Yan Zhu on privacy, data mining and the principle of least privilege

18 Sep 2020

Security expert Yan Zhu spoke to Siliconrepublic.com about how companies should approach security when it comes to user data.

Covid-19 has brought with it a variety of security challenges – from the worries around ‘Zoombombing’ in the early days of the pandemic to a wider focus on keeping staff secure while working remotely.

But what other effects has the pandemic had on security trends? Speaking to Siliconrepublic.com, security expert Yan Zhu said Covid-19 has made it clear that information and services need to be digital in order to be accessible, but there are security challenges that come with that.

Zhu is the chief information security officer at Brave Software, the tech company that built the Brave browser, a free and open-source web browser focusing on user privacy. She has worked on numerous open-source security and privacy projects, including Let’s Encrypt, HTTPS Everywhere, SecureDrop and Privacy Badger.

Prior to working with Brave, Zhu was a senior security engineer at Yahoo and a senior staff technologist at the Electronic Frontier Foundation. In 2015, she was listed as one of the 30 Under 30 in enterprise technology by Forbes.

Describe your role and your responsibilities in driving tech strategy.

I run the security team at Brave, which includes prioritising security issues, running our bug bounty programme, evaluating vendors, working with our data protection officer on privacy matters, defining our security processes and making sure our products and infrastructure are reasonably secure.

I also indirectly manage our IT, support and DevOps teams. As a team, we mainly support other teams in shipping features to our users. We are constantly doing code reviews to make sure that our products are living up to our security standards.

Are you spearheading any major product or IT initiatives you can tell us about?

We recently started enrolling key employees in Google’s Advanced Protection programme to enforce that they are only using hardware two-factor authorisation (2FA) keys, adding an additional layer of defence against targeted attacks.

We are also enforcing 2FA for all employees across as many applications as possible. On the engineering side, we are hardening the Brave browser by removing unnecessary APIs that could have privacy leaks, shipping privacy-preserving content delivery networks and making our built-in Tor integration more usable.

How big is your team? Do you outsource where possible?

I have three direct reports and nine indirect reports. Since the security team is relatively small, we make an effort to educate other engineering teams at Brave about security and ask them to do self-audits when possible. We have also used an external security auditing company in the past.

What are your thoughts on digital transformation and how it will change the future of work?

With so many people now forced to work from home, Covid-19 is making it clear that information and services need to be digital in order to be widely accessible.

As more and more of our data becomes digitised, advertisers have swooped in on the opportunity to track users and mine their data for profit. At Brave, we are concerned about the privacy implications of this; hence we’re building a new model for browser-based advertising that keeps all the user data on their own device.

Instead of sending user data to advertisers, Brave does local machine learning to figure out a user’s interests and serves ads that are stored locally on the file system rather than fetched from a server – for users who opt into seeing ads.

I would encourage other companies to also consider how they can serve their customers while minimising data that is sent and stored on the company’s servers, both because of privacy regulations such as GDPR and because this helps mitigate the damage of a breach.

What big tech trends do you believe are changing the future of work from an IT perspective?

We’ve seen a huge rise in remote tech work due to Covid-19. Many employers are realising that working from home can be just as productive, if not more so, than working in an office. As a result, many companies will probably continue allowing employees to work from home after the pandemic is over.

Tools like Slack, Zoom and GitHub have made it easy for people to collaborate while not being in the same physical location. In the future, I think tech companies will be much more open to hiring remote workers.

In terms of security, what are your thoughts on how the workforce can better protect data?

Companies need to think about data from the principle of least privilege. Only collect data that is absolutely needed for your business, keep a registry of the purpose of the data and retain the data for as little time as possible.

When possible, move your data processing client-side. This can save on infrastructure costs while further minimising the data collected by your services. I also recommend hiring a data protection officer and applying the GDPR to all of your users, not just ones located in the EU.
