What We Do
Privacy is rarely the bottleneck people think it is. The bottleneck is usually a product organization that treats privacy as a review gate rather than a design constraint, and a privacy program that cannot articulate what it is optimizing for. We help clients navigate these kinds of structural challenges. We help design data products and infrastructure that make the privacy and utility trade-offs explicit and empirical.
Our team has shipped first-of-their-kind privacy infrastructure at global platform scale, advised regulators on the next generation of privacy law, and built privacy-respecting products from scratch.
How We Help
We work best with clients who are trying to do something hard with sensitive data — release a dataset, build a research program, ship a product into a regulated market — and need a privacy approach that survives both technical and regulatory scrutiny. We bring the technical literacy to evaluate PETs honestly, the policy fluency to engage with regulators, and the product discipline to ship something real.
Representative Work
Working Paper is a small firm by design. The work below reflects what you're hiring when you hire us — engagements led at Working Paper, and the senior careers our principals brought with them.
Privacy-enhancing technologies, end to end. Through a Senior Fellowship at the Future of Privacy Forum, we lead the subject-matter work on the NSF- and DOE-funded Research Coordination Network on Privacy Enhancing Technologies. We have built a global network of PETs practitioners, developed public guidance on expanding data sharing while meeting legal and ethical best practices, and worked with global privacy regulators to create a clearer regulatory environment for broader PETs usage.
First-of-their-kind privacy infrastructure at scale. We co-designed and delivered the first differentially private Facebook dataset, the first Facebook remote-access research tool, and the privacy infrastructure for the largest consented social science experiment ever conducted. We developed the internal frameworks Meta used to make privacy, security, utility, and impact trade-offs in data-sharing decisions. These frameworks informed major dataset releases including the Privacy-Preserved URLs dataset and the social mobility dataset published in Nature.
Privacy as a product strategy. At Yobi, a privacy-centric AI startup, we built the integrations and compliance systems that enabled ethically consented data acquisition and privacy-safe third-party data enrichment for Fortune 500 clients. We also managed privacy strategy and program implementation for Durin.ai's residential access-control system, ensuring that privacy was a core feature of the product itself — from the hardware upwards — not just compliance with GDPR, CCPA, and the EU AI Act.
GDPR and DSA data access. We founded and helped lead the EDMO multi-stakeholder working group that wrote the code of conduct for research data sharing under Article 40 of GDPR — the same framework that subsequently informed implementation of the Digital Services Act. Inside Meta, we led DSA Article 40 compliance interpretation and authored position papers that informed the resulting EDMO Code of Conduct.
Frontier AI privacy and confidentiality benchmarking. We product manage MLCommons' frontier AI privacy and confidentiality benchmarking initiative, applying the rigor we have brought to platform-scale data sharing to the privacy questions raised by frontier-model evaluation, agent infrastructure, and high-stakes deployments.
Privacy for agentic systems. We lead the Future of Privacy Forum Frontiers workshops on agentic infrastructure, re-identification research, and spatial privacy — helping the privacy community develop the analytical frameworks it will need for the next generation of AI products. We have also contributed to the NIST differential privacy deployment registry, helping document real-world DP deployments so practitioners can learn from each other.
Responsible data practice in low- and middle-income countries. We launched the Responsible Data Initiative at Medic, designing institutional policies and software practices to operationalize patient data rights for an open-source platform serving community health in low- and middle-income countries. Published at the ACM CHI conference, the work articulates the institutional pre-work required to make sense of a fragmented global data protection landscape and to design software that goes above and beyond regulatory compliance.
Open-source privacy infrastructure. We advise the Open Commons Consortium on data sharing, privacy, governance, and social science best practices, in support of Gen3 — OCC's open-source platform for privacy-preserved analysis and regulatory compliance.