
The Dev is in the Details
This podcast is about the world of Software Development in particular and technology in general. Here, you will find thoughtful discussions about tech leadership, AI, the future of technology, and success stories told by the people who made them happen. Your host is Lukasz Lazewski, a seasoned software engineer, tech leader, and entrepreneur.
From GDPR to GitHub: Steffen Gross on Redefining Data Privacy, AI and GDPR Compliance | The Dev is in the Details #12
► Can a lawyer become a tech disruptor?
In this episode, we explore the intersection of law, coding, and technology with a deep dive into the future of digital privacy. As AI continues transforming industries, how are privacy laws like GDPR evolving to keep up? How do companies navigate the complexity of compliance in an increasingly tech-driven world?
Steffen Gross, a privacy expert and founder of Simpliant, shares his unique approach to merging legal frameworks with technical solutions. We talk about the challenges of implementing data protection laws in the age of AI, how coding can make legal compliance more efficient, and what trends in privacy and cybersecurity are on the horizon.
Our guest 🌟
Steffen Gross 👉 https://www.linkedin.com/in/steffen-gross-028190115/
Privacy lawyer turned coder, Data Protection Officer, and a recognized expert in GDPR compliance and AI.
► In today’s episode:
- How legal expertise shapes the intersection of law and technology, redefining the role of modern lawyers.
- Insights into the transition from legal texts to coding—and the surprising lessons along the way.
- Challenges and misconceptions about GDPR compliance.
- Real-life applications of coding in GDPR compliance and IT security, highlighting how tech-savvy lawyers can make an impact.
- The evolving role of "coding lawyers" in AI, data privacy, and cybersecurity.
- Exciting trends in privacy, digital regulation, and AI—and how to stay ahead in a rapidly advancing field.
► Decoding the timeline:
00:00 Steffen’s journey into coding: What motivated a privacy lawyer to dive into programming?
5:11 What’s the biggest unexpected revelation Steffen discovered about AI technology?
8:22 How Europe is shaping the future of digital privacy with new technologies.
12:00 Misconceptions about GDPR and how it affects businesses today.
16:23 Cookie banners & user experience: Why cookie consent banners are often more hassle than help.
19:19 How legal frameworks are evolving through real-world "beta tests" of new laws and regulations.
24:22 Microsoft vs. Apple strategies: What can we learn from comparing these tech giants' approaches to privacy and data?
27:58 Why building smarter AI systems can be expensive—and what that means for businesses.
31:47 Legal regulations and AI bias: The potential dangers of AI bias in legal contexts and how to address them.
44:03 Evaluation of a creative approach to AI.
48:52 What does the future look like for developers as AI and coding continue to evolve?
***
The Dev is in the Details is a podcast where we talk about technology, business and their impacts on the world around us.
Łukasz Łażewski 👉 https://www.linkedin.com/in/lukasz-lazewski/
Write to us 👉 podcast@llinformatics.com
This gave me a better understanding of the end-to-end chain of data processing and, as it is all connected, the hardware, the software, the code, I think I gained a better understanding of what IT security is, how you can prevent data breaches. Where are human errors in the chain? From my experience, from some extreme cases apart, 99% of the business models and the thing you want to do with data you can do in a GDPR compliant way. What's very interesting for me personally and also for us as a software company, we also do software tools. It's the whole aspect. Democratization of tech through open source, through AI. Code becomes cheaper and the gatekeepers of big tech at least threaten, in their position, to be a blocking factor between
Today we have an extraordinary guest, Steffen Gross, a privacy lawyer turned coder, data protection officer and recognized expert in GDPR compliance and AI.
Speaker 2:With a background in law and passion for technology, Steffen has made a unique mark by combining his legal expertise with coding skills to tackle some of the most complex challenges in data protection and digital regulations. Beyond his professional achievements, Steffen is a thought leader in digital law, a mentor to those looking to blend legal practice with technological skills, and an advocate for smarter, tech-driven privacy solutions. Steffen, we're excited to have you here and dive into your journey together. Welcome to the show.
Speaker 1:Thank you for hosting me.
Speaker 2:Let me start by asking you how did it happen that a lawyer is also tech savvy and code savvy? That's fascinating for me.
Speaker 1:Yeah, maybe I give a bit of background which explains the story how I got to being a coder myself. We founded Simpliant six years ago because we identified a market need for GDPR compliance solutions. I was working in big law firms that were excellent in legal advice, but I saw that the actual transaction and the actual transition of the legal requirements into the reality of a company were done with means that were not up to date. For example, big Excel spreadsheets sent over, and so I saw a market need to go to combine the legal expertise with a more technical approach to improve the actual transition from law to practice. So six years ago I decided we need both. We'd need the legal expertise and the software and tech to support it. So that's why, from the get-go, we planned to do a software company as well, combined with our legal practice.
Speaker 1:My coding history is pretty short, about one and a half years. I personally started with coding actually in my holidays, funny enough, the only time where you relax, you just wander with your interests. And it really came with ChatGPT. It actually started with a VBA script because I had to manipulate some Excel data and ChatGPT wrote me the code and I saw it worked with having no coding experience, and that was quite amazing to see. And then I went from VBA scripts to Python scripts and went down the rabbit hole.
Speaker 2:Wow, amazing. That's really cool how currently I hear similar stories about ChatGPT starting people's journey into coding as they start scratching the surface and then dwelling what's beyond it. And how do you feel your current experience and your past experience in the legal specialization first and then coding shapes your actual technology impact and technology experience?
Speaker 1:Yeah. So our main customer base are digital startups in Berlin, but also in London and France, digital startups. We have to comply with data protection and cybersecurity requirements. We act as external data protection officer. So basically, the technical most innovative companies come to us to make tech stuff happen in the broader sense. And for this advice this is mainly legal. They have to know, okay, can I use this new tech feature? Is it in compliance with the GDPR? So you don't have to be an expert in the, let's say, technical details. You don't need to code to understand this. But now, with my own coding experience, I would say this even gave me a better understanding of the end-to-end chain of data processing and, as it is all connected, the hardware, the software, the code, I think I gained a better understanding of what IT security is, how you can prevent data breaches, where are human errors in the chain between people, tech and the tech stack. So I think this sharpened my view a bit more here.
Speaker 2:Fantastic and certainly useful. And what was the biggest surprise or the biggest learning that you have had on your journey?
Speaker 1:Quite surprising for me was the hardware aspect of AI. When I saw that you can transcribe locally with an open source model with very high precision, I was quite astonished, because, of course, the best thing you could do data protection-wise is not send your data to third parties, and I always thought before, okay, you need massive compute to actually have a good transcription quality or to use AI models, and that you can actually distill an AI model to a couple of gigabytes and run them locally and use this technology. That was quite surprising for me.
Speaker 2:Fascinating and do you feel like this is becoming currently a crowded space or more complicated in the sense of the regulations? Especially in you are impacting how that innovation could go forward for a lot of startups and companies you work with?
Speaker 1:Yeah, that's, of course, the topic of the day. The European AI Act is enacted, we are actually advising our clients how to prepare and deal with it. The big question for Europe is can we transition into the AI age? Because the AI will happen if we like it or not, and the question is can we take part in this play?
Speaker 1:From my legal understanding and my experience, basically a lot of stuff is possible and even with the GDPR, there's a lot of leverage room, or lever room to basically do what you want to have data-driven business models, and I'm very convinced that a lot of people are scared more than they should of EU regulations, and that's basically also why I like my job so much, because the six years having founded Simpliant, we almost always found a way to make the business project happen in a legally compliant way, and I see the same with AI. So what my big advice for founders is, especially European founders, don't scare yourself out of innovation and regulation, and I think also in the last year, I'm quite optimistic about the European tech space because Europe now understands, and the politicians also understand, that data-driven business models, that AI is crucial to participate in the new wave of innovation, participate in the new wave of regulation of innovation.
Speaker 2:So I think Europe will be better off than we think and it will not be a big hindrance to participate in the AI race, to stay relevant, right, on the international level. But on the other hand, we have situations like Apple, right, which is just about to release, we're recording this on the 25th, right, on the 28th, in three days, Apple will release the latest iOS version and it will contain this new Apple Intelligence feature, which is allowing you to tap into different models in the cloud for individuals, some free, some paid, as it's understood. Now, however, they already made a remark that they're not going to release this feature on the entirety of that feature set in the EU because of uncertainty of the regulatory matter for privacy data. Do you think this is going to get resolved or are they overly cautious? Or, yeah, if you could comment on that and what's your view on that situation?
Speaker 1:Yeah, good question. Funny enough, back in 2017, I saw Tim Cook live on a data protection conference and he had a very strong stance back there. So basically the CEO of a big tech company going into the lion's den, because these were all the data protection experts and authorities in this European conference in Brussels, and he had a very strong speech criticizing big tech for weaponizing and monetizing data. So the Apple strategy to at least market that they are privacy first is not new. To your question, will we lag behind because of the regulation? It's hard for me to predict, but my assessment is that eventually tech will also arrive here, and especially now with AI.
Speaker 1:The first ones might not be the fastest in the end, and I give you one concrete example: Copilot was pushed out very fast and I heard it from a lot of clients. They were not really satisfied with the implementation actually. So you had Copilot accessing data it shouldn't access. We had a big scandal around the total recall function where, without user consent, the screen was recorded every five seconds and so they had to actually roll back. So I'm not sure whether it will harm us as much as we think to be a bit later with Apple Intelligence, but of course, especially now with open source models and so on, if we were always three months behind in this fast pace space in general, this obviously wouldn't be good.
Speaker 2:It just makes me wonder if we're going to create some sort of second market, so to say, because, and I don't mean for you, but for accessing these features, because, you know, when I give an example, when gambling was delegalized, online gambling was delegalized in certain countries in the EU, to my knowledge, what people did is they VPN into the countries where it's legal.
Speaker 2:You know, and, like, Gibraltar is very famous for basically having all sort of online gambling registered there because it's just legal. So people use VPN to get there and play the online casinos and everything and take money. I actually don't know how they move it back to their countries and how they justify that, but still, like, you can work around that, and especially in technology. So I wouldn't like to see the situations where people have to use VPN or install some special software that would allow them to just use or go to US to buy US version of the iPhone, right, so to say directly, so they can access these features. It's really crazy if you think about it, right, because the crowd, the consumer, actually the average consumer, my feeling is, and from what I'm discussing with different people in tech, they want those features. They don't care about privacy as much as some of these, you know, privacy-aware people, and what then? How do you connect the dots, right, between all of these different groups of people having different expectations from it?
Speaker 1:I totally agree with the point that the users want the features and the normal user doesn't care too much. However, I think we're still very early in the AI journey and also in the privacy journey, and recent studies showed that actually, we in Europe have the preconception that the Americans don't care about privacy, but recent studies showed that a lot of Americans actually care about privacy and a lot of Americans are not happy to receive spam mail, to have government agency spying on them. So my prediction is that privacy awareness will grow. And also I think these are strong indicators when a big company makes such a big strategic shift like Apple that they say no, we now, on an app basis, prevent certain tracking situations. So yeah, it's hard to give a good answer there, but I also totally agree with you. It's not a solution that we're always a few months or even more behind and have to VPN into different countries to get the new stuff.
Speaker 2:All right, changing a subject a bit, do you feel like there is a lot of misconceptions about how GDPR helps or stops technology from developing? In your field, I mean, is there a misconception between technology being in clash with regulatory things like GDPR and similar legislation, or is it more? Yeah, what is the general feel in the public, in your opinion, about these two things?
Speaker 1:Yes, yes, I would say so. There is a clash of, or there is a, yeah, misunderstanding about what the law says and what it prohibits. GDPR is a very abstract law. We have very abstract legal norms there, for example, legitimate interest, and nobody really knows what this means, and so a lot of people interpret the law overly strict and other people rather try to use the space that the law leaves you to innovate. And because, especially lawyers are always cautious for liability, a lot of times the law is interpreted in an overly strict way, although this isn't necessary.
Speaker 1:And coming back to the point I mentioned earlier, I recently participated in a conference and we heard some people from the European Commission that actually said exactly this. Now, the new Data Act, for example, should encourage data sharing and data usage, so this doesn't conflict with the GDPR per se, and I think a lot of people are scaring themselves out or interpret the law overly strict. From my experience, from some extreme cases apart, 99% of the business models and the thing you want to do with data you can do in a GDPR compliant way.
Speaker 2:And can you speak to some of the cases when it cannot be done?
Speaker 1:Sure. One big topic is the situation where you process data on behalf of another company. So, for example, if you're the IT company that provides server hosting for a company, then of course you have a big interest to look into the customer data and maybe gain some insights from it or even use it for your own purposes. So, to make a concrete example, imagine you're hosting your customer database at Amazon and they look into it and send marketing emails out to your customers and say hey guys, we have this great service. This would definitely be a no-go. Another area is certainly video surveillance. There are certain spaces where you just cannot and should not do video surveillance. That's also a red zone of data protection. These would be two concrete examples where there's not room of the law.
Speaker 2:Let's pause for a second for the first example, because is this really what's happening? That's my first question. Let's maybe stop here and let's address that. Is that really, you think, that server providers would go and look into the data of the company that they are serving to provide that hardware through the cloud service?
Speaker 1:No, they shouldn't. I don't have any concrete case I could name here. I just wanted to illustrate on this case. I was asked a lot of times in my legal career as a privacy lawyer from data intermediaries, so to say, it doesn't have to be a hosting provider: we have all this interesting customer data. Can't we use it for XY, right? And there's not so much room to leverage, to lever.
Speaker 2:I see what you mean, because the scenario is scary because of not, you know, emails and data sending, but there could be conclusions in data, right, because someone is doing research, I don't know, I have some exposure to clinical trials myself, and imagine that millions or even dozens and thousands of, you know, dollars are spent on that research to conclude how certain things work, I don't know, be it a drug or a condition in the real world that impacts people, or allergies or whatever. And to think that the owner of the server could look into something which is so secretive and so critical for the core business of the organization who rents that server just from them is a terrifying thought, basically.
Speaker 1:Yes, yes, it definitely is. And also there comes the GDPR into play. The GDPR basically says if you give data for one purpose, it should not be used for different purposes. So, for example, if you give your data for a clinical trial, you don't want it, from your hosting provider, to be used and monetized to send you advertisement for a pharma product you might like.
Speaker 2:Absolutely no, of course, of course.
Speaker 2:All right, let's make a small twist on this.
Speaker 2:Most annoying things that I like to think GDPR brought in and all the regulations around that to the EU are cookie banners, right?
Speaker 2:I consider it one of the weakest possible implementation of the privacy laws because practically and technically, you have to have them because it's a technology that requires that site to work.
Speaker 2:So, in other words, you may as well just ask people do you want that site to open or not, instead of, like, accept cookies and make it more jargon speech around what gets approved and what isn't, or what didn't get approved, and you look into it and, you know, I asked myself right now, even browsers and plugins were invented and built for browsers where you just install it and automatically accepts or rejects when possible for you. So it's not even implemented properly because people hacked around this. So my question is what do you think about this implementation and does it make sense to implement and enforce in the way around, which you can always automate anyways, right? Is it not just a necessary hassle for all of these businesses in the EU that had to install this, and other businesses that were created which just offered the cookie banner service, which is really funny, I would say. Yeah, what are your thoughts on that?
Speaker 1:Yeah, first of all, I totally agree that the user experience and the energy that's needed to click all the cookie banners away is just horrible. I click on accept all if I want to read something on a website myself. I don't read privacy policies unless I'm paid for it. And the big topic around this is also on the political landscape. For example, right now we have a minister of justice that comes from the Liberal Party and he wants to basically get rid of the cookie banners.
Speaker 1:So I would say this was a very poor and unrealistic implementation of the law. The internet tracking per se. The basic idea is users should have choice. The reality, however, is that this choice isn't really possible in the digital reality right now because we don't really know where the data is sent and tracked. So basically, it should be a decision of the legislative to say this tracking is allowed, this not.
Speaker 1:And, for example, and we have this discussion since over eight years, central user management. You could specify your cookie preferences, for example, in the browser, and then all sites take this in. So when I talk about my job to a non-legal person, I always jokingly say I'm the annoying guy that writes the cookie-banner text and the privacy policy. Ouch, just to give a feel, because a lot of people don't know what does a privacy lawyer do. But yeah, overall I think data protection is important, but this bad implementation that's annoying for everyone has given the privacy folks a bad rap and this definitely has to be improved, and I'm happy that the political leaders in Germany are after this and I think in general in Europe there's a consensus that this should be altered.
Speaker 2:In the tech industry we have a concept of beta, right, something which is still unpolished but released to the public or a selected group of people to test. Do we have such a concept in law, in legal aspect, like imagine the cookie banner was just releasing one region or one country for a year or two and afterwards it was turned off and study could be run about its impacts, positive and negative, and then the entire law could be revisited again, instead of, like, launching it for eight years and now basically burning money and time and wasting energy, right, on trying to pull back on something that we have implemented ourselves on ourselves?
Speaker 1:That's a very good question. No, in law, basically, we don't have this. We have some laws that have a deadline and then cease to be effective, but in general, the process is the legislator sees a problem, makes a law and then the law is there. And when a law is there, it's not going away so fast. However, I heard recently that in the Netherlands they actually have a system where they have this kind of beta test and, before they enact a law, ask the persons or, for example, the companies being affected by the law how would you deal with this law in practice? And after this, I don't know the exact number, but I think 70% of the proposed laws get sacked because a lot of theory isn't enacted in practice.
Speaker 2:So I would totally support the beta law approach, or even something like lifecycle, because I would like to have a milestone at which each law has a review whether it's still applicable, right? I mean, again, just from conversations with other people, I know there are still laws from like 17th and 16th century which still apply and they're sometimes very funny and they're still in the codexes, civil codexes and all other aspects, and they're really funny. And I wonder, you know, is it just natural order of things that eventually the book of law will be so big, you know, in an infinite amount of time, that no one will be able to comprehend and stay compliant because they will be contradicting each other, those legal requirements?
Speaker 1:Yeah, good question. I mean there are some reports that even in old Egypt people were struggling with too much bureaucracy and that the bureaucracy grows and grows and grows. That at one point you do A or B, and irrespective of you do A and B, both is illegal. That's of course a contradiction. So that's a general. Also in constitutional law principle things that are impossible cannot be a legal obligation. So to your question history kind of shows that the law grows and grows and grows.
Speaker 1:But there are some examples where, for example, there's really a political will behind it. They had a de-bureaucratization ministry that cut off laws, old laws that weren't suitable anymore, and this actually was successful. Another example would be in Argentina. They were very, let's say, overregulated. The rents were high, and this new president, Milei, tried to really get rid of bureaucracy, and I think it's too early to say how good and how balanced this approach was, but at least the rents actually, for the first time, went lower for the ordinary people. So he called himself the chainsaw minister, because he wanted to cut off the bureaucracy and the institutions that aren't necessary with a chainsaw and based his election on this.
Speaker 2:I don't know much about this, but I've seen, you know, obviously I've seen the YouTube where he's doing this and it felt like it's just pure marketing or he's basically promoting anarchy, because he cut through all the ministries and he said, like, okay, there's not going to be any ministry, just kept one or two, and I understand maybe they had too many, right, but like getting rid of ministry of health and getting rid of ministry of education, so having no oversight of any of that was, it felt a bit crazy, to be honest, and is this the same guy who said he wants to peg Argentinian peso to US dollar or something? Is that the same guy?
Speaker 1:I'm not too sure about that, but yeah, there's of course a lot of marketing in it, but look at Trump. You have to be a marketing guy to have political influence these days.
Speaker 2:Yeah, absolutely. It's all the perceptions game. Let's don't go there. So tell me, what's the most exciting aspect, like between AI, cyber security, product development among your clients? What's your most exciting aspect for a collaboration like this?
Speaker 1:I'm very interested in the, yeah, intersection between these three fields. Data protection covers more the legal side. IT security is the backbone. We should not forget about IT security also in the AI hype, and AI is the new kid on the block which is kind of overlaying and soon will be in everything. So I'm quite interested to make the connection between these three fields. What's very interesting for me personally and also for us as a software company, we also do software tools.
Speaker 1:This is the whole aspect, democratization of tech through open source, through AI. Code becomes cheaper and the gatekeepers of big tech are at least threatened in their position to be a blocking factor between humans and tech usage, and I'm quite happy to see this. I recently heard of a study and they showed that the Linux users actually go up, the Windows users go down, and when now a lot of people don't like that, Windows forces them in the cloud. It's all connected with your Microsoft account. When you start your computer, you're bombarded with bloatware and advertisements and more and more people find different solutions, which is also, of course, good for privacy, and these new developments are very interesting for me.
Speaker 2:That's fascinating. There's so much interesting stuff in that space, I agree, but also, you know, for example, Microsoft example, full disclaimer, I'm not connected to them in any way, but I actually find it fascinating that they're actually copying Apple with what iCloud is for the Mac computers, right, and they receive so much scrutiny for it. If you think about it, right, and Macs are the same, I mean, you can launch it and use it, but unless you have iCloud, you're going to lose out on 75% of your experience or even more. And I think Microsoft is trying to do exactly the same with their OS right now and, to my understanding, most of the features are basically iCloud-like, you know, synchronized between your phone and your tablet and your right and your laptop, and store your documents in the cloud, like in the iCloud or Google Docs, right, and all of these things are interconnected. But because Microsoft does it, and maybe because of how they do it, I don't know, and it could also be a very good reason for it, again, I don't know, they receive a tremendous amount of backslash where Apple just started that way and no one ever said anything.
Speaker 2:Right, if you think about it, at the same time to your point about democratization, I actually feel exactly the opposite, because massive companies such as OpenAI and hence Microsoft right as one of the owning factors, they basically can decide who uses their tools based on the subscription model right. So there will be people in the world who can always afford it. There will be people in the world who won't be able to afford it to full extent and those AI models they don't always are because of the power and the money that they have. They were able to create laboratories and the data centers they're able to process that. So I think, if anything, it unifies their power rather than distributes that power away with the AI age, isn't it like that?
Speaker 1:Good point. Certainly, if we look at the world as it is now, the most powerful models are accessible as closed source. I recently saw a video of Mark Zuckerberg and he made a bold prediction. He said at the end of this year 2024, the open source models will be better than the closed source ones. If this happens, I don't know, but I see a big potential in open source AI to at least be an alternative to the closed source models, and also I see opportunity and, at the same time, a risk at the landscape of AI models as it is now. We have Anthropic, we have OpenAI, we have Gemini, so we can actually choose and are not locked to OpenAI. If they increase their API costs or change their privacy policies in a very unfavorable way, they would lose market share to the competition. So I'm a bit more optimistic that it won't be that monopolized, like the current software landscape.
Speaker 2:Interesting. But I also wonder if Devil is not in the details, as they say, because, okay, you have an amazing model. But also for training purposes. The bigger you are as an organization, the more money you have, you can get more data and you can get more processing power to train your model better, right? So one thing is that you open source your actual neural network structure so people can copy and use that.
Speaker 2:But you're still you know, it's like to say you can open source anything about Formula One car and people could see how they're built down to the atom detail. But it doesn't mean that anyone that there is equal chance for everyone to just start building these cars right away because of the sheer cost of materials and it will be the same here with access to data, also even legal fees, because we know that there are some cases where they basically harvested the data of the users without asking and now they're getting lawsuits. But because they have a lot of money, they can iterate the lawsuits. Let's call it so from one perspective, the model is free, but does it give anyone a similar opportunity to use it in a similar fashion, where one person or one organization could still have a significant upstart based on their size and market share and whatnot.
Speaker 1:Yeah, no, no, I definitely see your point. To train models on that scale, you need massive compute and massive hardware, massive energy. Some companies announced now they want to build their own little nuclear power plants to power their data centers.
Speaker 2:Yeah, I've seen that.
Speaker 1:And you can't do this in your garage. So, yeah, that's definitely a point you have there. At this point, now the normal user, the small company doesn't have access to funding or to this compute power, but there might be innovative approaches in the future that enables a more, let's say, shared use of such resources. And also, I think we, as of now, we look a lot on the capability of the models, and I just watched a video where they presented the model capabilities of 1.0 preview, the latest OpenAI model, with the model capabilities of 4.0. And for most use cases, 4.0 is good enough. And I think that we are looking too much at benchmarks for models and we're not looking enough on the data, because the context might be more important than the capability of a model, and I think that's why there might be opportunities for a decentralized solution.
Speaker 2:The context or the outcome, just to understand. Because, um, when you benchmark models you, I guess for me the argument could be listen, this model is better or worse for whatever terms, but if I get a specific output in a consistent way, every time I ask it to perform specific tasks it was trained for, then that's just all I need, right yeah?
Speaker 1:With the context. I mean, most of the tasks are very let's say, they're not rocket science. Book me a calendar meeting. Correct my typos in this email. The annoying stuff is that you always have to start from zero and tell them I'm this person. I want you to do this.
Speaker 1:This is the context, and then they can perform a better context of yourself, and then these models that we have right now are good enough for 90% of the task.
Speaker 2:Yeah, I agree. It's an interesting conversation where AI can step in and replace people without an actual interface to real world or even specific tooling, even in the digital world right. And to that point, how do you feel about your own legal aspects and practices? Do you feel like there will be models so specialized in 10, 20 years that will be able to create arguments and quote law and represent people in court or companies in court? Do you think this is coming, or is there some sort of natural cap for this kind of thing before AI reaches certain breakthrough in its own possibility to think on its own? I don't know how to call it differently.
Speaker 1:Yeah, maybe on this point. I'm, since 2016, member of a legal meet-up, let's call it, and in the last meetings, of course, we talked mostly lawyers that are tech-savvy and we talked about how AI will change the legal landscape. I think the colleagues agreed the lawyer using AI will replace or be a strong competition to the lawyer not using AI, that we really have a fully automated legal system. I don't see this tomorrow. Never say never. But legal is special because you have to be precise with your words and I can produce very good sounding contracts with ChatGPT. But if you're a bit unprecise, this can do really harm, and speech and language has a lot of ambiguity. It's not easy to program this out. You have to use argumentation. So I think in the future, every lawyer will use AI in some sort, but I don't see tomorrow that we don't need lawyers anymore.
Speaker 2:I just, I just think it would be really crazy to see, like, imagine you have a court and AI represents prosecution and AI represents defendant, right, and then the AIs models are basically battling each other and I don't know, people are waiting for verdicts, you know what I mean. And because they're so much faster in the execution and the discussion, that could all happen in a snap of the fingers. So that could be really interesting world where things would happen faster, but maybe not for the better, I don't know. It's interesting.
Speaker 1:No, I think this would be quite this topic because, for example, you have, as of now, if you would spin this or make this as a thought experiment, you would have data sets that are totally not, um yeah, neutral at all, and maybe the AI model would have some biases, be it, uh yeah, of race, gender or whatever, and then makes assumptions and you go to jail because of a robo judge. I don't want to live in a world that's crazy.
Speaker 2:Yeah, yeah, yeah, you're right, yeah, that would be the stop on like crazy cool. Let me go back to the one aspect which I missed, and maybe, when we put this together, Maciej, I will reorder that. What I'm going to ask now for, and cut this bit. How do you, on your day-to-day activities at Simpliant, how does your day look like between your coding and your legal aspects? I'm curious about that and I missed that question previously.
Speaker 1:Yeah, my day is mostly, of course, driven by the client work we do. So, for example, I receive an email inquiry of a client. They want to introduce the new cool SaaS tool and ask me if this is in compliance with the law. Then basically I have a meeting or gather some information, read in the legal documents about it and then, for example, draft a legal memorandum stating how the legal situation is. So for the coding stuff, I'm much more involved in product development with our CTO, who actually is the head of technical development. So that's kind of the day-to-day tasks normally.
Speaker 2:That's fascinating. It's not very usual for a legal practice to have a CTO, is it?
Speaker 1:Yeah, it's quite unusual and maybe I have to add, Simpliant sees itself as one company, but we have three legal entities. One is a law firm, one is a consultancy and one is a software company, and the reason behind this is because you have to have all three to actually change the way and effectivize how GDPR compliance is done.
Speaker 1:You have to first understand the law. This is the job of the legal practice. You have to then implement it with the clients. This is the consultancy. And this has to be supported and enabled by a technology. This is the software company.
Speaker 2:Absolutely, and do you build your own product of any sort? You mentioned previously that you build some tools. How advanced is this, if you can speak to it?
Speaker 1:Yes, we built our own product even some months ago. We are using it every day, mainly for transcription and also safe AI use, and we will soon bring this first to our clients to test it outside of Simpliant and then also make some announcements on LinkedIn on how to launch this. And this basically evolved, trying to solve problems of the consultancy of the law firm to make us more effective, and this is how the product came into being.
Speaker 2:That's neat, nice, and yeah, so you can speak to it more before it's launched, can you?
Speaker 1:I can say transcription speech to text in a data protection safe way is one big element of it, of the functionalities, and safe AI use is the second big functionality and this will be paired in a very nice product that's also looking good, has a good UI, and I couldn't tell much more about it because we're still in the launch and testing phase. But, um, yeah, we will soon announce something on our LinkedIn page there.
Speaker 2:Cool, thank you. Thank you for sharing this, so I'll be refreshing your LinkedIn page now regularly. There's this interesting bit when you say legal and compliant AI way, since there is examples of poisoned models, right, when they are normal model but with a tweak, where, for certain questions, they will always answer in a certain way. For example, when you ask them who is the greatest, you know, CTO in the world, they could say, you know, myself, because they're poisoned that way and they're released by me. So I influenced this and I influenced the context. Is there a way that it's regulated or is there a way that you aim to prove that these things don't happen? When you say that certain AI is compliant, certain model is compliant with, I don't know, GDPR or any other regulatory legislation?
Speaker 1:Yeah, good question. I don't really have the final answer to this. I think we humans all have biases and the models are trained on human knowledge and so the biases are translated into the models. I think probably we will have a lot of AIs and models and one is biased towards the, for example, left political side. The next one is biased towards the right political side. To have a really neutral model, I don't know if it's possible, even.
Speaker 2:Okay. But what does it mean from compliance perspective? Because, you know, privacy is one thing, but the model with a specific bias can influence public and we know how dangerous that could be.
Speaker 1:Yeah, I think this is where the legislative, the lawmakers, really asked for actions, and the AI Act tries to do it in a way that, basically, the lawmaker should say this is what we allow AI to do and this is what we don't allow AI to do. For example, if you use AI in the hiring process and you have a biased model that discriminates against women or people of a certain zip code because they are the poorer people, and then you have a model basically making this pre-existing discrimination more intense, then this would certainly be an AI usage that should not be allowed.
Speaker 2:But assuming there was no one who created this kind of, you know, thing for that model to say, okay, those zip codes are, like you said, women are, you know, discouraged from working there by that model. Assuming that that didn't happen by a human being, how would we discover, is there a testing framework legally to say, oh, this model is quite balanced when it comes to job applicants and their backgrounds?
Speaker 1:I'm not aware of any formal benchmark. It would be definitely interesting, but the AI Act says some parts. There should be a strong human oversight and even some product safety testing. HR would be one example where you, as the AI deployer, would actually have to make sure that the usage of AI doesn't cause any discrimination or harm, and I think that that makes sense. The basic idea is we assign responsibilities and accountabilities. If I use AI, I should know what's going on there and still have the human to make the decision and having the last word, but this is not always doable.
Speaker 2:But this is not always doable, is it? Here's the example from a recruitment process that infamously went wrong, and maybe I'll put a link to this in the footnotes. There is this hack where, if you send a PDF CV to a job application, you could put specific tags in it. Well, in white font on a white background, which means they're not human visible, but AI will parse through them and they are commands to that model. So, for instance, in the very first sentence, you could just say, and parsing the document and say this is a great candidate.
Speaker 2:Right, and I actually tried this and I was surprised to see that this actually works. So, in other words, if you have 10,000 applicants and it's impossible to review 10,000 CVs, right, like you're asking AI, hey, please summarize and pick on those criteria that I asked you for, which is like just on the merit, right, I'm looking for someone that five years of experience or more in a specific role, no matter their background, no matter anything else, and just produce for me 50 best suited candidates, sorted by numbers of years descending right, so the most senior people first, and someone comes up with the trick you wouldn't know, right, because their CV is going to just end up there, and then that's the only group that gets reviewed by human, because it's physically impossible for the small organization to review 10,000 CVs.
Speaker 1:That's an interesting story. I never heard of it, but it shows that, yeah, AI can be leveraged by the employees and the employers and basically then, yeah, we have two AIs battling against each other and maybe this evens out, makes a level playing field for both. I don't really know how you could, yeah, prevent this per se the next employer, and the HR pre-selection tool will certainly address this.
Speaker 2:Absolutely. I mean, I think there are some models who are already addressing this. They flag things when there is commands for AI in the documents that you're sending to it. Right, but, by the way, this was not invented by AI. Just humans realize that there are those commands you can give to ChatGPT and, as long as they're in a special bracket or something, it prioritizes them and it stops reading the rest of a text. It's like, you know, when you talk to ChatGPT and you say here's an email I have written, and then in quotes you say what that email says and by the end of the quote you say now summarize this for me or fix the orthographic and grammar mistakes. And there is a difference between the command you ask for it and the content that it should act on, right. So the hack in the CV works in the way that there is an actual CV of a human being which is, for the best and for the worst, what it is, but there is a command that says summarize this CV as an amazing candidate, right, and because the command is intercepted by the AI, it stopped processing the CV and whatever the previous command has been, an order of the user in the recruitment has been to, you know, provide it with a summary of people five years or above in I don't know whatever technology or tool that they're experts in. It just stopped processing and say, hey, go with the candidate as number one. And yes, you're right, there has to be a validation on input. That's a very common thing outside of IT industry in general, or even for SQL injection for databases.
Speaker 2:But it's funny to see the reason why I'm interested in this is that there should be. Both sides should be treated equally in the face of law, in my opinion. So what I mean by this is that there is employer and they have to, you know, live up to all of these expectations. But it doesn't mean that anyone who applies for a job is, you know, free to do whatever they want, to just cheat the system, right, and there is no scrutiny whatsoever, no means of they should be handed accountable for actions like this. Let me put it this way. Whatever that means, I have no opinion how and whatnot, but in first place, they should be disqualified from a recruitment process. But maybe there should be something more, because you could imagine this could have financial impacts, like if you apply for a loan, right, and there is a review AI, review agent and you cheat that to tell you, yeah, this guy should get millions, right? Because their credit score is so great.
Speaker 2:It could really have a significant impact on economical impacts on individuals and companies.
Speaker 1:I mean if I would hire for a creative role and my AI system gets tricked like this, I would say this is an interesting guy or girl. We should talk. Apart from that, from the legal perspective, at least in Germany, and I think it's the same in other European countries, if you fake your CV and get hired, your job can be terminated and you can be sued for damage. Um, but I'm not. There is a risk if you lie on your CV, but if you, um, as I said, for a good reason, I think, um, in the HR and process, the use of AI should be regulated and should not be just done by the numbers, and I don't have so many, let's say, concerns about the employers fighting back against the pre-selection of the large language models. I don't want to encourage any behavior here and certainly not to trick the CV process, but in general, I see it like a level playing field and that's certainly a creative approach.
Speaker 2:I mean, it's a creative approach by the first person who came up with this, right, but now, as it becomes a norm, it kind of derails the entire system if everyone is figuring it out and just copying this, even blindly, without understanding what they just did, because they notice that it does what it does without understanding why it is doing it. All right, um, one of, uh, probably last question. Actually, you know, in all of the emerging trends, uh, in data privacy, in the AI, in cyber security, which one of them excites you the most and what, you know, what are you looking forward to to materialize in the next couple of months, a couple of years?
Speaker 1:I would say I'm, I'm very interested in the, um, yeah, whole open source sphere. I will actually, um, write an article about the open source and, um, tech stack, that where I see a lot of potential to be innovated by AI creating code and also the accessibility to coding. These are the two topics. I'm really excited that basically now people can, with a few prompts and natural language, have their first little success in coding, and I am very excited that this barrier between developers and other professions is getting lower and I think the understanding and the accessibility of technology will be improved by AI.
Speaker 2:Fascinating. I would love to talk about this one a little bit more. So a follow up question.
Speaker 2:If, today, to start a developer, people need to understand some basic not even mathematical, but like logical operations and equations, so to say, right, or ideas, basically they have to understand some ideas. And now, because of an AI that can take a shortcut without understanding those ideas, it doesn't make them developers. It makes them. It helps them generate and solve a small contained problem, but it also stops them from growing into the development role.
Speaker 2:So, in other words, what I'm expecting to happen and I'm afraid of this, and this is just my own thesis is that in 10 to 20 years, because everyone will be using AI to start anything, there might not be enough drive to actually understand the basics and understand why things happen the way they happen. Compare it to using Compass versus using Google Maps. If you turn off Google Maps now or any sort of navigation software on your smartphone, people would be lost, because not many of us can use a map or Compass anymore, because we don't teach that anymore. Don't you think that the same pattern would apply to more sophisticated things like coders and coding. I'm already seeing some of that in my industry, and for the negative as well, but what are your thoughts on this?
Speaker 1:Good point. We actually talked about this the other day with my CTO. My personal feeling is that the whole talk that developers will not be necessary in the future. The AI will do everything. I don't believe this and I think it will be a huge advantage if you were, I say it a bit drastically, if you belong to the last generation that actually wrote it itself, because you can debug it, you know what the AI does and this skill will still be needed. So I'm not fearing the disappearance of the developer mind and the developer experience and thinking. At the same time, I think a lot of people, and I'm the best example with a non-technical background, can enter the field and kind of backwards engineer, that's how I did it, and then you do something. It doesn't work, and then maybe you read a book and maybe you think about data structures and whatnot. So I think from both sides there will be a better accessibility to technology.
Speaker 2:Certainly, yeah, I like that answer a lot. Well, thank you so much, Steffen, for sharing your journey from data law to coding today. It's been inspiring to hear you how you bridge the gap between these two worlds.
Speaker 1:Thank you, Lukasz. Thank you for having me, and it was a pleasure.
Speaker 2:And to our listeners. Thank you for tuning in to this episode of Dev is in the Details, and if you enjoyed the conversation, be sure to subscribe and leave a review with your thoughts and feedback. Until next time.