News / August 2024

Q&A: Nikita Samarin, Privacy Researcher and Technologist

A PhD Candidate, Samarin provides technology expertise to attorneys and policymakers at the California Privacy Protection Agency.

Nikita Samarin

Nikita Samarin is a PhD Candidate in the UC Berkeley Department of Electrical Engineering and Computer Science (EECS). He is also a past CLTC research grantee, having received funding for his research, “Investigating the Compliance of Android App Developers with the California Consumer Privacy Act (CCPA),” and he was one of the first participants in the School of Information’s Citizen Clinic course. His work focuses on understanding the impact of existing software engineering practices on end-user privacy, as well as proposing solutions that implement “privacy by design” (PbD) principles and other best practices. 

Samarin recently published a co-authored paper on how encrypted messaging apps on mobile devices leak sensitive information to mobile platform providers like Google and Apple. (A summary of the paper can be found on Nikita’s LinkedIn. The full paper can be found here.)  

Earlier this year, Samarin began working as a Research Technologist at the California Privacy Protection Agency (CPPA), which was established to implement and enforce the California Privacy Rights Act of 2020 (CPRA). We spoke with Nikita to find out more about his recent research — and what his new job entails. 

How would you summarize your research?

My focus is on consumer privacy protection, broadly speaking. Being an engineer, I focus on the intersection between privacy laws and technical privacy implementation — so basically, what happens in that space between the lawyers or regulators saying what the law says, and the engineers who are actually trying to comply with the laws in their code. In my work, I try to combine those two views.  

For my research at UC Berkeley, we look at software developed for mobile apps and how existing software engineering practices affect or impact compliance with privacy regulations and other policies, including those set by the companies themselves. We look at ways in which mobile apps can expose personal information in ways that may not have been intended by the developer, and we try to understand how this unexpected (and often inadvertent) disclosure of user data occurs as a result of engineering practices. We try to improve the process so they’re less likely to commit those mistakes that result in non-compliance. The question is, how do we ensure that the policy gets translated into code at the implementation level?

You recently co-authored a paper on how data from push notifications might get leaked to platforms like Google. How did this research develop, and what did it entail?

Our research lab has a strong track record in identifying unexpected ways apps collect and share personal information, which often happens without user consent or awareness. Prior work, including from our lab, established that these unexpected information flows are frequently caused by third-party components embedded into these apps. These third-party components, known as software development kits or SDKs, may leak personal information when they are misconfigured or when they behave in undocumented ways, often unbeknownst to developers. 

The idea for this paper came about two years ago from my co-author, who was interested in ways these SDKs might inadvertently disclose personal information in privacy-sensitive contexts, such as in banking or health-tracking mobile apps. We observed that each of these apps (and many others) used push notifications to send updates to users, and developers implemented this functionality by embedding an SDK offered by their platform provider, such as Google in the case of Android and Apple in the case of iOS devices. These SDKs also use Google or Apple servers to relay push notifications to the correct devices, thus potentially revealing the contents of notifications to those entities.  

For this paper, we looked specifically at secure messaging apps available on Android, such as Signal, WhatsApp, Wire, and others, as these apps promise confidentiality, handle sensitive user communications, and use push notifications to alert users to any incoming messages, often including the sender’s name and message contents. Alarmingly, we found that four apps sent message content directly via Google’s push notification service. The remaining 16 apps that we analyzed employed some privacy-enhancing strategies to avoid revealing push notification contents with varying degrees of success, in some cases still transmitting personal information, such as names, user identifiers, and phone numbers via Google’s push service.

After we had concluded our analysis, we were surprised to see U.S. Senator Ron Wyden publish a letter last year in December, revealing that government agencies had indeed requested smartphone push notification records from Google and Apple, validating the concerns raised by our paper. In an ideal world, push notification providers, in particular Google and Apple, would implement end-to-end encryption of push notifications by default and offer examples to developers on how to send push notifications securely.

How did you begin working with the California Privacy Protection Agency? 

I had previously met Ashkan Soltani, a UC Berkeley and I School alum, who is the executive director of the agency. I asked him for a long time if there were any positions available, but there weren’t. But then he reached out to me saying that there was a position available that could be a good fit. I’m still trying to focus on my PhD, but I thought, this is a very unique opportunity that is very in line with what I do, and it’s with a novel type of agency, the first dedicated privacy regulator in the U.S. So that’s why I applied. 

My official title is “research technologist,” which is a bit of a catch-all title. I’m supporting investigations, including of non-compliance by companies, especially on the technical side. The other aspect of my job is advising, giving feedback, and brainstorming ideas, giving a technical perspective on some of the proposals that the other team members (who are mostly lawyers) have when it comes to effectively applying the privacy regulations to real-world software engineering practices and products, such as websites and apps. I’m there mainly to bring up the technical facts, and they are the ones who make the legal evaluation, because they are the ones trained in the complexities of privacy law. 

What does your job entail on a day-to-day basis?  

We might receive a complaint about a business, or another source might indicate a potential issue with how a business handles the privacy of Californians. Or we might have identified issues on our own. I’m then tasked with researching the available facts to determine the technical “ground truth.” I provide an evaluation of what I see, but I leave the legal opinion out of it. My work is establishing the initial technical evidence that might be used to evaluate compliance, and maybe even developing evidence showing how a business practice worked.  

Are companies intentionally non-compliant with privacy laws, or is it more often because they make mistakes inadvertently?  

Violations don’t require intent under California’s privacy law, so I’ve been focusing primarily on evaluating the business practices that underlie potential privacy violations. In other words, I’ve been using my technical expertise to help figure out how businesses are implementing and honoring consumers’ privacy rights. 

Has anything surprised you about your job? 

You always hear stories about the government bureaucracy and how things move really slowly, but I have been really surprised in a good sense about how the agency is fairly nimble. In terms of the work culture, there is almost a startup feeling to this agency that was very unexpected for me, and I’m very happy about that. 

I’m also very happy with how the agency has been building its foundation, because of course it would be much harder for me to do my work if lawyers just told me to follow a process developed without any input from a technologist, because I think in practice that would not work out. There are so many different intricacies with how technology works, so I think it’s important that there be robust collaboration between those technical and legal perspectives.  

What would you say to students who are preparing to enter the workforce and might be interested in a job like this?

This kind of job is how you actually learn how things work in the real world. Personally, I took a lot of classes and have tried to educate myself about the policy world and legal aspects of this area, as someone who has an engineering background. But when you come and work in an actual agency that is responsible for developing and enforcing the policy, you quickly see how things actually happen. 

Before I was more of an outsider, and now I’m an insider. If you are really passionate about tech policy and improving the privacy of consumers here in California, and working in a very cutting-edge field — where what we hear in the news is what you work on in the agency — then you should apply for a role like this. [Career opportunities are posted here.]

What did you get out of your time at CLTC and the I School?

I was always very public-interest minded, and my first interaction with CLTC was with the UC Berkeley Cybersecurity Clinic [formerly called Citizen Clinic]. That showed me what it’s like to work with at-risk organizations, especially organizations where security is not a priority. Being exposed to that civil society world, it was important for me to see the ways in which those organizations really struggle. They need more support. That allowed me to consider more where I can apply my skill set that can be beneficial not only for at-risk organizations, but also for consumers generally when it comes to protecting their privacy. 

The skills I learned from my research are directly applicable to the work I do now. In the agency, there is an emphasis on being able to justify your findings. For me, that’s like producing research. It’s being very thorough in what I do and being able to document all the small details. A lot of the things I’ve done for my PhD are very applicable, especially the skill set of analyzing software developed by companies in the real world that might be non-compliant with the law. 

Any other advice for anyone thinking about getting into this field?

Being engaged and curious is very important in this field. It moves really fast. What is a norm or policy today might be irrelevant tomorrow, as it might be completely overwritten by new laws. We live in a time when everyone’s talking about generative AI and how we regulate machine learning. I feel that’s an example where you can’t just take things for granted. You have to be always willing to learn continuously. 

It’s also important not to be afraid to reach out to people. What I’ve learned from my experience in research and at the agency is that people are very willing to give you a chance to support you, but they have to know what your needs are. It’s important to be proactive and reach out to members of the community that you want to be in and see if there are any opportunities to engage with them.