce, and Fidelity Investments, she has had responsibility for implementing global-scale, comprehensive privacy engineering and privacy-aware, secure AI/ML programs. She earned degrees at Harvard University and Boston University, studied Forensic Sciences at Boston University Medical School, and holds a PhD in Computer Science, Cybersecurity from Northeastern University. Her research and publications focus on the dark net, anonymous network communications, privacy and privacy law, and responsible AI/ML Sarah has served as an invited Team Leader for the NIST Privacy Workforce Working Group, where she helps shape national strategies for building privacy expertise and capacity, and has published NIST privacy framework crosswalks. She also serves on the Privacy Engineering Advisory Board of the International Association of Privacy Professionals (IAPP). A former analyst for the US Department of Energy, she led the NIST Cybersecurity Working Group on Privacy & Security sub-team as co-author, that created the security and privacy laws section of the 2014 NIST: Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid. She also conducts training and research with the FBI, the Alameda County Sheriff’s Office Digital Forensics Crime Lab, and other Law Enforcement Agencies (LEAs). Prior to undertaking her PhD, Sarah was Senior Vice President for Security, Privacy, GRC and Disaster Recovery at Putnam Investments, where she led a team of over 150 staff, delivering privacy and security solutions and programs.
Akhilesh Srivastava is a strategic senior leader with a wealth of experience as a Product Technical PM in large tech companies like Meta, Amazon, Capital One, and FINRA. Over his 19-year journey, he has been at the forefront of innovation across diverse domains, including Privacy, Fin-Tech (Payments, Regulation), Ads, Insurance, and e-commerce.
Passionate about privacy-enhancing technologies, governance, ethics, and GenAI, Akhilesh has driven multi-million-dollar impacts across various product suites, serving billions of customers globally on a large scale. He volunteered as the Chair of the Risks & Controls Committee at the Institute of Operational Privacy Design and is an executive volunteer member of Tejas Cyber Security Professionals Network and Washington DC's CTO's Club. He speaks at privacy-related industry conferences. Additionally, he actively volunteers in various nonprofit community initiatives, providing mentorship to leaders.
He is certified in MIT Sloan's AI-Implications for Business Strategy.
12:30 pm–2:00 pm
Lunch
Terra Courtyard
2:00 pm–3:10 pm
Machine Learning and Artificial Intelligence
Room Captain: Ryan Guest, Amazon
Beyond RAG: Building Reliable AI Systems for Privacy Assessments
Emily Choi-Greene, Clearly AI
As organizations explore AI automation for privacy assessments, ensuring reliable and trustworthy output is critical. This talk examines practical challenges in building AI systems that can consistently interpret privacy requirements, process engineering documentation, and produce reliable assessments. We'll set context by discussing which components of privacy assessments are ripe for automation, and which require more human oversight. We'll then explore technical approaches to prevent hallucinations, handle conflicting documentation, normalize AI outputs, and validate assessments against established policies. Drawing from real-world implementation experience, we'll share key patterns for building robust privacy automation systems that maintain high accuracy while scaling across organizations.
Emily Choi-Greene is the CEO and co-founder of Clearly AI, a Y Combinator-backed startup that automates security and privacy reviews. Previously, Emily led data security and privacy at Moveworks, including enterprise-grade privacy-preserving ML, sensitive data detection, and data masking. Before that, Emily led Alexa AI security as a Senior Security Engineer at Amazon.
When Privacy Guarantees Meet Pre-Trained LLMs: A Case Study in Synthetic Data
Yash Maurya and Aman Priyanshu, Carnegie Mellon University
Modern synthetic data generation with privacy guarantees has become increasingly prevalent. Take real data, create synthetic versions following similar patterns, and ensure privacy through differential privacy mechanisms. But what happens when theoretical privacy guarantees meet real-world data? Even with conservative epsilon values (ε<10), document formatting and contextual patterns can create unexpected privacy challenges, especially when using models which aren't transparent about their own training data like most LLMs.
We explore a case study where financial synthetic data was generated with differential privacy guarantees (ε<10) using public SEC filings, yet revealed concerning privacy leakages. These findings raise important questions: Does the privacy leakage stem from the training data, or did fine-tuning untangle existing privacy controls in the base model? How do we evaluate privacy when the model's training history isn't fully known? This talk examines these challenges and brings awareness to emerging privacy considerations when generating synthetic data using modern language models.
Yash Maurya is a Privacy Engineer who evaluates empirical guarantees of real-world privacy deployments, having designed privacy-preserving systems at Meta, PwC, BNY Mellon, and Samsung. An IAPP Westin Scholar with a Master's in Privacy Engineering from Carnegie Mellon University, his research on LLM unlearning and privacy frameworks has been presented at ICLR, SaTML, and SOUPS.
Aman Priyanshu is an incoming AI Researcher at Cisco focused on AI safety & privacy. With a Masters from CMU, his research on foundation model vulnerabilities and LLM security has attracted media coverage and led to invitations to OpenAI's Red Teaming Network. His work has earned recognition through the AAAI Undergraduate Consortium Scholar award.
Quantifying Reidentification Risk for ML Models
Nitin Agrawal and Laura Book, Snap Inc.
Machine learning models, in particular classification models, are used across a wide spectrum of products and applications. These models may be susceptible to attacks like model inversion and attribute inference attacks that could allow for reconstruction of the training data and re-indentification of the data subjects. However, not all models are attackable: well generalized ones specifically are less prone to memorize their training data, and privacy preserving techniques can be used to help ensure training is generalized rather than memorized. However, a key challenge at an industrial scale lies in identifying the attackability of a model as well as calibrating the need for privacy mitigations. Academic literature has established an order relationship between attacks, demonstrating that membership inference attacks are a precursor to the reconstruction and re-identification of training data. In this talk we'll discuss a mechanism to repurpose those attacks into a practical quantifiable metric for ML model attackability measurement. This could be critical in ensuring model privacy and ongoing monitoring of the model in the model deployment lifecycle.
Nitin Agrawal is currently a Privacy Engineer at Snap Inc., focussing on privacy validation, AI privacy, and data classification. Previously, he worked as an Applied Scientist for Alexa Privacy at Amazon. He holds a Ph.D. in Computer Science from the University of Oxford, where his research focused on advancing techniques for effective and equitable privacy-preserving machine learning.
Laura Book is a Privacy Engineer at Snap Inc., where she is currently focusing on validating privacy adherence across the product. Previously, she worked at Google as a software engineer with a focus on monetization, privacy and data governance. She holds a PhD in Physics from the California Institute of Technology.
Breaking Barriers, Not Privacy: Real-World Split Learning across Healthcare Systems
Sravan Kumar Elineni
Regulatory constraints and siloed data often hinder collaborative AI in healthcare. Our project supported by ONC/ASTP implements Split Learning to enable three independent HIEs to jointly train a deep learning model without sharing sensitive patient data. We detail the technical workflow (e.g., partial model hosting, secure exchange of activations) and discuss how we navigated real-world challenges in data integration and quality, network security, and regulatory compliance. Preliminary results show robust model performance and seamless interoperability across participating sites, suggesting a robust blueprint for large-scale privacy-preserving ML in healthcare.
Authors: Sean Muir, Dave Carlson, Himali Saitwal, David E Taylor, Chit win, Jayme Welty, Adam Wong, Jordon Everson, Keith Salzman, Serafina Versaggi, Lindsay Cushing, Savannah Mueller
Sravan Kumar Elineni is a seasoned technologist with over a decade of experience in healthcare data systems and emerging fields such as machine learning, robotics, computer vision, and natural language processing. He recently led a high-impact project implementing a state-of-the-art collaborative machine learning system that integrates legal, technological, and security frameworks to facilitate cross-organizational healthcare collaboration.
3:10 pm–3:40 pm
Coffee and Tea Break
Mezzanine East/West
3:40 pm–4:50 pm
Putting Machine Learning and AI to Work
Room Captain: Greg Chappell
OneShield Privacy Guard: Deployable Privacy Solutions for LLMs
Shubhi Asthana, IBM Research
The adoption of Large Language Models (LLMs) has revolutionized AI applications but has introduced complex challenges in enforcing scalable and adaptive privacy safeguards. This talk presents OneShield Privacy Guard, a framework engineered to mitigate privacy risks through context-aware guardrails across the LLM lifecycle—input preprocessing, inference, and output sanitization—while leveraging automated risk assessment for continuous refinement.
The talk explores two key deployments of OneShield Privacy Guard. The first deployment focuses on an enterprise-scale multilingual system for data governance, demonstrating enhanced PII detection accuracy and optimized privacy-utility tradeoffs compared to existing solutions. OneShield's integration provided real-time privacy enforcement, improving compliance adherence in high-volume enterprise environments.
The second deployment highlights an open-source implementation for automated privacy risk triaging, where OneShield reduced manual intervention in privacy-sensitive pull requests by 30% while maintaining compliance precision. This deployment demonstrates its adaptability in privacy-first software development workflows, enabling efficient and automated risk mitigation.
These deployments illustrate OneShield's scalability and deployment flexibility in enterprise and open-source ecosystems. Attendees will gain insights into its technical architecture, tradeoff considerations, and deployment challenges, equipping them with strategies for building automated, high-fidelity privacy safeguards for real-world AI applications.
Shubhi Asthana is a Senior Research Software Engineer at IBM Almaden Research Center, specializing in AI and machine learning solutions for privacy-preserving technologies, particularly PII detection and management in unstructured data. She has contributed to the development of multimodal AI systems, transformer-based models, and scalable data pipelines for enterprise applications. Shubhi has led innovative projects that bridge research and practical impact in AI.
Scaling Federated Systems at Meta: Innovations in Analytics and Learning
Sai Aparna Aketi and Harish Srinivas, Meta
At Meta, we are advancing the scalability and efficiency of federated systems through innovations in both Federated Analytics (FA) and Federated Learning (FL). Our FA system is designed to facilitate privacy-preserving analytics for billions of devices, addressing the key challenges of scalability, resource efficiency, and data privacy. By leveraging one-shot algorithms, batch processing, and predictable query loads, FA achieves efficient large-scale data processing while ensuring robust privacy safeguards through Trusted Execution Environments (TEEs). The system supports flexible ad-hoc querying with rapid iteration cycles, minimizing resource consumption even on constrained devices.
Simultaneously, we have enhanced our internal FL simulation framework, FLSim, to meet the demands of large-scale distributed learning. We addressed previous scalability bottlenecks by integrating FLSim with asynchronous Remote Procedure Call (RPC) communication protocol. As a result, FLSim can now simulate FL training with a throughput of 200,000 users—each with 50 samples—with 10 million samples per minute for a small three-layer neural network over an 8x8 distributed cluster.
The synergy of FA's scalable architecture and FLSim's optimized FL capabilities have enabled Meta to deploy internal use-cases leveraging federated technologies, with a pipeline of additional applications in development.
Authors:
PPML Team: Anjul Tyagi, Othmane Marfoq, Luca Melis, Aparna Aketi
Pytorch Edge Team: Diego Palma Sánchez, Harish Srinivas
Sai Aparna Aketi is a Postdoctoral Researcher in the Central Applied Science team at Meta where she works on building Privacy Enhancing Technologies for Machine Learning applications. She received her Ph.D. in Electrical and Computer Engineering from Purdue University in 2024.
Harish Srinivas is a software engineer in PyTorch Edge team at Meta where he works on building on device AI frameworks and Privacy Enhancing Technologies for Machine Learning applications.
Using GenAI to Accelerate Privacy Implementations
Rituraj Kirti, Meta
Meta has developed several streamlined workflows to enable developers to deploy purpose-limitation technology. Adoption of this technology can, however, often become challenging, both because of the scale at which Meta operates and the deep privacy domain knowledge and platform expertise required for efficiently implementing solutions.
This presentation will walk through how Meta leverages Generative AI and automation for scalable deployment of purpose limitation technology and guiding developers into building durable privacy solutions. We will discuss the architecture of the tooling behind key Privacy Workflows at Meta, such as annotating assets, reviewing data flows, and preventing regressions, and how we use Generative AI to accelerate decision-making for developers at every step of the way.
Rituraj Kirti is a Software Engineer on the Privacy Infrastructure team at Meta that builds technologies for addressing privacy obligations. Kirti's prior work at Meta includes creating and scaling various products that apply machine learning to improve the effectiveness of advertisers. He holds a B.E. (Hons) degree in Instrumentation Engineering from Birla Institute of Technology and Science, Pilani, India.
From Existential to Existing Risks of Generative AI: A Taxonomy of Who Is at Risk, What Risks Are Prevalent, and How They Arise
Megan Li and Wendy Bickersteth, Carnegie Mellon University
Due to its general-purpose nature, Generative AI is applied in an ever-growing set of domains and tasks, leading to an expanding set of risks impacting people, communities, society, and the environment. These risks may arise due to failures during the design and development of the technology, its release, deployment, or downstream usages and appropriations of its outputs. In this paper, building on prior taxonomies of AI risks and failures, we construct both a taxonomy of Generative AI risks and a taxonomy of the sociotechnical failure modes that precipitate them through a systematic analysis of 499 publicly reported incidents. We'll walk through some example incidents and highlight those related to privacy. We describe what risks are reported, how they arose, and who they impact. We report the prevalence of each type of risk, failure mode, and affected human entity in our dataset, as well as their co-occurrences. We find that the majority of reported incidents are caused by use-related issues but pose risks to parties beyond the end user(s) of the Generative AI at fault. We argue that tracing and characterizing Generative AI failure modes to their downstream risks in the real world offers actionable insights for many stakeholders, including policymakers, developers, and Generative AI users. In particular, our results call for the prioritization of non-technical risk mitigation approaches.
Megan Li is a Societal Computing PhD student at Carnegie Mellon University co-advised by Drs. Lorrie Cranor and Hoda Heidari. She is currently thinking mostly about Generative AI safety.
Wendy Bickersteth is a Societal Computing PhD student at the Carnegie Mellon CyLab Security and Privacy Institute. Working with Dr. Lorrie Cranor, she conducts usable privacy and security research, focusing on privacy labels and AI use.