Yan Zhu is renowned security and privacy engineer. She is currently working as a Senior Software Engineer at Brave and a Technology Fellow at the Electronic Frontier Foundation. She is an open web standard author, technology speaker, and open source contributor. Some of her contributions include HTTPS Everywhere, Lets Encrypt, Secure drop, Privacy Badger.

Interview…

Hello Everyone, Welcome to MappingTheJouney and happy new year to all the listeners around the world. I apologise for not having an episode sooner, I was just on a break, enjoying holidays with friends and family. Here I am back with January Episode with Privacy Engineer Yan Zhu. She is renowned security and privacy engineer. She works hard to keep us all safe online. She is an open web standard author, technology speaker, and open source contributor. Some of her contributions include HTTPS Everywhere, Lets Encrypt, Secure drop to name a few. Let us discuss with her about her work so far, privacy on today’s internet, net neutrality and how can we all protect ourselves on today’s web.

Pramod: It’s my honour having you on the show Yan. Welcome to mapping the journey.

Yan: Thank you it’s an honour to be here.

Pramod: Yan, we all know you as a privacy and security engineer. Tell us about your early life, before the internet or even before technology.

Yan: Yeah, well before the internet. It’s interesting you phrased the question that way because I don’t use the internet until I was a teenager. So, I grew up in China, or I was born in China, and I lived there until I was five. And then when I came to the United States, my dad was a professor of geology. So, he was working with computers all the time, but he wasn’t really, I don’t know my parents didn’t give me a computer of my own or anything. So I played games on my computers, but I don’t really like do any hacking or anything. Ummm let’s see, I think I really got into hacking after I graduated college, because I started making friends who were really paranoid about security and worried about surveillance and an FBI and all that. Maybe they were too paranoid, and there was probably nothing happening to them, but then Edward Snowden became a famous person for leaking these NSA documents. And that’s around when I started to work at the EFF and then so that completely changed my view on how surveillance affects the average person and that’s when I became more and more interested in privacy.

Pramod: Nice, is it your undergrad at MIT brought you to the US?

Yan: No so, umm I came to the US because my dad was, he was a PhD student at Caltech, and so he came to the US to start his PhD. And then a couple of years later my mom came and joined him and so I lived with my grandparents in China for a while. And then when I was five years old, I came to the US and yeah, so I went to, I went to grade school, and middle school and high school in the United States and I dropped out of high school because I was bored and went to MIT a year early. Yeah, but I was, I was doing physics down. I wasn’t really interested in hacking.

Pramod: Yeah, Awesome! Also, Yan, you started your PhD, right, at Stanford?

Yan: Yeah, yeah. So, I wasn’t as an undergrad, I was sure I was going to do physics for the rest of my life because it was exciting and it was something I felt I was good at, especially experimental physics. So then when it was time to graduate I had no idea what to do except go to grad school. So, that was the default path. So, I applied to a couple, and ultimately I took Stanford, which was good and bad. It was bad because it was kind of a boring environment for me. I felt people there were, less creative and less weird than the people I’d known. I can call it an undergrad and so that spurred me on to leave my PhD program after in my first year, and that’s when I got interested in the kind of things I’m doing now.

Pramod: Okay, cool. As you already said for the most part of your undergrad and even after that, you did physics. When was your introduction to computers?

Yan: So, I was around computer scientists all through college. I think over one-third of students at MIT are computer science majors. So, but I had never programmed before college, and my first experience programming was for a research job, I was writing MATLAB, and that was fun. So, I took a class that was taught in scheme about programming language design and that was all training I had. I didn’t start working full-time as a programmer until, after dropping out of grad school. I did a Google Summer of Code type internship program because I don’t think I would be, very good at programming because I hadn’t grown up doing it and everyone else I knew had been programming for ten years. So, yeah, that was how I started.

Pramod: Great! Yan, was just curious, how did you get into hacking and your work on security and privacy?

Yan: I guess when I when I left grad school, and I was thinking about if I’m going to become a programmer what kind of projects do I want to work on. I was thinking about this over the course of a winter and as I was deciding to leave grad school. And then that January umm Aaron Swartz killed himself. And Aaron was a friend of a friend. A friend of many friends of mine. Ummm so, I’d met him a few times, but I was always very inspired by him. I’d say; he was probably one of my biggest, people I looked up to, as a programmer because he had such a huge impact and he did all these things that no one, everyone else was afraid to do. So, that changed my thinking. Before I was, Oh, I can work on any software company, it doesn’t matter, but then when Aaron died, I was like well, life is short, and there are important things to do. And I really believe in activism, and I think it’s worth pursuing. So, that’s how I ended up becoming interested in the EFF and the Tor project. So, I emailed my friend who, Peter Eckersley at the EFF and I said, I don’t know how to program or do anything, but I want to help you guys. So, if I got funding as an internship, for an internship through a third-party organisation would you be willing to have my work there over the summer and Peter was okay with it, so that’s, that’s how I got my first job I guess.

Pramod: Nice. Until now, most of your work is on privacy and security. What motivates you to work on such projects?

Yan: It’s the feeling that someone needs to do this. When you hear about something like the Equifax breach [Yes] or you hear one of a dozen stories every day about, people’s passwords being leaked or, dating apps tracking people around, their physical locations. It’s just hard not to think, well someone needs to work on this okay, look this is a significant problem. So, seem an obvious thing to do.

Pramod: You also worked with Yahoo for a while, right?

Yan: Yeah, sometime around then. I was there for a little bit over a year.

Pramod: What areas you worked on in Yahoo?

Yan: So, I was, Yahoo was interesting because it was my first big company job and so, the thing, the thing I was hired to do was an email encryption project. So, the Yahoo security team wanted Yahoo Mail to have better security and privacy protections. In retrospect, this was probably because Yahoo Mail has a history of, getting accounts hacked. So, the thought was that if people could somehow use PGP to encrypt their emails end to end then that would be an extra layer of protection from their accounts getting hacked right. So this was supposed to be a very user-friendly feature such that anyone could just login to yahoo mail, download a browser extension and then start using PGP and so forth. So, yeah I worked on that up for about a year. I don’t know if that project that’s still going on. It was, people were still working on it when I left.

Pramod: At that time, I think Yahoo was one of the most widely used emails.

Yan: Yeah, it’s not as widely used as Gmail but it still has hundreds of millions of users I think, so, it’s a large percentage of people.

Pramod: Awesome! And at the same time, you were also recognised as Forbes 30 under 30.

Yan: I honestly have no idea. Yeah, I think it was because a friend of mine was uh was working for Forbes and they usually asked employees to recommend people and that person suggested me. I guess it is a recognition of leading the email encryption project at Yahoo and working at EFF before that but, personally, I don’t take these [yes, yeah] certifications very seriously. Because it’s 30 under the 30s that sounds there would only be 30 people but there are 600 people because they have 200 categories or something or 20 categories or something like that. So, yeah.

Pramod: Awesome! Nice. Yan, tell us about your association with freedom of the press foundation, your work on the secure drop?

Yan: Yeah. So, I haven’t been involved in that, that’s mostly been people like Garrett Robinson of the freedom of the press foundation. But so when I was working at EFF or maybe shortly after I left, there was a group of people who had just formed an organisation called freedom of the press foundation. In light of the Snowden leaks and in light of WikiLeaks having their finances blocked, blockaded by the banks. And so, they decided it was a really good time to take up a project that Aaron Swartz had started called dead drop and dead drop was a very early version of the secure drop. It was set up at Forbes and it was a way that sources could use Tor to send use Tor browser to send documents to journalists anonymously. So, a kind of whistleblowing platform and so freedom of the press foundation decided to take over that project and fix some of the issues from their security audit. So, I went to a few hackathons where we figured out some of the desert the new design and started hacking on it. We had a good hackathon at Noise Bridge actually, that year. Yeah.

Pramod: Nice. At EFF you worked on Let’s Encrypt, HTTPS Everywhere and many other projects. You served as a technologist fellow. Tell us about your work with the EFF?

Yan: Yeah, so that was a continuation of work out I had started at EFF. So I was the maintainer of HTTPS everywhere, and I wrote the first version of privacy badger for Firefox, random stuff. Yeah, so when I heard about Let’s encrypt and when, well, so we had known about it at EFF in very vague terms, and I always thought it was a cool idea. But then when it was announced, when let’s encrypt was finally announced, I was like wow this is cool, I should go work on this. So part of my work at Yahoo was actually, they let me go to EFF and sit there and work on Let’s encrypt for a couple of months. So I worked on a plug-in for engine X, and I remember I opened an issue in the specification for allowing wildcard certificates. Umm, yeah so that’s how I got the title “Technology Fellow” at EFF because I wasn’t being paid there but I was going there and working anyway for a while. But I haven’t done that in over a year, so I don’t, I don’t even know if they still consider me.

Pramod: Awesome! I used HTTP everywhere, and it’s a great contribution and also Let’s encrypt.

Yan: Yeah, thanks.

Pramod: And speaking of Lets Encrypt Rich Salz chairperson of Let’s encrypt was also on my show

Yan: Cool.

Pramod: Let’s move on to more general topics Yan. I find this line very interesting, “I’m not famous, nor do I have a lot of money, nor do I have nothing to hide. Why do I have to care about privacy or even not being tracked?”

Yan: Yeah, so a lot of people say that I mean this is a thing everyone here is sometimes actually I’ve heard it less recently. But it used to be that a lot of people would say I’m not famous, I have nothing to hide, etc., so why do I care about privacy? If you ask those people, how would you feel if someone could read all your emails all of a sudden because your Gmail got hacked? Usually, they wouldn’t. Typically, they’d be, oh, I wouldn’t want that, they’re not just like well I have nothing to hide so whatever, and I think the answer is that, yeah everyone has something to hide. It’s just, you’re not thinking of what you have. You might be, Oh I’m not an axe murderer but, but maybe you don’t want, want everyone to see your tax returns, something very trivial.

Pramod: According to you, concerning privacy on today’s internet, how good or bad it is?

Yan: Hmm, it’s hard to say, it’s hard to, it’s hard because I don’t know everything that’s on the internet. I think it’s very tough to say whether things have gotten better since the Snowden revelations. For instance, because indeed there’s been a lot in the news about how people should care more about privacy and maybe more news about companies getting hacked and so forth, but it’s hard to measure if there are substantial changes. A few metrics that I do know about are the amount of SSL or TLS adoption on the web. So, that’s usually that’s one way to calculate, that is, from the percentage of HTTPS page loads and Firefox, which is public information and that has in the last year or two exceeded 50 percent. So, I think HTTPS becoming the norm and the default for websites is an, a significant privacy improvement and it’s steadily rising. So maybe it will get to an all HTTPS Internet in the near-future. On other fronts, I don’t think we’re doing as well. So, for instance, Email Encryption, well, so email encryption like start TLS transit encryption that’s gone up, slightly. But on other things like PGP, I don’t think a significantly higher number of people are using PGP compared to a year ago or two years ago, three years ago, four years ago, so that maybe that’s just a losing battle. We have to give up this old vision that someday everyone would be able to use PGP etc.

Pramod: Wow, that’s a surprise. Still, 50% of the traffic on the Internet is not encrypted.

Yan: Oh, I mean, it’s yeah, I mean it’s, it’s more than 50% now. But, yeah it just crossed the 50% line, somewhat recently, I think a year or two ago, maybe a year ago. Yeah, so you’re right. That means, 40 something percent of the Internet traffic out there is still unencrypted. I think a lot of that was last time I checked, a lot of that was Netflix, but Netflix turned on HTTPS somewhat recently, so maybe now it’s over 60 percent [Okay] Yeah.

Pramod: One of the problems I see is reading and understanding company’s privacy policies. I received an email from Quora regarding their privacy policy, and I started reading, and it was a lot of reading, and I lost track of it. How do we deal with this?

Yan: Yeah, that’s a great point. Umm, so EFF had, I think it was the EFF. It might be a different organisation. Someone had a project called “TOS Back” – TOS stands for “Terms of Service” and Back is just the word back. It was a service that would, keep track of privacy policy changes and notify you if anything happened that was different and, highlight the differences. So it would look, a Git Diff of different privacy policies. I think that would be useful; I’m not sure what happened to that project. But yeah, I think in general companies, companies want to give themselves more leeway with their privacy policy. So that if they, if they start as a new data collection program or integrate some new analytic service, they don’t have to email every one of their users with a policy update. So they try to relax and their privacy policies which also give them, a broad amount of permission [Yeah] to do anything. So, I mean I think as users you can, I think a lot of these companies they have PR departments that care what people are saying. So, if you see a privacy policy that’s very broad or very, have something concerning in it, it might be worth contacting the company. Or posting about it on social media is, why are you able to, track my location at all times or something that, yeah. That gets their attention.

Pramod: I think 90% of the people will just click accept, and just move on.

Yan: People do that with employment agreements too, by the way. So, yeah I recently started paying attention to arbitration agreements. Are you aware of? [No]. So basically, a lot of employers in the United States will have a clause in theirs, in they’re onboarding agreement, where it says, “You waive the right to sue the company in a public court and instead if you have any complaints about the company you have to agree to mediation”. So, if they would resolve it privately outside of Courts, [Ohh] yeah, which is very cost-efficient and often good for the company but it’s bad for employees, so yeah.

Pramod: This is a recent development, on December 14, 2017, if you see the Repealed Obama’s Net Neutrality rules, junking the long-term principle that all web traffic must be treated equally. What happens next?

Yan: Yeah, that’s a tough question. I think I don’t know. People need to keep complaining. I think the net neutrality protests were a good sign, but if you mean, if you think back to successful protests SOPA, PIPA from a few years ago or several years ago at this point. The most effective thing that happened was that tech company blacked out their websites that day. So, they were saying, if these laws passed you won’t be able to access content. So they to shut down their websites Wikipedia did this. [Yeah] EFF did this etc., and so that got people’s attention that, this is the reality we have to live with if this law passes and that got people to protests more. So, I think tech companies, and service providers can do a large part of activism by showing people what the risks are [Definitely] very concretely.

Pramod: I feel that ISP’s, will create slow lanes, fast lanes and also total speed or block content at certain regions.

Yan: Right, yeah. I saw people do that with net neutrality, they slowed down, or they showed a loading indicator on their websites, yeah.

Pramod: With the current political climate, where are we heading? Is it all ISP’s rule the internet or is there hope?

Yan: It’s hard to say. What’s supposed to be special with things like net neutrality, I think, there’s still hope because with net neutrality what was repealed was the FCC regulation of it. But, there’s also other types of regulation, there was market regulation. Umm, so things that could come, could come in a balance out the lack of regulation from the government, hopefully. Maybe that’s optimistic, [Yeah] but no, not always lost. I think, yeah, it’s hard to predict what will happen.

Pramod: I think, we should not give up on this, and we should keep fighting.

Yan: Yeah, and I think the real thing that, that should be avoided is nihilism because people get very fed up. They’re, oh, there’s nothing we can do that will influence, influence the government or make privacy better. So we should just give up, and I think that’s the wrong approach, because, then you don’t have any chance of doing anything if people don’t care.

Pramod: I was having a conversation with a friend of mine he was like, what happens to Tors and VPNs with this net neutrality?

Yan: Uh, you think ISPs will shut down [Yeah, yeah] on that [I don’t know] so, so that’s what, that’s why I said earlier that market forces would hopefully come back to restore balance because let’s say that Comcast bans Tor. Well, then, given that so many people want to use Tor, if another ISP like monkey brand or sonic decides that they allow Tor, then, they’ll get a large amount of traffic, where it’s a large number of customers. So that’s, that’s a market force that can ensure balance and fairness among these different players. But then again, no one’s done economic calculations on this so who knows.

Pramod: Moving on, a different topic. Big data as its proponents have been saying for nearly a decade now can bring big benefits. By now it’s obvious that people are generating thousands of data points every day. What’s your, take on this? Is big data for big benefits or is it creating privacy problems?

Yan: Uh, I mean, yeah, definitely the large large-scale collection of data, in general, is a problem because, data that isn’t personally identifiable or unique in the singular, can become a unique profile when aggregated. For instance, if you’re, imagine you’re looking at some analytics database, and you see that someone has some Android phone and 20 bookmarks for instance. Yeah, so, that’s not unique but as you collect more and more data points from that IP address that can to build a profile of a unique person. The person with this Android phone, with 20 bookmarks, who always uses the Internet, at this particular time etc. So, there are a lot of risks there, and I think companies large companies at least are becoming more aware of this. I know companies Google have tried building differential privacy protections into some of their data collection and I think this is something Yahoo was also interested in. So, yeah, it’s I’m not an expert on these research areas, but I think it’s good that people are thinking about them. And more importantly, I think a lot of companies that collect data that they don’t necessarily ever find useful or maybe retain that data for longer then they need to. So, a simple thing to do, which is the speed of audit your data collection and to delete anything that isn’t necessary, yeah.

Pramod: At least, be aware of the apps that are tracking your location, disable if not needed.

Yan: Right, yeah and that’s often done. I remember one case where there was an app. Where it collected and precise, oh no, what it did was, it told users with large precision the distance that another user was from their current location. But the problem is that you can use triangulation in order to find a specific coordinate for someone. You know their distance from you right now, and then you move 40 feet, and then their distance again, and then you can calculate their exact location. [Okay] So, there are problems that are more subtle also.

Pramod: Okay, cool. I think there’s role for computer engineers to play in creating awareness but there is a big gap between programmers and security engineers.

Yan: Yeah, I agree with you. Yeah, I think in an ideal world every programmer would also be a very privacy conscious and aware of these issues. Perhaps, this is an issue with education [Yes] in the curriculum because, people everyone who does computer science, takes an algorithms class [Yeah] but not everyone has a security class whereas, so it’s, that was a requirement for all new software engineers. I think that would go a long way.

Pramod: I took a few security courses in my master’s program. All it said, it was a bit of cryptography on our back, lot of outdated stuff.

Yan: Yeah.

Pramod: My next question is if he or she wants to be a privacy engineer where do they start?

Yan: Oh, that’s a great question. I honestly think that it’s, well, assuming that you have some programming knowledge, which means you can write a script in any language of your choice Python, bash, node whatever. Once you have that ability, I think the next best thing to do is just to start doing audits, security audits. So, many companies have bug crowd or hacker one account set up, and so, they incentivize financially, people who look through their services and try to find bugs. That’s actually how I got started to doing, security audits was I just saw someone who was willing to pay me to do an audit of their web, web app. And, and in doing that, I learned probably 50 percent of what I know now, about security testing [Okay]. So, I think, I think to have hands-on experience and as a real-world setting is by far the most important thing [Okay] for privacy engineering.

Pramod: Okay, that’s awesome! [Yeah] Next, for general internet users, how do they protect themselves?

Yan: Don’t enter information on HTTP websites, [Okay]. Yeah, I mean, I think that’s the obvious one that, every software engineer knows but normal people don’t necessarily know the difference between HTTPS and HTTP. And that’s probably something browsers are trying to fix. , they’re trying to flag HTTPS as much more insecure and bad, but in the meantime, people should educate themselves on that. And, yeah, and I’d phishing a hard problem too [Yes]. , people, even when they notice HTTPS sometimes the domain will be a tricky domain. People should set up two-factor authentication on all their services, preferably with a Yubikey, because that also prevents phishing, if it’s you to a universal two-factor service and so forth, yeah. I’m not sure what else there is, I mean use a password manager [Yes]. Don’t use the same password on all sites.

Pramod: I would also like to add, just be aware of the data you are entering on to the website, and also what are they doing with it, that plays a huge role.

Yan: Right, just be like, why does the site need my phone etc. [Yeah]. Yeah, on a similar note people should turn off autofill because you might have seen there’s this up browser bugs, where you can make invisible fields and have that autofill and then JavaScript can read the fields.

Pramod: Today, you are a senior engineer at Brave. Tell us more about it, what are the advantages of using Brave?

Yan: Well, so Brave does a bunch of things. But one of the things I’m most excited about is how it integrates a bunch of privacy and security extensions into one package. So for instance, there’s no script functionality, there’s HTTPS Everywhere, fingerprinting protection, tracking protection, and add block and flash blocking. So, instead of having that be, you have to get, to get the equivalent of that on something Chrome you have to download chrome [Yes], you have to turn off flash explicitly, turn off wide wand plug-in integration, download HTTPS Everywhere, download a script blocker, downloads Unlock origin and disconnect or whatever a privacy badger. So, Brave kind of gets rid of all of that. [Okay] and we try to make it very usable and manageable for normal people, yeah.

Pramod: Awesome, thank you for time Yan. [Yeah]It was a pleasure talking to you.

Yan: It’s great talking to you too, thank you.

Pramod: That is it, guys. She is a wealth of information, wonderful speaking to Yan Zhu. She is one of my inspiration to work in this field. So many contributions at such a young age. Next episode I will speak to PostMan founder Abhinav Asthana. Developers who build REST APIs must have used the utility tool called PostMan at some point. I love PostMan and looking forward to speaking with Abhinav. And my next episode will be in the Third week of February, as I said in earlier I would be doing one show every month. Until then you have all god time. Byeee