"The Data Diva" Talks Privacy Podcast

The Data Diva E109 - Brandon Pugh and Debbie Reynolds

December 06, 2022 Season 3 Episode 109
"The Data Diva" Talks Privacy Podcast
The Data Diva E109 - Brandon Pugh and Debbie Reynolds
Show Notes Transcript

Debbie Reynolds, “The Data Diva,” talks to Brandon Pugh, Senior Fellow & Counsel at R Street Institute. We discuss his background in the New Jersey State Legislature and National Data Privacy, the Military, the FBI, and elected office, why the US can’t simply implement the GDPR and the complicated State and National issues of Data Privacy, the lack of education about this issue, the need for a new agency to address these concerns, the lack of individual human right to privacy, the need for privacy legislation to have bi-partisan support and ADPPA, don’t let the perfect be the enemy of the good, California has several privacy advantages and is the standard now, and for the foreseeable future, IoT needs direction and his contribution, EnergyStar as a good but simplistic model for IoT,  and his hope for Data Privacy in the future.

Support the show



privacy, ftc, congress, california, label, people, concern, security, states, iot devices, bill, buy, pass, consumer, legislation, law, point, industry, provisions, federal


Debbie Reynolds, Brandon Pugh

Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This "The Data Diva" Talks Privacy podcast where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know now. I have a special guest on the show all the way from the Beltway, kind of New Jersey and DC. Brandon Pugh. He is a Senior Fellow and Counsel at R Street Institute. Welcome.

Brandon Pugh  00:44

Well, it's a pleasure to be here. I've listened to numerous of your shows. It's always great to be on and talk about something that's a passion of mine, Data Privacy and data security, especially legislation. Yeah.

Debbie Reynolds  00:56

Well, you have a very interesting background; you obviously have the legislative chops, and that's something that you work very closely on. You obviously are interested and have expertise in cybersecurity and privacy. So tell me your trajectory in your career and why privacy is of interest to you.

Brandon Pugh  01:17

Yes, so thanks, Debbie. So my background is kind of atypical for DC. I actually come most recently from a State legislature, that being New Jersey. And in that capacity, even though most of the laws, whether it be judiciary or medical laws, they would funnel through me as one of the staffers and one of only a few attorneys, I pulled out all the Data Privacy tech and cyber legislation just because it was my passion. So it was neat to be able to focus on just New Jersey but also really be mindful of the entire landscape across the country as New Jersey is considering legislation. So that's really where my passion for privacy specifically started. Then being at R Street now I serve on, it's a nonpartisan Think Tank, and I'm on the cyber team. But a major element of our team is Data Privacy. And I'm the Senior Fellow leading that work which connects to a few of my past jobs and for the legislature, my you know, my career spans the military, time at the FBI and time in several elected offices too. And ultimately, some people look at my resume like, well, how does being an elected official match up with Think Tank service? And truthfully, I think it's all these experiences that made me a better Fellow now because DC is such a unique place; you have to have substantive expertise. But it's also very political, and you have to know the legislative landscape.

Debbie Reynolds  02:41

I think that's 1,000%. True, I lived in DC for 10 years. So I know a lot about kind of the inside scoop of the Beltway, of getting connected and fill circles and understanding how things work. You know, this is, we definitely have an American audience. We have a lot of people internationally. And I think a lot of people internationally are looking around at all the Data Privacy regulations that are being passed. And they're like, what is up with the US? Like, why can't we get this done? So can you talk about that, like how people think it's so funny? So this is a funny story. So I was at an Edtech conference. And I heard a guy say, well, why can't the US just take the GDPR and implement it in the US and I went like, oh, my goodness. There are so many things wrong with that statement that we have to talk about, right? Because I mean, structurally, obviously, we're different countries were structurally very different. You can't wipe out 200 years of jurisprudence just because something is coming up. But talk about someone like you who understands the legislation and how that works. And also the technical issues that we're running into around data. So what tell me from your point of view, why is this so difficult for us in the US?

Brandon Pugh  04:19

Yeah. And let me first say you're right; I've heard the GDPR comments several times myself saying, well, can't we just enact that in the US and we'll move on? The reality is it's pretty complicated. You alluded to, because like taking a step back to where we are now in the US, especially for non US listeners, kind of two general directions. We see States acting in privacy legislation. Right now we have five states with standalone privacy laws and over 27 states trying to enact similar legislation this year. So that trend is continuing, and I think it's going to progress in the next year. And then we also see certain sectors regulated like health care, finance and students just to name a few. The concern is really, three of them really. One is this patchwork that's emerging. So we have States that vary in their laws, or worse yet, you may live in a State with no protections, which is the vast majority of Americans. And then next, like there's Wall Street strongly looks at the security reasons why we need privacy. And right now, there's major concerns from adversaries buying and selling information on Americans, and a privacy wall would help with that. But third, it's kind of a mess for the industry. Not to downplay the need from a consumer point of view, because that's definitely very relevant. But industry now has have a degree of uncertainty on what the laws they have to follow are; when is the next one going to come online? And I think Congress could really change a lot of this by enacting Federal privacy legislation in the US and we've made significant progress this year on that, but there still is definitely a long road ahead. Not to downplay how much work still needs to be done. But there is potential there.

Debbie Reynolds  06:05

You know, I feel like there just isn't enough education around what exactly is happening. And so, to me, it's hard to make a change if people aren't on the same page about where we are right now. Right? So I saw a letter that came out from some big industry group or something they were like, tell the FTC to stop rulemaking so that Congress can pass privacy law, like FTC, if Congress passes a law, it will trump what the FTC is doing and rulemaking so to think that one is popping the other it's just not, that's not true.

Brandon Pugh  06:47

Yeah. And to your point, they're like, I've, we've recently submitted comments in FTC. And I did raise some concerns around that in terms of their scope and maybe being a little premature. But I think the solution is then Congress could  like they've done in the American Data Privacy Protection Act, it's delineated different areas for the FTC to go forward and rulemaking on versus now that we see the FTC is taking upon themselves to do rulemaking because Congress hasn't given them specific directions. So I think this is a real opportunity for those skeptical of Federal agencies to direct them, and then, you know, realizing that they are going to need resources too, whether it's the FTC or some new entity, which, you know, hopefully, it's not, you know, a new entity, but they are going to need additional resources because I think there's a role for the FTC. But it shouldn't be, in my opinion, kind of constrained and directed by Congress because after all, Congress has a policy for the FTC or the substantive experts when it comes to privacy.

Debbie Reynolds  07:46

Yeah, I think we need a new agency, frankly, because the FTC doesn't cover all industries, right? So having more of a human rights approach and something and not to say that the FTC is doing what they're supposed to do, right? They're constrained in what they can do. And so we can't pretend like those other issues are fair. So I think having an agency like California did at their State level, right, having an agency dedicated to this, not only like California is doing but like almost any jurisdiction I can think of, you know, China, Saudi Arabia, Europe, Australia, like all these places, Brazil, for Christ's sake, right. So all these places have decided that you need an agency to work on this separate from other things. And so we know that a lot of the impetus side behind privacy in the US has been commerce, so we can't ignore that. But I think there's more there in terms of the human rights of people. So if I'm not in the US right now, if I'm not consuming stuff, like even my rights don't really kick in. Right. So that's kind of a big, big issue.

Brandon Pugh  09:11

Yeah, and you've raised two great points. Just to kind of elaborate on one being all those other countries that have moved forward and progressed. We see ourselves as a leader in most aspects of the world, economically and military but we're really behind now when it comes to privacy. We even see China having a privacy law; granted, you know, maybe it's not as robust in practice as it is on paper, but still, they have something whereas the US doesn't. So that's the first point and the second point, you're right. A vast majority of Americans right now don't have rights when it comes to privacy outside of like those limited areas like health and finance. If you live in 45 of the states without the laws. You don't have a right to know how your information is collected, how it's used whom it's sold to, and then most importantly, in my opinion, how it's protected, which is kind of pretty easy. That's where we are now. Like we've come a long way, I am happy to go into a, to like in terms of this Congress a lot farther than in previous congresses. And there's been a lot of areas that have been traditional roadblocks we've seen move forward on a bipartisan basis, which I think is the key; no matter how we move forward, we will need bipartisan support because privacy and even cybersecurity more broadly. You know, it's a little naive to say this, but they should be bipartisan, like these are issues that impact everybody, regardless of their political party.

Debbie Reynolds  10:33

Yeah. It should be bipartisan. I don't know. It obviously depends on what pieces are on the chessboard at the time. Right? So all that plays into things. I know that when the ADPPA first draft splashed on the scene, I think I was probably one of the only people kind of naysayers, not that I didn't want Federal privacy legislation to pass. I just felt like it was knowing that the midterms are coming up knowing kind of the state of play like we were going to write this summer. I just didn't think there were enough legislative days to actually get it done. And so I think I was right on that. But there seems to be and you know, I had Cameron Kerry from Brookings Institute, who's a former head of the Department of Commerce, and he actually was the person in the Obama administration that had written the Privacy Bill of Rights. He thought that there may be some activity in the lame duck session, meaning now that the midterm is over, between the time that new people get installed and their new roles, there may be an opportunity for people, the Congress to kind of regroup and try to figure out how to get ADPPA passed. What is your thought there?

Brandon Pugh  12:13

Yeah so I think there's two different ways you can go forward, either we act on this legislation ADPPA, or we're coming back in the 118th Congress and either reintroducing ADPPA or something similar to that. I definitely remain optimistic that we continue to move forward in ADPPA this Congress; I do realize there are many priorities though at the same time, whether it be a spending bill, and there's so few days left. So all that I'd like I want and I think that's the direction Congress should push for. And there is a potential for that. I'm just also being realistic that it is limited. But we have seen even today, numerous key voices in Congress have said they want to push privacy legislation during lame duck. So they are continuing to push leadership; I think there's some still some big hurdles to making that a reality. I don't think they're impossible to overcome. I just think it's going to be a lot of work. But I was it was comforting to see key voices calling for it to be acted on during lame duck. And really just as it comes down to a matter of priorities for Congress and both houses, and both parties, is this really want to prioritize? My answer is yes because it's really needed. Now, we've waited long enough for privacy legislation. But if not, I think the 118th Congress should realize it ADPPA has come substantively a long way. So rather than like totally reinventing the legislation, I think that's a good starting point. And then maybe we think of ways, other ways to finesse it further in a new Congress. So I would say to Cam Kerry's point, which I respect a lot, it's definitely a possibility. Yeah, yeah. work to do, though.

Debbie Reynolds  13:58

Yeah. Yeah. Cam is more optimistic than I am on this. Not that people don't want it. But again, there's kind of, you know, logistics, right? There are technicalities and a lot of movements happening. And you know, on the back end, and then we have holidays coming up, right? So I was like, are people going to prioritize this over like, you know, three major holidays or whatever. But you're right.

Brandon Pugh  14:24

And to add to this, I don't want to sound pessimistic because I am in the camp that we need this, and I'm doing everything I can to keep pushing this. But there are some political challenges to which we can't forget; I mean, Nancy Pelosi, Speaker Pelosi has I wouldn't say she came out against it. But she came out saying that there was additional work that needed to be done, namely around preemption, and just for those that aren't attorneys or don't follow this, basically, how will the Federal law interact with State laws and the reality is California has their own law. So will how that interplay with Federal law? And that was her concern because that's come out with Governor Newsom, their State Governor, their California Protection Agency, they all have concerns. So that makes sense why she has expressed concern. So the question will be now is, will she give this floor time and put it to a vote on the floor, given her concerns? And is there a way to address them? There's definitely a way to address them. The challenge with this bill is it's a very delicate balance because historically, Republicans have been very supportive of preemption, meaning there's one strong Federal law, and against the private right of action, meaning individuals can sue if the rights are violated, Democrats have been largely the opposite. There's some exceptions. They want a strong prior right of action and weak preemption. So all of these things are, they all fit together, it's easy to talk about them as discrete issues, but they're really not. So if we were to adjust preemption, let's say, then we may lose some Republicans that are against it, because there's still this private right of action there. So that's kind of a political dynamic. And I think that's something that's remarkable about ADPPA is that it's tried to strike this balance of making both sides happy. Yes, there's still work that can be done, but they've tried. Secondly, like Senator Cantwell, it's not a surprise. But we've had three of the four key leaders on this bill, the Chair and Ranking member in the House, and then the ranking member in the Senate. They've all come out in favor of this. Senator Cantwell is the fourth voice that hasn't. And she's the chair of the Commerce Committee in the Senate, obviously. So she is a very important voice. And she cares deeply about privacy in her defense, but there are some differences between how she thinks it should look. And obviously, her voice is necessary because she chairs the committee, and this bill still needs to pass in the Senate, which

Debbie Reynolds  16:46

So what are your thoughts about this? Now? I say this, and I know a lot of people, this is the reason why we can't get anything done; I feel because my thing is this, if we can agree on 80%, let's pass the 80%. And then let's work on the other 20 later, because I feel like to me these types of big bills or things like that, they get done in layers, not layups, right? So no, don't wait until the end of the buzzer and then try to throw everything in there. So to me, I feel like it will be better, instead of having absolutely nothing, right? Why can't we say, okay, here are the things we absolutely agree on? Let's trim the bill and get those things out. And then we can fight later on these other little nuanced issues. What are your thoughts?

Brandon Pugh  17:39

Yeah, well, historically, that's similar to the view I've taken and R Street's taken because, admittedly, this bill is not perfect in every sense. And there's certain parts that if I were to sit down and write it, would look perhaps slightly different. But I do realize this is a consensus bill and that we need Democrats on board and we need Republicans on board. So we do need to find this middle ground. It's just not a small group sitting in a room. And I think that's why this is unique, because we do see left leaning groups in favor of this bill, and right leaning groups. So in terms of the approach of passing it, I think there are certain areas that we could defer to a Federal agency to do specifics on it and give it like, let's say the FTC, for example. The challenge would be is if we can't get a consensus on these key areas like prevention and private right of action, preemption, I would say is still relevant, especially considering the Speaker and there's kind of two general ways we can solve it or keep it what we have now. A stronger branch in language or we do what California is asking for is to make it a Federal floor meaning states can make stricter laws, but there's a baseline across the country. Yeah. So that's one option. But to your point, I think we could revisit other provisions later. Like one issue that's out there still is arbitration. So should we change arbitration, meaning that this is an oversimplification, but essentially, should parties that have their rights violated have the opportunity to address it out of court? Or should they be able to go directly to court? That's very simplified. But the concern there is that if we had a private right of action, and companies are still using arbitration, will private right of action be fully available then? And there's pros and cons to that approach. You know, I'd hate to see that hold up a Federal privacy bill because of how far we've come. But I do see the arguments for and against it are my personal view, is that right now, we've handled arbitration in a piecemeal approach. So I would hate to see it kind of continue in that fashion. If Congress generally thinks the concept of arbitration is invalid, it may be better to look at a holistic approach rather than just saying we're going to view it in this context today. Tomorrow, we'll look at it in privacy next week. We'll look at a different era if that makes sense.

Debbie Reynolds  19:59

Yeah, definitely. So let's talk a bit about California. So California has an advantage in many different ways. One is just time, right? They started, you know, they've been very strong on privacy for decades. They have privacy as a fundamental human right and their constitution. They've done these little incremental steps. And that's the reason why they're so far ahead of everyone. But then also, you know, they the CCPA, has been been in effect for years now, the CPRA is going into effect. So I think, you know, California, regardless of what happens on the Federal level, in the absence of a Federal bill is the de facto standard in the US, right? And it will be for the next two years, regardless of what happens with ADPPA. So let's say ADPPA magically passes today; it will still probably take years to implement it right. So what I'm seeing or what I have seen over the years is companies that were not in California didn't have to comply with California's laws decided as a business case, it was better for them to align their business with CCPA. And when California was doing, because they felt that California will be stronger than these other states on stuff. And so that's been a very winning strategy for the company. So in my view, making California floor would be easier because companies are already accustomed to that. Right. So what are your thoughts on that?

Brandon Pugh  21:38

Yeah, you're right; we do see many companies voluntarily following California or even GDPR, realizing that if in the future, we follow a price regulation, we've taken a big step in the first place. And it also is it is a differentiator; I think something a lot of big companies and really small medium sized companies don't get enough credit for a lot of them have voluntarily put faith in privacy as just a core business strategy. Yes, it maybe it's not as strong as some would like to see. But I've been impressed just in speaking with companies and consumer groups as well, of just what protections that are out there that are maybe not publicly shared as a common. But and you are right that even if ADPPA passed today, there are provisions that would take time in areas that the FTC would have to do rulemaking on. So there would still be a path forward. And obviously, I always tell people my work really just begins if ADPPA passes today, the implementation stage is going to be just as important for companies that need help figuring out how to wrestle with this, and the FTC is going to need experts to weigh in. So there is a path forward but if we wait any longer, let's say we're going to need 118th Congress, and it just stalled, then we're just farther behind. I think California has done a lot. They've like we've seen California's legislation impact where we are now at EPA, so I don't want to not give them credit. I do think that there is some fault that and this is my personal opinion. I wrote an op-ed recently in the OC registrar. So I maybe don't have a ton of friends there. But I basically was saying that I respect California, but there may come a point where we're at a time where one State shouldn't hold up the entire country in passing a privacy law. I do think ADPPA try to account for California, like they there's parts in the text that specifically call out the California, the CCPA giving them authority that other States wouldn't have. There's also a lot of rights in ADPPA that are stronger or non-existent in California; the pushback there would be that California has a provision essentially, this is an oversimplification, but that the State law can always get stronger, but it can't take a step back. So some Californians have concerns rather if we pass ADPPA today, it could get weaker in the future, and Californians and Americans lose privacy protections. My response would be that in the interest of the country because we are a country of 50 states, that's why we should have like a Federal standard. So yeah, and these very conversations we're having are the exact way to get some privacy laws yet.

Debbie Reynolds  24:20

Yeah. Right. Exactly. The, you know, I'm very good at predicting these things; I have been for decades. So I've visited California recently, you know, and my feeling is they're not going to take one for the team. So I don't think they're going to, they're not swinging on this argument like, hey, make the sacrifices for the rest of the space. They're like, nah, I think we're good.

Brandon Pugh  24:45

I think you're right. I get it, you know, California, when they came out with this process like it, was groundbreaking like yes, our you know, colleagues and friends in Europe are considering these things, but for the US, it was a big step. I will be curious to see kind of, you know, talking about politics a little how things will play out. Yes, the numbers are still up in the air a little bit, but it generally looks like the Republicans will have control of the House Representatives. And obviously, that means we'd have a Republican Speaker. So I'm not sure who that would be. But let's say it was Kevin McCarthy, a Speaker in the past; he has felt strongly about a Federal privacy law that has preemption included, obviously individuals can change their opinions, but that was at least his stance when he said that. So I will be curious to see if that impacts future privacy legislation; all of the challenges could be that if we have in the 118th Congress, assuming it doesn't pass this session, two houses, the Senate being Democrat and the House being Republican, there's some people that are concerned about there potentially being an impasse and not moving forward. I hope that doesn't happen because it truly should be both parties working together. And you know, even we saw that this year coming out of the House committee a 53 to 2 vote. I mean, that is impressive any way we look at it.

Debbie Reynolds  26:07

Yeah. Excellent, excellent. Well, I want to switch it up a bit. So you and I are sort of working tangentially on an issue around IoT. And I'd love to chat about that a bit. So I was recently appointed one of 16 Americans to the IoT advisory board by the Department of Commerce. And so it's a two-year appointment to go to DC and meet a couple of times a year, and we're going to work well, you know, this, it's this multidisciplinary team on cybersecurity privacy issues, trying to work on the economic impact of IoT, figuring out what type of international agreements that make sense for us to try to push this, and one of the reasons why I decided to work on this issue is because IoT is buckwild, in my opinion, we just need some direction, not only as a country but just internationally. So you know, these products are coming out fast and furious. There just aren't a lot of guardrails there, not a lot of direction in terms of security and privacy in those types of spaces. But I want you to talk a little bit about your work ethic, your work, I want you to explain what you're working on with IoT, and we chat about that.

Brandon Pugh  27:39

Sure. Well, first, congratulations; I saw you were appointed maybe a couple of weeks ago or so. So I was thrilled to see given your background and privacy that you were on there. Because traditionally, we look at IoT devices just through like a cybersecurity lens. And as you and I both know, there is a difference between privacy and security, very intertwined. But there are differences. So my work around this has really been around what the White House has been doing. So the White House convened a group of mostly industry groups, but there were a couple of Think Tanks there, myself being a Think Tank representative, consumer groups there, everyone really creating a label around IoT devices are what they're calling the ENERGY STAR for cyber. So essentially, if you were to go buy an IoT device, let's say in the store or online, you could look for some sort of either QR code or physical label that says this has been vetted. It needs a baseline level of security and allows consumers now to know that the devices they are buying have met some baseline of security because to your point, you can buy an IoT-connected device today. And you don't know if it's been made in an adversary country where they're intentionally collecting information from Americans, or is it so vulnerable to security that if you have an electronic lock in your front door, somebody could just open that and come in your house, we've seen the disasters, case studies of babies being monitored through baby monitors against, you know, crazy individuals, for lack of a better word, so that the legal initiative is underway. Still a ton of questions surrounding that. But I was, you know, encouraged to see that process moving forward.

Debbie Reynolds  29:22

Yeah, yeah. I know; I think this would be a fun debate for us to have. So I think kind of like the initial ENERGY STAR label is a good way forward. The concern that I have there is IoT devices, so let me give you a sample. So like, let's say you go and buy a non technical toaster, right? So you buy a non-technical non-Internet-connected toaster, it's not going to do anything except what it was developed to do, right? You don't need any software updates; you don't have any firmware updates; it's not going to have like new features or anything, right? So a device like that you put a label on it, it makes sense like, so like a washer and dryer or whatever. But we have Internet-connected devices, and the manufacturer, or who is the software holder, can change the features that are happening on the device, the security can get changed, and the firmware can get changed. So you have a device that can be changing and doing different things based on you know, what, you know, the chips that are in the device when it came, you know, just because let's say, for instance, you buy an Internet-connected device, it does today 10 things, but really, based on the hardware or the chips or in the device, it may be able to do 20 things right in the future. Because as more technology is developed, more software is developed, it can do different things. So my concern with the label is, is that a label? You know, depending on what exactly is on that label doesn't really speak to what that device actually is and what it can do.

Brandon Pugh  31:11

Yeah, so I actually agree with you personally because this is kind of a concern on how a label would look. So one side you could have, like, I'm just making this stuff, this isn't coming from the National Security Council like a checkmark that if you saw that, that means it's meant the baseline in other option is or maybe a combination of both, is it some sort of QR code that you can you could scan and that would allow in real time for you to have the most accurate information, because to your point, I could see a scenario where maybe it met a degree of security, the time of boxing it but then a year later or even a day later, perhaps is a vulnerability that is unpatched and then now a consumer buying a product with a false expectation of being secure. So I think that is the value of having a QR code, you can get real time information. Obviously connected to that is consumer education; it was not easy for ENERGY STAR to catch on. There's a lot of money and a lot of advertising that went around that. So consumers would have to be told, what is the point of this? What is the information? And then on the government and industry side, there has to be consensus around what is the baseline and what information. So from my point of view, I want to see privacy provisions encompassed in this label. So far, it's mainly more on security provisions. But in the White House's defense, like it's not set in stone, and they have a draft out there, and they've asked for critical feedback. So this is an ongoing process, not something it's done by any means. I've heard Spring 2023 as a potential launch, but I'm not clear if that means that's the framework, or if that's like when we actually see see the first label itself. So kind of ongoing.

Debbie Reynolds  32:53

Well I'll be interested, you know, anything a step forward? I'm not going to throw salt on any efforts because I think being able to realize that this is the issue that education is necessary. I think it's definitely important. But I always think about those nuanced issues, right? I'm thinking about someone's Grandma who doesn't have a smartphone, or someone who doesn't fully understand, they don't understand that the device is changing, right? You know, I say, an IoT device is like a computer without a screen, right? So you think it's doing things that you may not be aware of. So I think that education is really important, but not only that, I work with industry groups to work on standards and stuff like that. And I think what they want is to drive adoption, but that adoption won't happen unless they have trust. So that label is something that gives people more confidence and more, you know, security, or, you know, feeling that they understand what they're getting into; I think that's great.

Brandon Pugh  33:59

Yeah, and you're right, there are efforts underway, different entities out there, whether it be ioXT or some of their competitors, they have sample labels as well, just different countries around the world, like the US, is actually not the one to have made this. They're just doing it for now. So thinking of an approach that kind of respects the work that's been done and then syncs it with their international allies, I think is important because I don't think the worst case would be we just have another label that doesn't match up with existing work and efforts around the world. And now we have an even more confusing system where consumers now see multiple labels. And they're like, well, what label is this? What does this mean? Or maybe in the future, we see a label that emerges just for privacy because we do see some vendors already that are providing privacy labels will say around websites, and I think that work is commendable. So rather than seeing, you know, that be put on hold for a future label, I think this is an opportune time for the NSC. And this because this is active in this space to kind of think about how we can take a holistic approach with security and privacy for IoT devices.

Debbie Reynolds  35:08

Yeah. Excellent. Excellent. Very cool. I'll keep my eye on you on that.

Brandon Pugh  35:14

Of course, no, I likewise, see your work. Yours is more fascinating than mine, you have the impressive position. I'm just somebody from a Think Tank that gets to study these issues, which I can't diminish. I love it.

Debbie Reynolds  35:27

It's amazing, it's amazing. So if it were the world, according to Brandon, and we did everything that you said, what would be your wish for privacy anywhere in the world, whether you legislation, technology, or human activity? What are your thoughts?

Brandon Pugh  35:42

Yeah, so as you may have guessed, I'd like to see a Federal privacy law in the US. In my personal feelings for that, I do think it should be pre-emptive. It should be one standard. In AI, I think for that reason, I'm most concerned about the security side without it, you know, seeing our adversaries collect information, use it, I still serve in the military. So it does concern me how we know. And this isn't speaking on behalf of the DOD, but it's just open-source information that shows the various actors around the world want information on military intelligence professionals and exploits it. I think it's just one of many reasons for privacy law. So my goal would really be to see Congress and the administration kind of rally behind having a privacy law; obviously, the substance is key. And I don't want to see a bad privacy law before. But if we could get to the bottom of a sufficiently good law. I think that would benefit every American, consumers, industries, security. Truthfully, I think it should be done. Now. I don't want to see we're entering the 120th Congress, 130th Congress rehashing this; it's time for America to step up and join our allies around the world that have put privacy as a priority.

Debbie Reynolds  36:55

Yeah. You said that you said it best. That's amazing.

Brandon Pugh  37:00

You're too kind Debbie.

Debbie Reynolds  37:01

Thank you so much. This is great. I think that everyone will fully understand the types of challenges that we have here. And yeah, we'll see. We'll see if your prediction comes true.

Brandon Pugh  37:14

Debbie, thanks so much. I'm thrilled with your work. And I'm always happy to be a resource for you or any of your listeners that want to talk about these issues.

Debbie Reynolds  37:23

Excellent. Excellent. Well, we'll talk soon. Thank you so much.

Brandon Pugh  37:26

Of course. Thank you