A RedMonk Conversation: Luis Villa on the AI Compliance Dumpster Fire and Doing the Right Thing



In this RedMonk Conversation, Kate Holterhoff, senior analyst at RedMonk, speaks with Luis Villa, co-founder and general counsel at Tidelift, about new challenges in security and privacy in the AI era. The conversation focuses on the legal and compliance implications of AI, which Luis highlighted in a spicy LinkedIn post that inspired this episode. Villa discusses the tension between in-house counsel’s responsibility to protect the company and the desire of workers to embrace new technologies. He highlights the disconnect between Silicon Valley’s enthusiasm for AI and the concerns of the general public. The conversation also touches on the ethical considerations of AI, such as the need for transparency in data usage and the responsibility of companies to protect customer information.

Disclaimer: Tidelift is a RedMonk client, but this is an independent and unsponsored conversation.


Transcript

Kate (00:12)
Hello and welcome to this RedMonk Conversation. My name is Kate Holterhoff, Senior Analyst at RedMonk, and with me today is Luis Villa, Co-Founder and General Counsel at Tidelift. He is also an alumnus of Mozilla, Wikimedia, and Red Hat, and a graduate of Columbia Law School. Luis, thanks so much for joining me today on the MonkCast.

Luis Villa (00:30)
Yeah, I’m excited to be here. I’m a very long-time fan of RedMonk, so, you know, always happy to chat.

Kate (00:39)
Amazing. All right, so this episode is a little divergent from the way we typically have folks come on, where they’re sort of a talking head, a tech profile model. But I asked Luis on here today to speak with me about a very specific topic. He posted this really interesting hot take on LinkedIn, and I thought it’d be worthwhile to have him come on and talk to me about where it all came from.

I’m going to read a little bit of it just to kind of set the scene here, and then I know we’re going to dig down into some of the specifics. So this is from the post. Luis wrote,

“I have worked diligently (though imperfectly) to Do The Right Thing (capitalized) at Tidelift, on security and privacy, on a relatively tight budget. So it is infuriating to read the security and privacy policies of an AI unicorn that has raised centi-millions and is raising all sorts of red flags: their SOC compliance is a mess; their privacy policy and marketing material conflict on the single most basic question anyone asks of AI companies, quote, ‘we definitely won’t use this data,’ end quote (and that’s the marketing material) versus, quote, ‘hell yes, we’re using all your data,’ end quote (and that’s the privacy policy), and so on and so forth.

I’m still enough of a Boy Scout that I don’t regret doing compliance work. But I’m also enough of a Boy Scout that I’m pretty mad at all the systems that are failing here.”

Okay, Luis, so there is a lot to unpack in this post. Let’s just begin with, like, talk to me about where this post came from. What is your frustration stemming from, that you felt compelled to go on LinkedIn and shout it from the rooftops?

Luis Villa (02:15)
You know, in-house counsel face a really tough job, even in the best of circumstances, right? We’re supposed to be the guardians of the company’s risk, the final line of defense against the company doing something illegal, dumb, whatever, right? And at the same time, of course, our co-workers want to plunge boldly into the future. And those two things are just inherently in tension, right? And honestly, that’s part of my origin story. You mentioned I’m a Columbia Law School grad, but I have a comp sci degree as an undergrad, and I worked at a startup straight out of school.

And my origin story as a lawyer is in part that when we got acquired (it was a GNOME, you know, Linux desktop startup), we got acquired by Novell, and Novell had what I thought of at the time as a stodgy, old-fashioned legal department. They didn’t understand this open source stuff, and I was like, surely I can do better.

And now, of course, looking back, I realize those people were under a ton of time pressure. They were facing new technologies that they didn’t understand. And I was probably an obnoxious brat to them. And if I could find them, I’d buy them... they were mostly Utah-based Mormons, so I can’t buy them a beer, but their beverage of choice, I’d be happy to buy them one. If any of you are listening to this, look me up. I owe you one.

Negotiating that tension is in some ways one of the key roles of being a good general counsel. And AI is just bringing that out in spades, right? Because there are so many loose ends, so many unknowns, so many genuine sources of risk, especially as, simultaneously, we all want to do AI and also our governments are locking down on privacy. Our customers are locking down on privacy and security. Everybody has a lot of commitments to their customers about what we will and won’t do with their data.

And here the AI companies are dangling this really cool tech in front of my employees. It’s not my employees’ fault, right? They’re like, hey, I can do my job faster and easier and cheaper with this. Please help me out here, Luis. And it falls to me to be the bad guy, especially in situations like this, where I was reviewing a terms of service, and my team had read the marketing materials, right? And so they were like, Luis, this is a nice privacy-respecting service. We can totally use this, right? And I had to be the bearer of bad news, saying, well, I know this is what their marketing materials say, but their marketing materials aren’t binding, aren’t enforceable. And their privacy policy, which is binding and enforceable, says they can do whatever they want. And, like, who knows, right? I mean, maybe the answer is, they just didn’t have the right set of lawyers, or they hadn’t updated their privacy policy. But it’s not my job to read their minds, right? I can only read their documents. I can’t read their minds.

Kate (06:04)
Yeah, that challenge is one that we’re hearing a lot about lately at RedMonk, so I am excited to dig into this. In terms of getting into the weeds a little bit: are you prepared to go on record here and say which particular AI company was the impetus to write this?

Luis Villa (06:20)
I mean, I think it would almost be a little unfair to call them out, because this is not an uncommon problem, right? I’ve seen variations on this at almost all of the companies, especially the not-quite-first-tier companies. The first tier, like Google and Microsoft, they understand and they hedge. They’re very nuanced and careful about this kind of stuff. They are moving fast, and they do screw things up. I mean, I still think the Microsoft, the Windows 11, what do they call it? Recall, Copilot, whatever they’re calling it this week. There seem to be a lot of loose ends there in terms of aligning the marketing speak with the legal speak.

But it’s almost everybody, to some extent or another, right? The lawyers are consistently an afterthought, even when you have huge budgets. And I mean, that’s sort of an artifact of Silicon Valley culture, especially in this moment where so many thought leaders in Silicon Valley are explicitly rejecting the idea that society can regulate them, right? Not to get too political, but the inattention to legal details is very much of a piece with Silicon Valley investors and a lot of CEOs essentially saying, we don’t have any responsibility to others. Or, flip side, only slightly more charitably, their perspective is: our biggest responsibility to others is to accelerate, to innovate. And so yeah, so what if we don’t cross all the T’s or dot all the I’s? In the long run, it’ll be better for society. I have some sympathy with that. You know?

Kate (08:11)
All right. Yeah, absolutely. I know they’ve gotta make money. The ZIRP funding bubble has certainly popped, and a lot of companies are having a hard time finding the funding they need to get going. So I know it’s really tricky on their end, but it’s very tricky on your end as well, trying to advise companies so that they don’t end up in a situation like Samsung’s, where their code is out in public, right?

Luis Villa (08:37)
Yeah, I mean, that’s it. You know, AI has a marketing budget, and risk avoidance and lawyers do not have a marketing budget. So that’s where we are.

Kate (08:50)
Right. I’m curious. So we’re not going to go on record with what particular AI company you’re thinking of here, but it sounds like this is pretty typical, especially for companies that aren’t the FAANGs, these huge organizations building large language models that have the money to invest in legal counsel and to make sure that they’re doing things in a way that is more in line with typical business practices in an enterprise sense. I think there’s a cautionary tale there: folks need to be reading not just the marketing material, but also the documentation about privacy policies, things like that, and hire a good lawyer to look these things over, and not just depend on an advertisement that they might see watching an NFL game. I mean, the football season’s just kicked off, and if it’s not about sports betting, it’s about AI. So it’s the zeitgeist of popular culture right now.

Luis Villa (09:40)
Of the moment. Well, I didn’t watch any NFL games this weekend, though, Go Dolphins, but I watched the Olympics, and I think there’s this real disconnect, right? There was the sort of infamous Google commercial that was like, have your child not write a letter to their hero by having the AI do it for them. There’s a real cultural disconnect right now between how the Valley thinks about AI and how... and, disclaimer for your listeners who aren’t super familiar: I live right in San Francisco, right? And Tidelift is a VC-backed company. So I’m going to talk trash for the remainder of our time here about San Francisco and about VCs, probably to some extent, but I’m a creature of that system too, and I think it’s probably important to be transparent about that. Anyway, yeah, there’s just a big culture that is just so gung-ho about AI here right now, and for some good reason. I mean, it’s amazing, right? We have self-driving cars in my neighborhood and it’s not even worth mentioning. It used to be that my son and I would get excited, he’d be like, Waymo! And now it’s just boring; self-driving cars are just a fact of life. That’s amazing. We live in the future. It’s great.

But that does, I think, create this cultural disconnect, the one in the Apple ad crushing all the instruments and art tools, and in this Google ad. There’s a real gap between how we think about it here and how everyone else thinks about it. And it gets reflected in tensions like: how do you even talk to your lawyers, right?

Especially for lawyers, I think one of the little nuances that might be helpful here, because you mentioned that people should hire lawyers: great lawyering is very attuned to what your company is doing and what your company wants to do, what its goals are, what its risk tolerances are. So part of what makes the FAANG companies historically pretty strong lawyer-wise is that, because those lawyers are there for a long time, they can give really nuanced, complex, rich analysis, because they have a deep understanding of who they’re working for. And for the people listening to it, there’s a lot of trust, right? They know their lawyers are doing the right thing. Here, both for the AI startups and if you’re a consumer of AI, it’s really hard to do that, right? Because the startup wants an answer now, and you as an attorney don’t really know: what is their real risk profile? What’s their real set of values as a company? Similarly, I mean, if you hired me tomorrow,

I would give you really conservative advice until I knew you better, knew your company better, understood what your trade-offs are right now. Are you in a situation where you actually really do need to move fast, or do you just think you need to move fast? A good lawyer will dig in on all those kinds of questions with you.

And even a really good lawyer will take time. So you can’t just hire somebody and say, hey, here’s the marketing speak, here’s the... And so that’s a frustrating thing. I think that’s part of the dynamic we’re seeing: most companies, even if they would like to do that, can’t. They don’t have the time and money to invest in that kind of relationship. And so they just read the marketing materials and click the button, and that’s not... it’s not unreasonable.

Kate (13:33)
Right, there does seem to be a promise in the marketing materials, but again, it’s not enforceable. And those marketing materials change pretty frequently. I mean, I’m often on homepages and I’m always surprised, like, is this the story that you’re telling today? Okay, that’s interesting. I see how you tweak things; you’re using some different keywords, things like that.

You know, we get so hung up on the technology with large language models that we really need to focus in on how this is affecting people, and, yeah, the policies in place, right? I mean, there’s such a large ripple effect with all of these.

And I think maybe this is a good time to bring in the idea of data. What your complaint really digs into is something that has affected so many domains. I’m thinking of how the open source community is trying to figure out: how are we going to say that a model is open source if it is using data that we can’t see, right? If the creators are not forthright about what the model is trained on. And so this is something that the OSI is involved in trying to suss out, and there are a lot of opinions going around. I think it’s a deeply unsettled topic, but it’s something that I’m sure the folks at Tidelift are thinking about. So talk to me about the data issue. I mean, it really seems to be the core of this debate.

Luis Villa (14:45)
I think there are a couple... as you say, so many different facets, right? You know, one of the things that keeps jumping out at me, specifically around open source but I think around other angles as well, is that in open source we’re not used to the idea that our source code itself might be strictly regulated, right?

Kate (14:49)
Huge. Yeah.

Luis Villa (15:13)
You’re used to, well, if I run a service, I’ve got to comply with the laws, but software by itself is rarely illegal. There are some exceptions to that: there are obviously some patent issues, and encryption used to be a hot topic in this area, but those tended to be edge cases. And now we’ve got a situation where, with the data, it could well be that sharing the data for this model is illegal. It might be a privacy law violation in some sense. It might be a contractual violation with the people you got it from. We talk a lot about copyright violation in software, but as a practical matter it doesn’t happen all that much, whereas copyright violation in data... I mean, Sam Altman filed a brief with the United Kingdom just the other day essentially saying, if we can’t violate copyright, we don’t have a business. You know, whether or not that’s accurate, that is certainly the commonly held belief. And so the data question there is just,

you know, again, specifically for in-house counsel: how do you think about this question of, my data really might be leaked through a vector that we are not familiar with? We don’t really know. That’s genuinely unpredictable, not just in the sense of, okay, maybe these people’s privacy compliance isn’t that good, but in the sense that they may have really top-notch privacy compliance, and even state-of-the-art LLMs do all kinds of weird, unpredictable things. So maybe you have everything else truly state-of-the-art, right? I mean, I genuinely have a lot of quibbles with Google and Microsoft. Well, maybe Microsoft’s not a good example here, right? But Google really does have the best security that money can buy. Microsoft, as we saw in the federal government report earlier this year, maybe not quite, but they’re trying, and I’m sure they’re much better than many other companies. But even if you do your core traditional security correctly, you might still have an LLM that just blurts it all out. And you know, I saw letter-for-letter copying in Google Search the other day.

Their AI thing was, as best as I could tell, correct. The usual complaint is that it hallucinates stuff, but here it was just: here was the Google AI answer, and then a web page, the first search result, had exactly the same language, right? And you just don’t know. So this data question is about how you get it, how legal it is, how privacy-compliant it is.

And, you know, increasingly we’re going to see regulations on fairness and bias as well. I mean, I saw just this morning that Nevada or Arizona is going to do a pilot of accepting or rejecting welfare benefit applications driven by AI. That is literally illegal in the EU already, as it should be. I have a lot of complex thoughts about AI regulation, but a thousand percent, that’s a no-doubter: people’s livelihoods should not be allowed, especially by governments, to be dependent on the outputs of an LLM. And, you know, we’re just not used to being able to say, actually, that use of that software is illegal. That’s not part of the standard toolkit of software developers or, critically, of software CEOs. It’s always legal. It’s all legal in Silicon Valley.

Kate (19:01)
Right. Well, yeah, on that note, I thought it was interesting that on your LinkedIn post, Michael Bommarito, who’s the CEO of 273 Ventures, responded, “when leaders like Eric Schmidt,” who’s a former CEO of Google, he “tells the next generation of founders that investors expect them to steal any and all data that they can find, should we be surprised anymore” that the situation you alluded to is even happening? So can you talk about what Eric Schmidt said that he’s railing on?

Luis Villa (19:33)
Yeah, I mean, Schmidt got up in front of a bunch of Stanford students and, among many other problematic things, essentially said, yeah, grab all the data, your lawyers will figure it out later. And this is a really interesting time for, I would say, copyright reform advocates. One of the things that I’m doing right now: I’m on the board of Creative Commons, and we’re grappling mightily, right? Because I think, you know, 15 years ago, what Schmidt said, had he maybe said it in a little bit less of a Dr. Evil voice, was seen as a pro-social kind of thing, right? Because of course, they were scanning Google Books to make all the world’s knowledge accessible, they were scanning all the world’s web pages to make all the world’s knowledge accessible, and lots of judges... I mean, what he said was exactly what they did, right? Google did not go one by one to each of the world’s web pages and say, hey, can we search you? It was an opt-out regime, right? If you didn’t like it, they gave you robots.txt. You could fill out robots.txt and say, don’t spider this. And in the rare cases where there was a conflict between the website and Google, Google won all those cases. You could fill an entire copyright law textbook with cases that Google won, because essentially courts looked at this and said, you know what, this is...

Those of you who are lawyers listening to this will know that the Fair Use analysis in the US has multiple factors, including the last factor, which is essentially, and anything else the judge deems relevant. And so, and this is a little bit of an oversimplification, you can say cynically that Fair Use in some sense boils down to: does the judge like this use? And judges are nerds, right?

And so they loved it. Like, I have access to more of the world’s knowledge? Sounds great, right? It was part of the vibe of the early 2000s. And so had Schmidt said exactly the same thing in the early 2000s, it would have been taken as a completely non-controversial statement of, yeah, this is what search engines do. They ingest stuff, they spit back out links, and they help people access the world’s knowledge.

Now, the exact same stuff has a much more sinister undertone, for a whole lot of reasons. It has all these hallucination problems, it has all these monopoly and antitrust issues of the rich getting richer, it has very clear socioeconomic... I mean, it’s funny, there’s all this talk about, are we putting artists out of work? We’re putting web page writers out of work, and there are a lot more of them than there are artists, for better or for worse. So, I don’t know. I mean, that sounded awfully terrible of Schmidt, and I don’t think it reflects terribly well on him. But also, that’s how Silicon Valley has operated for 20 years, and mostly... well, at the very least, Silicon Valley has gotten away with it.

And honestly, this is one of these things: I think the culture is probably better off for it, at least in the framework that we had 20 years ago, right? None of us would want to go back to a world where indexing the web meant having a one-on-one contractual relationship with web page authors.

For those of you who are too young to remember, the original Yahoo! was hand-curated, and it sort of sucked, right? We don’t want to go back to that. The question is, given how powerful Silicon Valley’s ethos, Silicon Valley’s money is... you know, part of it is that the Eric Schmidt of the early 2000s wasn’t Dr. Evil, because he wasn’t a gazillionaire who gave lots of money to both parties, right? And now he is, and I don’t think he’s adjusted his thinking, personally. And I don’t think a lot of Silicon Valley has realized that. In our heads, we’re still the 80-pound weaklings who got beat up at school, and now we’re 800-pound gorillas, and a lot of us refuse to acknowledge that reality. And so the exact same things that were at worst harmless 20 years ago are very much not harmless now, and we haven’t internalized that culturally yet, I think.

Kate (24:27)
Yeah, and I think we’re seeing that reality, that things have just fundamentally changed, everywhere. Perplexity AI was just in the hot seat for ignoring the robots.txt that you mentioned. So there’s either outright failure to follow standards that have been in place for 20 years, or... I mean, I’m thinking of how in April the New York Times published the article “How Tech Giants Cut Corners to Harvest Data for AI.” And that really laid out a lot of concerning ways that things are actually happening at the FAANGs. Specifically there was a lot of discussion of Meta, and how these large language models are actually working behind the scenes, even if the companies aren’t going on record and saying, this is where our data is coming from. It’s coming from somewhere, and it’s great that journalists are beginning to pay attention to that, because things have just fundamentally changed in the AI era that we’re in right now.
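(For readers unfamiliar with the mechanism Kate and Luis are discussing: robots.txt is a plain-text file served from a site’s root that asks crawlers to stay out. A minimal sketch, using the user-agent names Google and OpenAI have published for their crawlers; the /archive/ path is purely illustrative:

User-agent: Googlebot
Disallow: /archive/

User-agent: GPTBot
Disallow: /

The directives are advisory only. Nothing technically prevents a crawler from fetching disallowed pages, which is why “ignoring robots.txt” is a behavioral choice rather than a workaround of any actual barrier.)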

Luis Villa (25:18)
Yeah, I mean a lot of behaviors, The Washington Post also did some great reporting on this last year and you know a lot of these behaviors, Internet Archive for example sucks in the web, right? And for a long time that was viewed as fundamentally harmless because yeah, there were Nazis on the web.

There was all kinds of stuff on the web, but if all you were doing was mirroring that and keeping a copy of it for archivists, you’re reflecting reality. Not ideal, but like nobody’s running around saying you should take the Nazis out of the art in this country, the whole different thing in Europe, which is a whole nother thing. By the way, our conversation has been, I do want to flag and acknowledge our conversation has been very US focused and the rest of the world has a lot to say about this too. But.

you know, archiving that was just archiving. It was sort of a reflection of the state of the world. That same data set is now being used to train all this stuff, and people have a very different reaction of, what do you mean my LLM was trained on Nazis? And by the way, you actually probably do need to train your LLM on Nazis, because if you don’t, it doesn’t know what a Nazi is, so it’s hard to instruct it, by the way, don’t be a Nazi, because it’s like...

So you do have to have that data set somewhere. Maybe it’s quarantined, maybe it’s off somewhere special, you know. But we’re just lacking all these intuitions about how to deal with these things. Formerly, to the extent there was damage, it was cabined off, it was sort of local, and now the way these things are...

I’ve got to get this one out of my head. Throwback: word Juiceros. The Juicero was a VC-backed $700 smoothie blender. Look it up, it’s an amazing story. An amazing story of, they funded what? Anyway, so these are word blenders, right? Which means that if you put some Nazi in, bad things might happen. And we just don’t have intuitions about that, right? And search, at least as it was...

You know, if you haven’t had a podcast yet about Google Search... if you have, hit me up with the link. I mean, I think Google Search is a lot worse than it was five years ago, right? And that’s not just an LLM thing. But Google Search as it was five years ago drove a lot of traffic, drove revenue, and that was a trade-off that everybody accepted as reasonably positive. And this time around, a lot more people are not going for that.

Kate (28:03)
Right, yeah. No, I haven’t had anyone on to talk about it, but I wrote a piece on “AI and the Future of Search.” So it is also on my mind, I think because AI can actually make a fundamental difference to how well search works, in a way it can’t for companies that are just integrating chatbots, slapping them onto their products; that doesn’t actually change how well the product works. I’ve been impressed that search could actually improve dramatically by integrating AI capabilities. However, that comes with a lot of other challenges, and you’re...

Luis Villa (28:35)
Right, it’s all good right up until it’s really, really not, right? Yeah.

Kate (28:40)
Yeah, I know, especially because the motives behind these search services like Google are not always there to benefit the end user, right? I mean, their advertising business is what’s paying for it. So...

Luis Villa (28:54)
And they’re reflecting ideologies too, right? I mean, this is very much a... what’s the term for it? It’s not “search black holes,” but something along those lines, where one of the things that we know has driven conspiratorial thinking over the past 10 years or so is that there are topics that no reasonable person writes on, because there’s no stirring defense (or for a long time there wasn’t; there is now) of, no, really, the earth is round. So if you searched for flat earth, you got a bunch of essays on how the earth is really flat, and nobody bothered to rebut that. So search reflected this very skewed view of the world. And what do you do about that? It’s not like it’s Google’s job to pay people to write those missing articles. Wikipedia to some extent fills that role, right? And how AI is gonna affect Wikipedia is a whole nother topic for another conversation.

More generally, I think there’s a really interesting challenge, right? A friend of mine who’s a VC asked me, what would you do if you were trying to balance your bets, right? If you were big on AI and you wanted to hedge your bets with something non-AI that would maybe benefit from the rise of AI, or at least offset it. And the problem is, the correct answer to that is: invest in Reddit 10 years ago. The things that are gonna do really well in that sense are gonna be human-driven curation, you know, really trusted, rigorous curation. But that trust is not a thing you can just buy; in fact, if anything, VC investment is at this point detrimental to that trust. And so it’s not an investment thesis that you can actually invest in, right? Maybe it’s something that we as individuals can double down on, but then there are problems of scale.

Kate (30:58)
For the sake of keeping our conversation honed in on the post that you wrote, I do want to double back and talk about some of the major concerns that you’re focused on. And so you mentioned SOC compliance. Can you talk about how SOC compliance, and maybe compliance in general, is being affected by this AI era? What sort of new concerns do you have? I’m sure we’ve been touching on them all along, but you mentioned SOC compliance specifically, and I’m curious why.

Luis Villa (31:25)
You know, your developer listeners will be familiar with the concept of a code smell. It’s something where you can’t point to a specific, here’s this horrible bug. Instead, you’re pointing at a vague sense that it’s just sloppy in little ways, right? And in this particular case...

So, SOC, for those who are not familiar, is essentially a standard industry checklist. And one of the things that you have to do as part of your SOC work is to provide quite a few details of how your system actually works, so that parties who are contracting with you can review your architecture and understand, yeah, the interactions of my systems and your systems won’t cause any unexpected harms, right? These two things are going to work together fairly well. To do that, you need a fairly detailed understanding of what is going on behind the scenes. Understandably, companies put that behind an NDA. It is an industry standard that your SOC documents... so, we are SOC compliant at Tidelift. If I want to send any of our data that’s covered by SOC, the other party receiving it must also be SOC compliant. That’s a bit of a generalization, but it’s the basic shape, right? So it’s just a matter of course that the first thing you do when you’re dealing with SOC-protected data is get an NDA from the other party, because that’s how you’re going to get their documents: there’s an NDA.

This particular company had their SOC documents on a Notion wiki. And maybe the SOC documents are fine, but that’s a code smell, right? It’s a, are there adults in the room to tell them what SOC means and why SOC is important and why it’s not just a checkbox, right? I can’t believe I’m defending SOC, because 95% of the time it is a checkbox, but it’s one of these things. It’s like, what color was the M&M in the Van Halen story? Van Halen had a rider in their contracts where,

Kate (33:49)
No idea.

Luis Villa (33:57)
you know, all these things needed to be present and done on stage, right? Because their stage show included pyrotechnics and stuff, and if things went wrong in the setup as they were traveling across the country, badly installed pyrotechnics could literally light the band on fire.

So buried deep in the contract was: and there needs to be a bowl of M&M’s in the green room with all the blue M&M’s removed, or the brown M&M’s, I don’t remember what color M&M it was. And at one point this was told as a story of, oh, those rockstar prima donnas. And now it’s told as a story of, no, this was an easy test for attention to detail. If the prep team removed those M&M’s, then probably they got the pyrotechnics right. And if they didn’t remove the M&M’s, we really need to double-check the pyrotechnics so that we’re not lit on fire at tonight’s show, right?

And this is exactly that kind of thing. Honestly, I think a lot of SOC is checklist-driven and not a great indicator of security, but if your SOC documents are just on an open-to-the-world wiki, what else have you gotten wrong in your security story? And so that, for me, was a good reminder that just because something is checklist-driven and sometimes feels like a paperwork burden, sometimes it actually points out useful things to you, right?

Kate (35:25)
While you were talking, I looked it up: it’s brown M&M’s (Why Did Van Halen Demand Concert Venues Remove Brown M&M’s From the Menu?). I love the parable here of learning to read a little more closely to make sure that everything else in the organization is running as it should.

Luis Villa (35:36)
And you know, I think that loops right back around to: look, the kind of thing that I was complaining about in that post, startups get wrong all the time. That’s the nature of startup life, right? You’re running fast. You’re not always calling your lawyer when you make every change. That’s okay. But when there’s literally one question that everybody cares about, which is, what are you doing with my data, and you’ve raised hundreds of millions of dollars, that’s a very different situation from, you know, we’re on a shoestring budget and who knows what people will be asking us, right? Because if you’re a normal startup, legal questions can be way out of left field, and you won’t have answers to all of them. And that’s not ideal; I would like full lawyerly employment, you know, please hire all my friends. But getting this wrong when you’ve raised hundreds of millions of dollars and you’re telling the world your company is worth billions, it leaves a bad taste in my mouth. And that’s what really... For those of you who are not my LinkedIn followers yet: yeah, most of my LinkedIn stuff is pretty bland, and that one was just... You can’t see it because you’re listening on audio, but I’m doing the flames-on-the-side-of-my-face fingers. Yeah.

Kate (36:55)
I appreciate it.

Luis Villa (36:58)
And it resonated with people, right? Including with lawyers.

Kate (37:02)
Well, yeah. I mean, it’s top of mind for many folks in this space. And as we begin to wrap up this conversation, maybe it would be useful to end on that note with a call to action. We’ve been talking about a lot of different groups here: we’ve got the VCs, we’ve got the end users, we’ve got the companies themselves, so leadership, and then we’ve got developers. What would you say when folks ask you how to think (I’m trying to remember your neologisms here) in a lawyerly way about compliance and AI today, for either all of those groups or maybe a subset?

Luis Villa (37:40)
Well, I will say, the number two best outcome of this LinkedIn post was that I’m talking with you. But the number one was that somebody from one of these huge AI companies DM’d me almost instantly and was like, wait, was that us? Because if it’s us, let me know, I wanna fix it.

So if you’re a lawyer or a product person or a marketing person at one of these companies, feel free to send my post around to your leadership and say, this might have been us. Let’s hire a good lawyer and get this fixed. I mean, as I said earlier, this field, the legal field, changes slowly. It changes person by person. So if I can make one startup AI company suck a little less on this front by people forwarding that around, great.

Otherwise, I would just say: move at the speed of the value of your data to other people, right? It’s one thing if you are sharing a bunch of stuff that’s already on the web; there are complexities around that, but it’s very different when it’s your customers’ data. Your customers have trusted you with their stuff.

And you have to be super careful about what you’re doing with it, not just as a matter of the law, though increasingly the law does control that, but as a matter of just doing the right thing. If your employees come to you and are like, I want help writing blog posts, I want a ChatGPT subscription to help polish the grammar in my blog posts: yeah, fine, that blog post is gonna be public anyway.

If people are saying, I want to do it for financial projections that are going to include customer revenue numbers: think twice, figure out how you can do that. You know, be super careful, and don’t be afraid, as a lawyer or as an exec (you don’t need to be a lawyer to do this), to read your employees the riot act: if they are caught screwing around with customer data, there are going to be serious consequences. Because you don’t have to be a lawyer to be cautious about that kind of thing.

Kate (39:51)
The common sense argument is just being amplified in this era, and we need to be aware of it and make it part of our policies, because, yeah, marketing materials certainly aren’t going to cut it. But also, internally in organizations, the more eyes you can have on things, to make sure that we’re not accidentally using AI products that could leak data, and also engaging responsibly with the data of our customers: it’s never been more important than it is today. We really didn’t dig into some of the EU regulations; maybe we can have you come back on to parse those. I know California is moving in some regulatory directions as well.

Luis Villa (40:25)
That means I have to read them, though, and I don’t... Who’s got time for that? Oh no. Did I just out myself as being part of the problem?

Kate (40:29)
Oh my God, I’m crying for you, man.

It’s a lot of words, you know, TL;DR, right? All right, it has been an absolute pleasure having you on here. Before we go, how can folks follow more of your hot takes? We’ve got LinkedIn sort of covered here, but are you on any other social channels? Are you speaking at any conferences this year or next?

Luis Villa (40:44)
You know, for the first time in a long time, the answer is... no, I don’t think I’m speaking at any... wait, no, that’s not true. Capstone of the Silicon Valley tech career: I’m speaking at TechCrunch Disrupt in a few weeks. There are a variety of other podcasts that I’ve been on recently on AI topics as well. My very occasional Open(ish) Machine Learning newsletter is at openml.fyi; it is endorsed by Stephen O’Grady as “the only newsletter I actually read,” so I guess I have to recommend that here. And I’m on the Fediverse at [email protected], and I’m increasingly on Bluesky, though very little around tech so far, at @lu.is. And lu.is is also my blog.

Kate (41:47)
Wonderful, I will include those in the show notes. Luis, again, it has been an absolute pleasure having you on here. My name is Kate Holterhoff. I’m a senior analyst at RedMonk. If you enjoyed this conversation, please like, subscribe, and review the MonkCast on your podcast platform of choice. If you are watching us on YouTube, please like, subscribe, and engage with us in the comments.

Luis Villa (42:06)
Thank you so much, Kate, it was fun to do this.
