Risks and Rewards of Technological Innovation

February 6, 2019

As technology becomes more advanced each year, organizations need to consider the risks disruptive innovations can raise and whether they’re worth the reward. Is the risk of a data breach or cyberattack worth the improvements in organizational efficiency and even increased revenue?

We invited a panel of experts to our head office in Toronto to debate this topic in front of an audience of information security, cybersecurity, and risk professionals at our #EmergingRisksTO event. At the end of the night, the audience determined the winning team. Read a summary of the debate questions asked or listen to the full recording of the debate and ask yourself: Are you Team Risk or Team Reward? A full transcript of the debate can be found at the end of this article.

John Daniele speaking during the Risks and Rewards of Technological Innovation debate at Resolver

Topic #1: Cybersecurity concerns should not outweigh the benefits of adopting IoT and third-party vendors

Team Risk

There will always be an inherent vulnerability with IoT; it’s difficult to close this gap 100%. However, it is still the responsibility of those who develop these types of products to protect the infrastructure and find ways to gain visibility into these gaps to prevent attacks from happening.

Companies like Google are, by default, trying to predict behaviour and sell those behavioural outcomes to advertisers, and sometimes, as we have seen in recent years, to aid in experiments that can influence elections. There isn’t enough government oversight into mandating security standards with operational technologies.

Team Reward

IoT is about convenience. One way to look at this is to consider the fact that the population is aging. Take, for example, applications like fall detection and health monitoring. There are examples where those devices have literally saved lives, including the Apple Watch, which has detected cardiac issues.

Companies are investing into developing technologies that make our lives simpler and easier and can enable people with limited mobility and disabilities to continue to live their lives with a level of dignity without requiring a care worker.

The enabling effects of IoT, when also combined with technologies like AI, start to bring in things like self-driving cars and smart environments, which can be hugely enabling as a matter of human rights for people who don’t otherwise have solutions.

Topic #2: Individuals are ultimately responsible for the personal data that they upload online, as opposed to organizations, governments, and third-party bodies

Team Risk

You can make sure that you don’t share online and you don’t share private information where you shouldn’t and you can keep things protected, but at the end of the day, the devices that you use, if they’re not secure, if they’re not developed with security in mind, can expose all of your most sensitive secrets to the world whether you like it or not.

Sometimes criminals aren’t necessarily targeting you, they’re targeting anybody because everybody has credit information that they can steal. Everybody has identity information that they can make use of and create secondary fake IDs on the basis of that. How else do hackers find out what your mother’s maiden name is? They surveil you and one great way to do that is remotely. Think about that. We could do all the right things, but if the devices that we use are not adequately secure, you’re still at risk.

Team Reward

There’s certainly something to be said about personal responsibility and how we share data. There are examples where people do overshare online and that’s one of the bigger concerns in terms of the data that is available. If we have a cautious approach and share the data that is necessary to gain the benefits of whatever system we’re participating in or introducing that data into, the value is there.

There’s a little bit of hypocrisy that we should probably acknowledge around what society has encouraged us to do and the way that we share information online across all forms of social media and elsewhere. In other areas, we generally make people somewhat personally responsible for themselves whether in finances or in how they deal with their motor vehicles or anything else.

People are not privacy and security experts, so there’s common sense that people engage in best practices, and corporations can help with that. Beyond that, there’s the fault that shouldn’t be attributed just to technology companies, but rather to the legal system. Technology has evolved faster than we as humans can keep up with it. We’re just catching up to understand the value of our privacy in what we put out there.

Topic #3: Why is the adoption of machine learning and AI rapid in tech giants, but lagging from a commercial perspective?

Team Risk

When you’re looking to train a neural network, you have to have a really good idea of what you want to train it to do, to find, and then find all sorts of permutations and combinations of that. The training process could be one month, two months, three months per use case. This is one of the reasons for a lack of adoption of AI. It takes quite a bit to sort of train traditional approaches.

Most of the time, just simple orchestration and automation is what’s required, not necessarily an AI-driven automation process. It does have its places in terms of looking for patterns, identifying patterns within an unstructured data set. But there is still a need to have a human to label it afterwards, to find all other permutations and combinations.

Computers don’t accommodate for the nuance of human living and experience. You can teach a system to understand. You can teach it to recognize things, but we do not have AI that comes even remotely close to understanding anything of our world. Until we do, there’s always going to be those risks that we must manage.

Team Reward

AI is being used successfully by a lot of companies that are worth many billions of dollars, and many of them would attribute those billions in large part to their use of AI: a lot of the tech giants, such as Uber, Tesla, Google, and Amazon.

Beyond that, besides theories of whether or not it’s effective, companies that are not tech start-ups, tech giants, or digital natives are frequently not data first. So, banks have not historically been data first. They do not have the data and the ability to just go and use AI. You need to be a first-mover. Generally, it is the digital natives whose entire M.O., whose entire business strategies and decisions around what products and services they’re selling, are built around data analysis. That’s the main reason why you see AI primarily used at tech companies and tech giants.

Fern Karsh speaking during the Risks and Rewards of Technological Innovation debate at Resolver

Topic #4: What are the risks and rewards that organizations need to consider when it comes to enterprise blockchain technology?

Team Risk

Companies are integrating blockchain blindly and introducing errors into the consensus algorithm, introducing problems in the way that the network is designed so that, once again, consensus can be gamed. There’s not enough thought being put into why blockchain? Why can’t we just use other simple proven approaches? And when we implement blockchain because we think it’s going to do a better job, are we really thinking about the risks? Have we done enough research into how the system can be effectively gamed and have we really mitigated those risks? Organizations need to ask themselves if they can do what needs to be done with another proven, secure method.

People have been gaming everything in blockchain already, so we can foresee those risks. The exchanges have been getting hacked. The wallets have had their problems. There’s been a total lack of governance in this space and that’s been exacerbated by media.

Team Reward

Society has come around to become a lot more open to blockchain technologies and some of its applications, blockchain being the foundational technology underlying these other applications.

Even beyond risk-taking start-ups, we see very large companies and big enterprises employing and experimenting with blockchain these days. We see blockchain being used in, frankly, a lot of boring and probably future effective ways these days in just creating internal efficiencies. Blockchain is a decentralized, intermediary-eliminating, encrypted technology that banks are currently experimenting with when it comes to back-office transactions. But blockchain is a bad idea for companies that don’t need blockchain. Blockchain should not be just employed in every single company.

Topic #5: Innovative technology and its benefits should trump the right to personal privacy

Team Risk

If people have such a cavalier attitude and approach towards privacy, you’re going to find the next 10 years really interesting when privacy becomes an archaic term used in the distant past. When corporations win, and they can use your information and sell it 50 ways to Sunday, you might look back and realize, “Oh, that’s why I should have been more concerned about personal privacy.”

If you value your freedom, you should think about the implications to our democracy at the end of the day. If many of us in society can be convinced to give up our privacy, that is going to have an effect on lawmakers and the way that they develop policy and the bills that are brought forth to government and the laws that are then passed. If the majority of us do not value privacy, eventually that is going to be making its way into weaker laws.

Team Reward

If we value privacy, we value freedom. If you are willing to give up your privacy, then that’s for you to decide. It seems like we are willing to give up our privacy for the benefits that the technologies deliver to us. If people are willing to give up their privacy for the ability to connect with others, for the ability to reach more people than ever, for the ability to organize and assemble with like-minded people, that’s up to us to decide. You can’t say that you value freedom and then tell people what that means to them.

Allowing technology to innovate isn’t going to necessarily further enable a corporation’s ability to sell your information. Enabling more technological innovation can also enable an individual’s ownership of their own information and ability to sell that directly if they want to because those technologies are already being created.


Thank you to all our attendees and speakers!



About our Speakers

John Daniele, Vice President, Consulting Services, Cybersecurity, CGI
John Daniele is a cybersecurity professional with over 20 years of consulting experience. John has supported clients in both the private and public sector including banking, resources, law enforcement and defense organizations. Currently serving as VP of Consulting Services, Cybersecurity, at CGI, John works with clients to augment and advance the maturity of their cybersecurity operations, to deliver more strategic insights and intelligence to senior business leaders on credible threats.

Simon Clift, Co-founder, Achray Capital Corporation
Simon Clift is a Co-Founder of Achray Capital Corporation, a trading advisor firm for the RJOASIS managed futures platform in Chicago. His 35 years of software engineering and implementation experience have been applied to algorithmic trading, risk management and derivative pricing, for buy and sell side institutions in Switzerland, France and Canada.

Fern Karsh, General Counsel & Director, Blockchain and Cryptoassets, Catalystic AI
Fern Karsh is a consultant and lawyer focused on blockchain, crypto assets and frontier technologies. She serves as General Counsel and blockchain technologies lead at Catalystic AI, an artificial intelligence and blockchain consultancy, incubator, angel investor and AI Academy, that takes start-ups, scale-ups and large enterprise to the next frontier.

Artem Sherman, Systems Investigations Supervisor, TJX
With a background in surveillance, internal investigations and loss prevention, Artem currently works as the Systems Investigations Supervisor at TJX, where he is responsible for the support and enhancement of all systems related to loss prevention, as well as the development of new systems and solutions to support investigations, operations and corporate loss prevention.


Full Transcript of Event

Geoff: I want to welcome everyone to Resolver’s offices and to the event. Really appreciate everyone coming out while it’s this cold and with all the snow as well. I’m Geoff Broad, so it’s really great to meet everyone. I’m a sales manager here at Resolver. I’m just going to kick things off and then hand it off to Peter Nguyen.

For those of you who are less familiar with Resolver, Resolver’s a technology company that strives to bring together different business units within your organization to really streamline processes and bring together all that information. Risk, compliance, audit, InfoSec, cybersecurity, bringing all of that information together in one area, one platform, allows you to streamline, but really also allows you to know what’s going on in your organization.

Especially if a risk event happens or any kind of event, the left hand knowing what the right hand is doing and vice versa, you can actually prevent things from happening, mitigate them, and reduce that impact within your organization. That’s overall what Resolver does. If anyone wants to know more information, there’s a lot of people around in the background if you want to raise your hands for everyone that works at Resolver, feel free to talk to them. They all know a lot about it, so ask them a lot of questions.

This is the second event that we’ve had here. We’ve tagged it Emerging Risks Event. The next one we’re actually doing in London, England, but this is the second one in our office. Really the purpose of it is to bring similar professionals together in similar industries or also in different industries, but having does allow a networking opportunity and really just to socialize with some of your counterparts.

There are a few things I do need to say. For this Emerging Risk Event, we decided that instead of doing a panel, we’re doing more of a debate. As you can see, it’s Team Risk versus Team Reward. At the end of it, we’re actually going to use one of our technologies called Resolver Ballot to just do a quick vote and to see, and you guys get to choose who actually wins this debate. Also, don’t forget to put your business card in the bowl at the front so you can win one of our swag bags.

I’m just going to hand it off to Peter Nguyen. Peter Nguyen is our General Counsel and Corporate Secretary of Resolver.

Peter: Thanks, Geoff. I’m very excited to be moderating tonight’s debate because it brings me back to my high school days when I was part of the Debate Club. It’s nice to be a lawyer, not atypical. Very nice to try something very different tonight. I think we see a lot of panel discussions going on in this part of the city, but to get two different perspectives on some very interesting topics, will be very interesting to see. Secondly, and probably more importantly, I get to use my gavel that was gifted to me by our CTO this past Christmas. Hopefully, I won’t have to call points of order and we’ll have a very civilized, yet hopefully, interesting debate.

I’m going to introduce our panel tonight before I go over the rules. I don’t think we have any walk-up music, but first for Team Risk we have Simon Clift and John Daniele. Gentlemen, why don’t you come take your seats. Simon is noted the co-founder of Achray Capital Corp and John Daniele, VP, Cybersecurity at CGI. Representing Team Reward, Fern Karsh and Artem Sherman from Catalystic AI and TJX respectively.

Before we go over the rules, I’m going to ask our panel to introduce themselves, let them know a bit about who they are. Simon, why don’t we start with you?

Simon: Hi, thank you, Peter. I’ve worked about 20 years in the financial industry usually in the mathematical side of the risk equation but also dealing with a lot of sensitive intellectual property, which has made me very sensitive to the various IT risks that we’re going to look at tonight. I’ve got a Ph.D. from the University of Waterloo, the David R. Cheriton School of Computer Science and I specialize in basically, again, the sort of equations that arise when you’re making risk or option calculations.

John: My name’s John Daniele. I am leading the cybersecurity practice at CGI. The early part of my career I worked for our nation’s spy agency, the Communications Security Establishment, tracking down threat actors and bad guys that were trying to break into critical infrastructure and things like that. I now do the same sort of thing in the corporate sector, helping to track down malicious threat actors, monitor their activity, and report to our clients on how to mitigate the risks associated with that sort of nasty business.

Fern: My name is Fern Karsh, and I’m a lawyer. So, my background is legal and regulatory compliance. I started my career at Lang Michener. I’ve been a lawyer for a little over a decade. I previously worked in financial services and wealth management. I spent a lot of that time internally, in-house as a general counsel responsible for legal and compliance for funds, mutual funds, hedge funds, pivoted to blockchain and cryptocurrencies. Helped create some crypto, some of the first regulated crypto asset funds in Canada and advised other types of entities in that space, so blockchain companies and MSBs.

Basically, had a consulting practice for a little while and then went in-house. Now, I’m at Catalystic AI, which is a technology investor, accelerator, and strategy and consulting firm largely focused on AI and blockchain and crypto assets. I’m responsible for internal legal and external business consulting, regulatory consulting, and supporting our team internally.

Artem: All right, I’m Artem Sherman. I’ve been in the security industry for about 16 years, started as a private investigator. Worked in retail loss prevention in multiple retailers. Whole run for HBC and now TJX. Worked in a few different capacities. Now, I’m responsible for delivering all of the analytics and systems and solutions to identify and detect fraud and theft and other types of losses.

Peter: Great. Sounds like we have a very great panel that will probably have a lot of interesting things to say. We’re going to go over the debate rules right now. It’s not going to be traditional parliamentary-style debating, but what we will have is each team will have the chance to provide certain arguments in respect of certain questions that we’ll be presenting on the screen. Team Risk, obviously, will be talking about the risks to an organization about implementing certain technological innovations whereas Team Reward will obviously talk about the benefits. Each team will have about a couple of minutes each to talk. We’ll switch. Each speaker from each team will have a chance to speak and rebut the other side.

With that, why don’t we get going? Sorry, and at the end, we’ll have a chance, obviously, for Q&A from the audience on any of the topics. So, here is the first topic. Discuss. Cybersecurity concerns should not outweigh the benefits of adopting the Internet of Things and third-party vendors. I will start with Team Risk, John or Simon.

John: I think certainly when we’re dealing with IoT, there’s a lot of interesting complications that come into mind. Memory constraints, resourcing constraints for these devices make it extremely difficult for you to deploy any kind of mitigations or controls or good encryption. There’s always going to be an inherent vulnerability with IoT. The risk could never be close to 100%, however, it is still the responsibility of those who develop these products, who manage and run environments that incorporate IoT cameras or operational technology in an industrial setting, still the responsibility of people who manage and run this stuff to protect that infrastructure and find some way to gain visibility and stop attacks that are happening.

These are devices that can be a point of entry into your system. From there, somebody could break into backend databases and steal a lot of your corporate information or expose private information. It’s inherently difficult to find some way to 100% close this gap. I don’t think that gap will ever be closed. Anyway, those are just some thoughts that I had about IoT and its place in the world today and whether it could even be addressed from a security point of view.

Peter: Team Reward?

Artem: Sure. I think IoT is about convenience and if we’re conscious of the fact that the population is aging and we’re investing into developing all of these technologies that make our lives simpler and easier and enable people with limited mobility, disabilities, to continue to live their lives with a level of dignity with not having to have a care worker, for example, that would take care of them all the time, I would say investing in that, even though it’s early on and some of the technologies seem like they’re not that efficient … For example, I could turn on a light instead of saying, “Okay, Google. Turn on the living room light.” We’re not necessarily the full-target audience for the benefits of IoT and us sticking to it and continuing to invest and evolve these technologies, will ultimately benefit the groups that will reap the rewards of that.

Peter: Simon, do you have any thoughts on what’s been said so far?

Simon: In the retail space, I would not allow one of these devices in my house, to be honest. If you look at the business model, companies like Google by default, what are they trying to do? They’re trying to predict behavior and then sell those behavioral outcomes initially to advertisers, but as we have seen in the last few years, those behavioral outcomes have been the subject of experiments and some of those experiments, again, may have contributed to the outcome of the U.S. election. That’s still under investigation.

That is how IoT and what IoT is doing for many of these vendors by default, that’s before the company in question decides that it’s no longer going to support your device and suddenly 10 GB or many terabytes of private information suddenly turn up on a random Amazon word server. That’s a rated case for sure, but again, by default, what these devices are doing is attempting to shape behavior and sell that to a vendor.

John: I think it’s also just embarrassing that a wifi-connected light bulb could be the thing that takes down your company. It’s ridiculous to think about, but it could happen. Or, that wifi-connected refrigerator in the Resolver office or what have you. At the end of the day, I go back to my original arguments, resource constraints. There’s sometimes not enough memory in these devices to detect intrusions against that device. We haven’t really come up with a really good mesh-based approach to offloading those security functions to some other cloud-based server that will be responsible for that sort of analytics. We don’t have that today.

Caveat emptor. You use this stuff at your own risk including the wifi-connected light bulbs that will take down your company. I can only tell you how many times a printer has been the cause of penetration that one of my teams has gone into to do. Sometimes we test the security of systems to help organizations bolster security and if there is a printer that we can access and then pivot off that printer into your environment, we’re going to do that. If there’s a wifi-connected light bulb, we’re going to break into that wifi-connected light bulb probably from the car park across the road. You’ll never see us coming.

Simon: IoT coffee machine. Can you imagine how much information you can get from one of those? It would be fantastic.

Peter: Team Reward, any kind of last thoughts on this first part of the question?

Fern: In terms of the impact, the size of the potential reward, if we look at IoT from more of an opportunity lens as opposed to just a risk lens, we’ve got a Canadian population a quarter of which is going to be elderly in the next 15 years and a lot of whom are going to be needing a lot of assistance. We’ve got millions of people who are disabled. We have increasing numbers of people living past the age of 100 and not only past the age of 80. Those people don’t have great solutions.

In terms of the light bulb and the refrigerator, that’s really where IoT is probably largely today and where it’s starting. The enabling effects of IoT when also combined with technologies like AI start to bring in things like cars and self-driving cars and not just smart homes, but smart environments, which can be hugely enabling as a matter of human rights for, again, the disabled and older people who don’t otherwise have solutions.

I think the opportunity is a very big one. On the side of whether there’s a solution for the security problems posed by IoT, on the one hand, in terms of the corporate risk, I think a lot of the smart home innovations are in the homes right now. I don’t know how many corporations, and I may be wrong about this, but are enormously at risk on the IoT side of things. When we look at IoT integrations of blockchain, blockchain does present some real potential security benefits on the IoT side in terms of decentralization of IoT devices and ability to identify bad nodes and disable them. I think we painted an overly negative picture of the potential to secure IoT devices.

John: One thing in addition to that is operational technology is fundamentally the same kind of principle that is deployed up there is causing risks, but when it comes down to it, who is going to be responsible for setting standards in this area? Because right now, there’s no stakeholder coming forward. The government doesn’t want to mandate security standards with operational technologies. The devices that go into your car that make it a self-driving car, it’s an example of operational technology that’s been deployed.

Who is going to set the standards? Nobody’s doing it. Industry has a myriad of standards none of which are necessarily interoperable and compatible. I say that you might want to really limit your exposure to this until at least some stakeholders come forward to say, “This is the way forward. This is how we’re going to make sure that everything’s interoperable. This is what the security bus looks like, and these are the standards we all have to follow to make sure that we’re going to develop good, safe equipment that isn’t going to blow up in consumer’s hands.”

Simon: That CAN bus in your car that makes all the bits of the engine talk to bits of the radio, et cetera, et cetera, et cetera, completely unsecured. Anything can get on that bus and talk to anything else.

Artem: I think if we’re talking about risk versus reward in IoT and look at applications like fall detection and look at applications like health monitoring, we’ve all seen examples and heard of examples where those devices have literally saved lives including the Apple Watch in detecting cardiac issues and things like that. I’ve not been able to find a single example in my research of an IoT security vulnerability causing a death.

John: The one thing I can say is that my good, late associate, Barnaby Jones, has probably the one figure that has looked at medical IoT in his short life and found horrific vulnerabilities that would allow somebody to break into pacemakers and what have you. The one thing I can say, however, from my own experience is in the hospital setting. You would think that a hospital would be a really controlled environment in the sense that whatever medical IoT is being used, it’s tightly controlled and audited and looked after, but I’ve been in so many hospitals here in this city where there’s a malware attack propagating across the network. The first thing that I say is, “You better isolate your medical IoT.” And, they’re like, “It’s not really a priority. How is it really going to get on that?”

Well, you know, some of this IoT is running operating systems that could be penetrated and you don’t want the defibrillator in the operating room to go on the fritz when you have an emergency situation. There was at least one incident in the U.S. where operational technology was switched out. It didn’t cause a health concern at that point because they had a backup on the surgery table that they moved back into place, but I think that’s going to become much, much more commonplace until we figure out how to create a good risk control and security framework around this stuff.

Peter: Sorry, John. I’m going to have to cut you off. I’m going to give Team Reward one last chance to make final arguments before we move onto the next topic. Any final thoughts, Fern, Simon? Sorry, Artem.

Fern: On the front of the point you made on how you’re not necessarily completely anti-IoT, but you would wait for standards to emerge and none have emerged to date, the fact of no standards emerging initially in an area is, I think, normal for sort of any area in industry. Technology moves particularly quickly, so if we look at, I think, pretty much any other industry, eventually, standards and standards makers do emerge and they often are global. You got organizations like governmental and non-governmental organizations coming together globally to create standards and to promulgate them.

I would expect that in the IoT space there would be enough interested corporations, people, and researchers, to make that happen.

John: Not enough memory in them.

Peter: All right, thank you. That was a very interesting debate. I think we’re going to move onto our next question. Jen? The next one I think is a particularly interesting one in light of a lot of views that we’re hearing out of the U.S. in terms of the 2016 U.S. election. Here’s kind of the statement. Given that personal data is a valuable commodity, individuals, as opposed to organizations, governments, third-party bodies, individuals are ultimately responsible for the personal data that they upload online. We’ll give Team Reward a chance to share their thoughts on that statement.

Artem: Sure. I think there’s certainly something to be said for personal responsibility and how we share data. There are examples where I think we could all agree that people do overshare online and that’s one of the bigger concerns in terms of what data’s available online. I think if we have a cautious approach and share the data that is necessary to gain the benefits of whatever system we’re participating in or introducing that data into, the value is there.

We see that most systems nowadays need data to work. They need personal information to customize our experiences and some of us might not like the perceived privacy breaches around that, but if you look back to 200 years ago, everybody had perfect privacy. You also didn’t know if you’ll survive the next winter. With evolving technologies and increasing lifespans as a result of those technologies and everything that’s available to us, we’ve compromised our privacy, if compromise is really the word, but we’ve traded some of the privacy for quality of life.

If we look today, there’s a lot of emergent technologies where the value’s questionable, but just like the previous point, continuing to invest in it and continuing to take some level of risk is certainly worth the reward if we look over how far we’ve come even over the last 30 years.

Simon: Okay, so going back to the point that many of these devices, the reason we’re sharing this information. My sister, she’s an expert animal trainer. She trains dogs, cats, chickens, sometimes even her co-workers. She’s taught me enough of clicker training that I’ve got a cat that will do tricks. It will sit for its dinner and not take a thumb off when I put its dinner plate down. You get to know the animal a little bit. You find out what behaviors it does that you want, you tag them, you give them little rewards.

In the human space, with our current information sharing, those little rewards are that Pokémon that you’re trying to get and why are you sitting at this café drinking this coconut goji berry spice latte when … Well, you’re sitting there drinking at the café because that Pokémon is at that café and you want to get it. Congratulations. If you played that game, you’ve been part of one of the larger training experiments conducted by a Google-incubated company. Are you really deriving so much benefit from that? You are certainly not being paid by Google. They have no contractual obligation to our society beyond the taxes they pay and they’re getting immensely wealthy off this.

John: Just by show of hands, how many people have an iPhone? How many people … Keep your hands up. How many people shut off FaceTime this week? Congratulations, everybody who still has their hand up, whether you like it or not, actors can actually get access to all your phone conversations. I’d recommend this week that you shut off FaceTime until fixes have been put out there.

I just wanted to demonstrate. You can do all the right things. You can make sure that you don’t share online and you don’t share private information where it shouldn’t and you can keep things protected, but at the end of the day, the devices that you use, if they’re not secure, if they’re not developed with security in mind, can expose all of your most sensitive secrets to the world whether you like it or not.

Sometimes criminals aren’t necessarily targeting you, they’re targeting anybody because everybody has credit information that they can steal from. Everybody has identity information that they can make use of and create secondary fake IDs on the basis of that. How else do hackers find out what your mother’s maiden name is? Well, they surveil you and one great way to do that is remotely. Think about that. We could do all the right things, but if the devices that we use are not adequately secure, you’re still screwed.

Simon: Back to the early days of the web, I remember when the first web applications appeared and oh, my God, you could look up somebody’s address. That felt like a violation. What’s my address doing up there?

Peter: In Reward, any thoughts?

Fern: With …

Simon: Was the latte really [crosstalk 00:27:31]?

Fern: Sorry. I got thrown back. I was thinking about the point about the address and that’s true. I agree with Artem’s earlier point around I think there’s a little bit of hypocrisy that we should probably acknowledge around what society has encouraged us to do and the way that we share information online, basically the entirety of our resumes and what we do on a moment-to-moment and day-to-day basis across all forms of social media and elsewhere. In other areas, we generally make people somewhat personally responsible for themselves whether in finances or in how they deal with their motor vehicles or anything else.

I think that those kinds of rules should apply roughly equally in privacy. At the same rate, we need to give people tools for that. People are not privacy and security experts, so there’s the common sense that people engage in best practices, and corporations can help with that. Beyond that, there’s fault that shouldn’t be attributed just to technology companies, but rather to the legal system.

We have a legal system where currently and for a long time now, the Privacy Commissioner of Canada has been complaining about our privacy laws and how they’re too weak and how they’re not enabling with respect to enforcement audits and related. That, again, is sort of another part of the ecosystem that could help protect us if we want to actually encourage technological innovation.

In terms of giving people tools with which to properly protect themselves, it is tough when basically all your data resides in central servers in companies that are major points of attack and vulnerable to attack. Blockchain, again, is a technology … That’s a technology that’s really well suited to personal privacy and to putting privacy back in the hands of people. That is what blockchain technology is …

That is a big part of the M.O. and structure of blockchain technologies, which are decentralized so they eliminate the issue of central points of attack, which is a huge vulnerability. The encryption and everything else, we do have some blockchain companies coming out with identity on blockchain and we’ve got companies like Toronto-based Skrumble that puts control of communication into the individual’s hands or the company’s hands and other innovations like that that I think empower people if we empower those technologies.

Artem: I think part of it is also technology has evolved faster than we as humans can keep up with it. We’re just catching up to understanding the value of our privacy in what we put out there. I think it’s fair to assume that if we go back to old examples, we all acknowledge that home security is each one of our responsibility. I don’t think at any point we would say, “Well, someone else is responsible for the security of my home.”

I think it’s just an example of where we just haven’t caught up to fully understand what’s going on with our data and the technologies that we interact with. Ultimately, we will catch up to understand that it’s as valuable as protecting our home. We’ll be more informed and take all of those steps. It’s just far more complicated than that.

Simon: Police in my neighborhood do a pretty good job.

John: I do agree though in the sense that we haven’t taken very many punitive approaches to enforcing things like making sure vendors create secure code, making sure companies actually respect your privacy. If your information is exposed under the current regime, it’s a $100,000 fine per record versus GDPR, which is three percent of your top line revenue. That hurts. $100,000 per unit, that’s just the tax to most large Canadian corporations. They won’t [inaudible 00:31:55].

They’ll be like, “You know what? $100,000 per record equals this amount. I’d probably have to spend almost about that amount securing the system to protect those records, so I might as well just take my chances with the class action lawsuit.” You would be amazed how many corporations make these sort of risk deductions.

Simon: Privacy can be quite serious. There were two people in my extended circles, who, even if their address is revealed, they will be hunted down by nasty governments and killed. It’s quite serious. I got to agree with the GDPR and especially the German approach to privacy is one that we should emulate. Merkel is extremely smart. She has a Ph.D. in quantum chemistry and she grew up in eastern Germany, so understands very viscerally what’s going on in this sphere and I just like what the Germans are doing.

Artem: On the risk versus the reward concept, who here has an iPhone? Raise your hands. And, when you find out about the FaceTime bug, who here put their iPhone in the microwave and fried it? Knowing that there is a security vulnerability, being informed that your data is now at risk and potentially could be at risk from other sources, we all continue to use the iPhone.

Simon: Bad habits.

Artem: I think the reward is worth the risk.

Peter: Gray hair, actually. We’re going to move on to our next topic, which we were starting to touch on in some of Fern’s comments, which is the following. We’ve seen a lot of technology giant companies investing rapidly in machine learning and AI but generally, commercial adoption seems to be lagging behind this. Risk Team, why do you think this is? Why aren’t more companies using machine learning and AI in their products?

Simon: Mostly, it doesn’t