Caveat 3.3.22
Ep 115 | 3.3.22

Location data is the foundation of our modern economy.

Transcript

Jason Sarfati: Location data comes down to one of two concepts - either, No. 1, we identify where a person is or, No. 2, we identify where a device is.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland's Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben talks about the moment of reckoning for Big Tech companies during the conflict in Ukraine. I dig deeper into the executive order that enables our government's intelligence activities. And later in the show - my conversation with Jason Sarfati, taking a closer look on what location data is and the approaches that different levels of stakeholders are taking with it. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump in here. I think anybody who's been paying anything resembling attention these days has been focused on the situation in Ukraine. And that certainly has veered into (laughter) the topics we discuss on this show. What do you have for us this week? 

Ben Yelin: Sure. I remember you saying a couple of years ago when the pandemic first started that every podcast is now a COVID podcast. 

Dave Bittner: Yeah. 

Ben Yelin: And I think it's true now that every podcast is a Ukraine podcast... 

Dave Bittner: Right. 

Ben Yelin: ...Just because there's so much to talk about, and we've never seen this kind of hybrid warfare where there's kinetic activity happening. There are bombs and guns on the ground in Ukraine, but there's also the sphere of cyber warfare. So we've really never seen anything like it. 

Ben Yelin: I got my article from Ars Technica today by Tim De Chant, and it is entitled "Big Tech Spent Decades Skirting Geopolitical Issues. That is No Longer an Option." So Big Tech companies are obviously motivated by the bottom line. They want to be able to sell their services everywhere. 

Dave Bittner: Yep. 

Ben Yelin: They have tried to stay as neutral as possible in geopolitical disputes just because that's in their best interest. So they want Chinese customers. They want Russian customers. 

Dave Bittner: Right. 

Ben Yelin: The nature of the conflict that's taking place right now is forcing them to take actions that have the effect of taking sides. So they are no longer able to stay on the sidelines just because that's what circumstances demand. And that has manifested itself in a number of ways. One that's very interesting to me is - and this applies to both Meta - I still can't believe we're calling it that, but... 

Dave Bittner: (Laughter) The company formerly known as Facebook. 

Ben Yelin: Our friends formerly known as Facebook... 

Dave Bittner: (Laughter) Right. 

Ben Yelin: ...And Twitter. You know, the Internet Research Agency in Russia has done a good job of creating these troll farms - fake accounts that, you know, are purportedly from concerned Ukrainian citizens that just happen to support the Russian government. 

Dave Bittner: Yeah. 

Ben Yelin: So I ran into this great Twitter thread on one of these such scenarios. It's by a guy named Ben Collins, and he writes about Vladimir Bondarenko, who is a blogger from Kyiv who really hates the Ukrainian government. 

Dave Bittner: OK (laughter). 

Ben Yelin: This man does not actually exist, according to Meta, who ended up taking down his account in one of these moments where they really had to take a side. He was invented by the Russian troll farm, and his face - where he looks like this, you know, nice, handsome blogger - was made by AI. 

Dave Bittner: OK. 

Ben Yelin: So he is a non-existent person. 

Dave Bittner: Right. 

Ben Yelin: This is happening across all different types of platforms, not just Meta, but also on Twitter, where, you know, you have this phenomenon of fake accounts spreading fake information. 

Dave Bittner: Yeah. 

Ben Yelin: And you also have this problem of, you know, these companies want information to flow into Russia because, obviously, they're concerned about censorship, and they don't want the only thing that citizens to see in Russia be state media. So Twitter - and I know Twitter has already implemented this. I know Meta is in the process of putting a label from any state-run media source saying, you know, basically, you should take this with a grain of salt. This is state media. 

Dave Bittner: I saw a thing on Twitter this morning. Someone was saying that since restrictions have put in - have been put in place with Twitter and Russia that a lot of the trolls have gone silent. 

Ben Yelin: I've seen that, too. 

Dave Bittner: Yeah. 

Ben Yelin: Some of that might have to do with economic sanctions, which is very interesting to me. Obviously, the people who perpetrate some of these trolling actions, they have to be paid. 

Dave Bittner: Right. 

Ben Yelin: And some of their avenues for getting paid might have been cut off, which is interesting. But also, you know, the companies themselves have done, I think, a reasonably good job to the extent that they can in the past, you know, several days since the invasion - have really tried to institute best practices to prevent trolling, false information, et cetera. And this doesn't just manifest itself on social media, you know? Other big tech companies, no matter what their sphere is, have to confront what's going on. So I read a story, a separate story, about Google. You know, Google Maps has traffic - real-time traffic information... 

Dave Bittner: Right. 

Ben Yelin: ...So where roads are clogged, which restaurants happen to be busy, you know? If I want to get directions to my local diner, Google will tell me it's a very busy time of day there. 

Dave Bittner: Yeah. 

Ben Yelin: And they do that by tracking how many cars are headed to the restaurant at a particular time, how busy, you know, the roads are, et cetera. 

Dave Bittner: Yeah. 

Ben Yelin: That information can be absolutely crucial during an armed conflict, especially when you have 40-mile long Russian convoys going into Kyiv, when civilians are trying to conceal where they are, you know, especially as members of the - just civilians in Ukraine, people with no military training, are taking up arms. So Google has actually taken the extraordinary step of disabling real-time traffic information within the country of Ukraine over the past several days. 

Dave Bittner: Wow. 

Ben Yelin: So what's very interesting to me is kind of, like, how other international institutions have gone above and beyond expectations, in my view, in how they would react to this invasion. I think big tech companies, kind of seeing where - you know, how strong the political currents are, are stepping up as well and are taking actions against a totalitarian government that they, perhaps, would not have taken in the past. I think maybe they've just been kind of swept up in the images the rest of us have seen from this conflict. And, you know, perhaps they see it in their long-term financial interests to take clear stands here. They're not saints, you know? They're not doing this out of the goodness of their own heart. But I just think it's been really interesting to see them get involved in ways that they just have not in the past. 

Dave Bittner: Yeah. Though, all of the oil companies divesting themselves from, you know, Russia has been fascinating as well. 

Ben Yelin: Yeah. I mean, in all spheres of life, people are making financial - and companies are making financial sacrifices. You know, there's a question of how big those sacrifices are. Can, you know, the - can we make up the revenue that we lost from this sanction? Can we make it up elsewhere? 

Dave Bittner: Yeah. 

Ben Yelin: That - you know, that still exists. And we can't deny it. But the fact that people are willing to sacrifice their own financial situation to try and join this incredibly broad, international effort to impose economic sanctions is unprecedented. I mean, we have not seen this in our lifetimes, where they go after not just the low-hanging fruit in terms of economic sanctions - you know, you can't do business in our country - but going after the central bank, where, yeah, your stock market, if it opens, is going to crash. So that... 

Dave Bittner: Right. 

Ben Yelin: You know, the ruble will have the value of a piece of toilet paper, so you better not open your stock market. I mean, we've just never seen anything like that. And I think, from these companies' perspective, they wanted all the benefits of being a global company - you know, monopolizing the world's communications, being able to go where the people are and, you know, collect those paychecks - without having any of the responsibility of getting caught up in geopolitics. And I think we might have finally found a situation where they've been forced to take these types of positions that they just would not have done in the past. 

Dave Bittner: How does this inform how countries like China are going to behave going forward? I mean, I, you know - a couple of decades ago, I joked that, you know, we hate the civil rights issues but, boy, do we love $30 DVD players. 

Ben Yelin: Right. 

Dave Bittner: Right? And so you look at so many things that come out of China, our iPhones - I mean, every - any electronic device is pretty much - comes out of... 

Ben Yelin: Yeah. Look at the tags on your clothes. 

Dave Bittner: Yeah. 

Ben Yelin: Let's just start there. Yeah. 

Dave Bittner: So how does a country like China look at what's happening to Russia in regards to Ukraine and think about how they're going to - does this alter how they may think about, for example, Taiwan? 

Ben Yelin: That's a really hard and difficult question. I think there are some significant differences. 

Dave Bittner: Yeah. 

Ben Yelin: And again, I'm not an expert in this. I'm sure you could talk to people who know more about each of these countries and the interplay between China and Russia. This is just kind of me freelancing on this a little bit... 

Dave Bittner: Yeah. 

Ben Yelin: ...Which is always dangerous. 

Dave Bittner: (Laughter). 

Ben Yelin: I think China is a little bit more economically self-sufficient... 

Dave Bittner: Yeah. 

Ben Yelin: ...In that they're less likely to be impacted by these types of sanctions. They're less dependent on financing from the West, for example. 

Dave Bittner: Their chunk of the world's GDP is a lot larger than Russia's is. Yeah. 

Ben Yelin: Yeah. I mean, magnitudes larger. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: You know, I'm not sure that they have the national security capabilities necessarily that Vladimir Putin has, although I can't claim to know much about either. 

Dave Bittner: Yeah. 

Ben Yelin: Much about that, either. I mean, I just think generally, we have less leverage to completely cripple their economy because they - as you say, they have higher GDP. Until very recently, they were growing far rapidly... 

Dave Bittner: Yeah. 

Ben Yelin: ...Than the rest of the world. And they make so many of their own products that probably a regime of international sanctions and, you know, steps from Big Tech companies to take a stand or divest is just not going to have the same impact. 

Dave Bittner: Right. Their ability to cripple the rest of the world is much stronger than Russia's is, for example - economically. 

Ben Yelin: Right. Exactly. Now, they've done a better job looking out for their own economic self-interest over the past couple of decades than Putin has, so they might be a little more disinclined to take their chances. Not to say that that's necessarily going to stop whatever their plans are with Taiwan. But I don't think our arsenal, whether it's our country or the Big Tech companies that are mostly based in our country, has quite as much power over China as it does over Russia. 

Dave Bittner: Right. 

Ben Yelin: But I do think this is a warning shot that - you know, we've kind of been in a period where a lot of international actors and some domestic actors have done a lot of things that have been wrong - morally, geopolitically - and they've just kind of gotten away with it because we weren't willing as a society or as an international community or as tech corporations, the United States, really willing to do anything. And now we finally have a situation where whatever the line was, Russia has crossed it. And that means for the first time, we've seen what a mobilized response would look like. We know that it could exist, and that might be a warning to China. 

Dave Bittner: Yeah. Yeah, it's really fascinating to see, particularly, the European community come together in ways that I think far exceed what people expected. 

Ben Yelin: Absolutely. I mean, we've never seen it in our lifetimes, as I said, and it's certainly not what most analysts expected prior to this invasion, just because they haven't had the will to take these types of actions in the past, which I also think is similar to tech companies who, you know, have been faced with things like censorship, human rights abuses and haven't already - haven't always acted in the public interest. Not to say that they're perfect right now, but the fact that they're forced to reckon with this, I think, is very indicative of where the winds are blowing on this issue. 

Dave Bittner: All right. Well, you know, more to come. Time will tell, as they say. We'll keep an eye on it. We'll have a link to that article over on Ars Technica and, of course, just tons of coverage of all this all over. So not a hard story to follow, but we'll have a link to the one that we mentioned here. 

Dave Bittner: My story this week actually is some follow-up from a listener, a regular listener, a superfan of our show, who is also an Intelligence Community insider - asked to remain anonymous, and I'm going to honor that request. And they wrote in about the conversation you and I had recently about Executive Order 12333. What's the - there's a nickname for that. 

Ben Yelin: 12333. 

Dave Bittner: 12333. There you go. And a really thoughtful bit of follow-up here. I'm going to read it. There's quite a bit here. Feel free to chime in as we go here, Ben, and we'll comment on it as we go, all right? 

Dave Bittner: So this reader writes, regarding some of the intelligence concerns mentioned in the February 17 episode "Balancing Port Security and Protecting the Supply Chain" - first, a clarification. Executive Order 12333 is the overarching document that grants the IC - that's the Intelligence Community - the authority to conduct intelligence activities. It's like the Constitution for the IC - general big picture, original source of authority and limitations. It's been in place since Reagan and gets signed by every subsequent President. EO 12333 authorizes the NSA to do SIGINT, the CIA to do HUMINT, et cetera. Numerous other statutes, policies and procedures govern the specifics of those activities, including, most importantly, the Fourth Amendment to the Constitution. No matter what activity occurs and where, the Fourth Amendment always protects U.S. persons from unreasonable searches and seizures, including the digital kind, no matter where they are, including overseas. 

Ben Yelin: Can I stop you there for just a second? 

Dave Bittner: Yes. 

Ben Yelin: So obviously, this is all said with the utmost respect. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, I think most of the points he's making here - or he or she... 

Ben Yelin: Yeah, they. 

Ben Yelin: ...Mr. or Mrs. Anonymous... 

Dave Bittner: (Laughter) Right. 

Ben Yelin: ...Are completely valid. 

Dave Bittner: Yeah. 

Ben Yelin: Saying that the Fourth Amendment also applies to intelligence activities has less of an effect that you might - than you might think in these circumstances, just because, A, one thing that's unique about Executive Order 12333 is there's very little oversight of activities done pursuant to that executive order. Until very recently, bodies like the Privacy and Civil Liberties Oversight Board had never looked at these intelligence collection activities that weren't covered by FISA. There is no approval process for any programmatic surveillance that's done pursuant only to executive order 12333. So with that lack of oversight, it means there's a greater chance for potential Fourth Amendment violations. Also, the Fourth Amendment itself, you know, doesn't protect U.S. persons to the extent that some U.S. persons probably want it to protect them. What I mean by that is if your communications are incidentally collected via executive order 12333, our courts have said no matter what the language of the Fourth Amendment says, those conversations are fair game without a warrant. You don't need a warrant to access those conversations. They go into a database that is searchable if you're communicating with overseas terrorist targets. So, yes, the Fourth Amendment does apply to all U.S. persons. It does not apply to non-U.S. persons overseas, by the way. But it does apply to U.S. persons, but it's not always as clear-cut as I think we want it to be. 

Dave Bittner: Well, let me continue here because there's more. Our listener writes, Ben suggested that FISA does not cover intelligence activities overseas. That's not accurate. He's right when talking about the original FISA - electronic surveillance and physical searches for foreign intelligence purposes of person's facilities or properties inside the U.S. - but FISA has been amended numerous times to address changes in digital technology, networked systems, extraterritorial databases, cross-border data flows, et cetera. FISA now includes authorization and oversight for intelligence activities conducted outside the U.S. Specifically, Section 702 authorizes the targeting of foreign persons believed to be located outside the U.S. with the assistance of service providers, while also providing oversight to protect the constitutional rights of U.S. person data scooped up in the process, called incidental collection. Meanwhile, sections 703, 704 and 705 provide authority and oversight for surveillance of U.S. persons overseas given probable cause. So again, FISA oversight covers intelligence activities outside the U.S., but that's certainly not the only control in place to protect your rights. I'm going to pause here. There's a lot there. You want to chime in, Ben? Any... 

Ben Yelin: Yeah. I guess what I meant to say - maybe I was unclear about it - is executive order 12333 is the backstop. If there is a situation where FISA does not apply, then the only governing authority is executive order 12333. So yes, there are circumstances, as this listener mentions, where FISA does apply internationally. Section 702 is an interesting one because technically that was designed to solve a problem that existed in the 2000s, where we had all of this data in the United States because most of the service providers are located in the United States. But because these were the conversations of non-U.S. persons that were picking up incidental collection, we didn't have a legal mechanism to collect that information. It would have been too cumbersome to demand traditional FISA searches for people that are overseas terrorists. So we have the Section 702 process where you can compel the production of online communications of non-U.S. persons that may incidentally include U.S. persons. 

Ben Yelin: I think the way to think about executive order 12333 is for any sphere where FISA does not apply or other statutes - there are plenty of other electronic surveillance statutes - where that does not apply, then all you have is executive order 12333. And I think that contemplates scenarios where collection largely is taking place overseas outside the realm of, you know, the internet backbone in the United States or from our own internet service providers, even with the provisions that he mentions. 

Dave Bittner: All right. Well, here's where I think this gets even more interesting. So he goes on. Now, for the complicated discussion of policy and oversight on the books versus on the ground. As with any technology, there are opportunities for misuse, regardless of what laws are on the books. These risks are mitigated by policy, procedure, training and oversight on the ground. On the ground, intelligence activities are designed to limit how much U.S. person information is incidentally collected. This pre-review is done by individuals with unique training and certification in targeting and legal procedures. 

Dave Bittner: Additionally, very few people are authorized to see the raw data from the activity that is unprocessed and unminimized information which is managed through both policy and technical controls. In order to access raw data, an individual must go through unique training and certification that covers legal authorities, oversight mechanisms and ethics. Other people can only see minimized information, which is a term of art that means all identifying details of U.S. persons are removed from the information. Every activity is also audited by trained and certified auditors. If anything is amiss, or if the auditor gets the sense that some process wasn't followed correctly, they flag the information for review, deletion or investigation by a senior auditor or the IG. 

Dave Bittner: At the end of the day, the people who implement these controls are your neighbors, drinking buddies, coworkers, classmates and just as American as everybody else. You might have an occasional bad apple, but the vast majority are more passionate about privacy and security than anyone. They take the Fourth Amendment seriously for themselves and for others. For something truly illicit and illegal to fall through the cracks, a lot of procedures have to go wrong all at the same time. That's not to say it's impossible, but it's rare and unlikely. Just like how the diversity and variety of our national election infrastructure creates an added layer of security, the diversity of the U.S. intelligence community and variety of oversight controls creates an added layer of protection for your rights as a U.S. person. What do you think? 

Ben Yelin: This is very well-taken and true. 

Dave Bittner: Yeah. 

Ben Yelin: In a lot of my classes, I've had people who work in - for the NSA or just generally in signals intelligence. They are uniformly smart, committed. They believe in the restrictions of the Fourth Amendment. They believe in our Constitution. 

Dave Bittner: Yep. 

Ben Yelin: They have, you know, the utmost respect for the rule of law, certainly more so than, you know, some of my other students, to be frank. 

Dave Bittner: (Laughter). 

Ben Yelin: They're some of the best students I've ever had in any of my classes. 

Dave Bittner: Right. 

Ben Yelin: And I think it's because they've been well trained. They believe in the mission, and they believe in our Constitution. So I think all of that is absolutely true. It's the processes where certain things are - can become problematic. Yes, as he says, there might be bad apples occasionally. But generally, the people that make up the intelligence community are, as he says, our neighbors and friends. I, for one, value their work immensely. 

Dave Bittner: Yeah. 

Ben Yelin: I've learned a lot from them. I've gotten winks and nods in my classes from students who say, you know, I can't divulge information publicly, but maybe the way you're describing something isn't how it actually works in practice. And so I have a lot of respect in that sense. So that is all - that is absolutely well-taken. 

Dave Bittner: You know, it's been my experience in the conversations I've had with people in the intelligence community, interviews I've had with folks of various levels of places like NSA - one of the takeaways for me is that the incidental collection of information is a pain in the butt for these people. 

Ben Yelin: Right. 

Dave Bittner: Like, they don't want to have that happen because it creates a lot of work. 

Ben Yelin: Absolutely. 

Dave Bittner: It's all this - like, oh, crap. We got all this paperwork now. Now, it triggered - it automatically triggers a bunch of stuff that just is kind of a pain in the ass, right? 

Ben Yelin: Yeah. 

Dave Bittner: So they - you know, it's not - I think the impression that a lot of us have - and from movies and from, you know, spy thrillers and things like that - is that, you know, you have curious people who are out looking for that - you know, that thing, and they're willing to bend the rules, and... 

Ben Yelin: Right. Let's use this database to look up my evil ex-girlfriend. 

Dave Bittner: Right. 

Ben Yelin: Right. 

Dave Bittner: Right. And, you know, bad apples notwithstanding, I also believe that, you know, this is taken very seriously by the folks who do this work, and there are many layers of oversight in place. And then layering on top of that just the practical thing that if you inadvertently do gather something that you shouldn't, it's just - it slows down your day. And so there's a practical thing, and people don't want that to happen. 

Ben Yelin: They certainly do not. I mean, one thing I got from the whole Carter Page fiasco where they opened the book on FISA surveillance and there certainly were institutional problems with what went into those applications, so much of that to me is, like, people - not that they're lazy, but, like, the amount of work that you have to go through to dot all the i's and cross all the t's if you stumble across information concerning a U.S. person is extremely cumbersome. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, you might have a good faith intention to go through the constitutional process. And it's just - it's really hard to do because of the way the process works. That doesn't excuse it. 

Dave Bittner: Right. 

Ben Yelin: But I just think, to add to what you have to say, yeah, there - for the most part, there isn't any interest in breaking the rules. 

Dave Bittner: Yeah. 

Ben Yelin: It's - sometimes, you are - stumble upon something that does require robust civil liberties protection. And I'm sure in many circumstances, that's very annoying 'cause you see your mission as stopping the bad guys. You don't want to be, you know, bogged down by paperwork. 

Dave Bittner: Right. 

Ben Yelin: Nobody does. 

Dave Bittner: Right, right. All right. Well, thank you very much to our kind listener who sent in this information, taking the time to write this up. I mean, this is - really goes above and beyond what we would expect from someone. And it's great to have this insider's point of view to sort of, you know, fill in some of the gaps in the conversation that we had previously, so - very much appreciate it. 

Ben Yelin: Absolutely. And if you have your own area of expertise and we've said something that doesn't comport with your experience, send us a long email, too. You could be featured on the show as well. 

Dave Bittner: That's right. It's caveat@thecyberwire.com. All right, Ben, I recently had the pleasure of speaking with Jason Sarfati. He is the chief privacy officer and VP of legal at Gravy Analytics. And we are talking about location data and exactly what that is and what it means for stakeholders who take advantage of location data. Here's my conversation with Jason Sarfati. 

Jason Sarfati: So for starters, the state-level legislators are asking themselves this question all the time, and we're getting 50 different answers. So my answer will likely also vary upon what you also hear. But the way I look at it, and a way I think most reasonable folks look at it, is location data comes down to one of two concepts - either No. 1, we identify where a person is or, No. 2, we identify where a device is - a specific, identifiable device. If one of those things is not true, then it's not location data. 

Dave Bittner: If we look back historically, I mean, is it really that location data has become a thing of interest since we all started carrying around devices with GPS sensors in them? 

Jason Sarfati: That's sort of the idea, but let's think about the points of collection that exist in today's world that did not exist 10, 15 years ago. So for starters, the classic point of collection for location data is, of course, our smartphones. And the amount and the accuracy of the information that they collect has increased exponentially not just in this last decade but the last half decade. But today, we have so many other devices that are collecting location information. Automobiles are collecting an order of magnitude more data than they used to. Drones, scooters - we live in a connected economy where every single device is now collecting, in most forms, some form of location data. And if that were to disappear tomorrow, the society that we live in would - and I'm not exaggerating - begin to collapse. 

Dave Bittner: How come? What would trigger something that grave? 

Jason Sarfati: Well, just look at your phone right now and look at all those little squares in those apps and think about, for a moment, the apps that would suddenly not work, or at least not work the way you want them to, if location data would not be collected. So all your ride-sharing apps, events that you attend, a lot of the targeted advertisement that runs off of location-based signals - there are so many aspects of our society today that rely upon where mobile phones are, where automobiles travel, that I think a lot of people take for granted. And especially as we progress into the next part of this decade where we're trying to tackle problems like automated driving and on-time delivery and automation of certain functions, none of that's going to be plausible without accurate location data. 

Dave Bittner: Do you think the average person out there has a good sense for the degree to which this data is being collected and aggregated? 

Jason Sarfati: I think some people know. So when I attend barbecue parties and things like that and I tell people what I do, most people are like, yeah, I see those little notices on my phone location data, and I say yes because I just need to know where I'm going. Or, yeah, I'm calling an Uber. How the hell is the Uber going to find me unless they know where I am? So in a sense, I do think people are generally aware that phones and other devices collect their information. What I don't think people are aware of, on the other hand, is the sectors of the economy that rely on this location data. So they understand it as it relates to them personally. But there's a back end. There's a B2B space where so many sectors of the economy, from supply chain and logistics to municipal planning - all of that relies on location data today. And if that were to disappear, I don't think people would be ready for the results of that. 

Dave Bittner: Can you give us some insights? I mean, what are some of the areas that rely on this that people probably don't have top of mind? 

Jason Sarfati: So for starters, the modern-day supply chain - right? - once upon a time - let's go back a generation ago - widgets were built within a certain local region of an economy, right? So you could build all the components of a physical thing within even a particular state. Today, supply chains are global, and companies - and not just the transporters of these widgets but also the end distributors and ultimately commercial resellers - they need to understand A to Z how their supply chain begins and all the way - and how it all the way ends up hitting a customer, the consumer base. All of that is done today by identifying relative changes and relative movements in location signals. And again, if that were to suddenly disappear, then the supply chains that we have constructed, that we have matured in the last five years, would suddenly become inapplicable to the world we live in. So it is the foundation upon which everything that we consume, everything that we touch, everything - everywhere we go is designed. And again, that's the thing that I don't think people have fully digested yet. 

Dave Bittner: To what degree does the government play a part in this? I mean, you know, it strikes me, obviously, the foundational element here. The GPS system is a government program that all of this sort of relies on to be able to track the locations. But, you know, to what degree can we consider this to be kind of a public-private partnership? 

Jason Sarfati: The innovation that is happening in this space absolutely needs greater involvement from our regulatory and our government partners. A top-of-mind one that I know is a blaring issue is drone technology. The fact that drones half a decade ago could easily fly into controlled airspace, the FAA was quick to realize all the innovation that's happening in the space needs some sort of regulatory involvement. Otherwise, the companies are going to be quite literally flying blind. And we need more involvement. So I do believe that at the agency level, a lot of the rank-and-file employees have understood that. They're getting more involved with companies and coming up with commonsense rules and industry norms. However, in terms of strategy, I don't see - and I know a lot of my colleagues share this opinion - a federal vision for how our government should enhance and encourage commonsense regulation and also innovation as well. This doesn't get much play in the presidential debates. It ought to. This doesn't get much play even in the news. But this is, again, the foundation of our modern economy, and I wish it did get more attention. 

Dave Bittner: You know, you say, you know, commonsense regulation, what sort of things do you put into that category? 

Jason Sarfati: Well, so for starters, there is no defined rule on what locations, especially as it relates to targeted advertising, companies should not sell. So there are now groups like the NAI, the Network Advertising Initiative, that is drafting a potential blacklist of locations, places of worship or schools, hospital. There are some concepts that, you know, maybe there are certain locations we shouldn't sell this data, at least as it relates to. And the industry players need that kind of leadership. Thankfully, some of the think tanks are getting involved, but we don't really see any leadership on the part of our national lawmakers. And I do think it is dragging a lot of the overdue development in this sector of the economy. 

Dave Bittner: Where do we stand in terms of regulation? I mean, is the - it seems to me like most of the action is happening at the state level. Is that an accurate perception on my part? 

Jason Sarfati: It is. And it's kind of tragic, to be honest, because phones and devices don't inherently change when you cross state borders, right? This is something that absolutely requires a federal approach, and we just don't have it. Now, you could blame a deadlocked Congress or other priorities being top of mind right now, and data privacy or location data just isn't at the top. But, again, we do need federal leadership on this. The state-level legislatures have less of a roadblock. Also let's think about it - that's 50 test tubes instead of one, so other folks can take their own crack at it. California and Virginia have already passed some definitions of location data. But, again, it doesn't make sense for us to regulate this at a state level. This needs to be approached from a federal perspective. 

Dave Bittner: And what do you suppose is a reasonable balance here? I'm trying to imagine what equilibrium would look like. 

Jason Sarfati: So there are some buzzwords that you hear of. So for starters, one of the tenets of privacy law has always been notice and transparency, the idea that individuals should at least be aware of the data categories that are being collected and maybe who they're being shared with and some of the use cases around that. So that sort of has become a national trend, whether or not it's actually captured in a law. We just see that happening in real-world circumstances. But again, something that we don't see is identifying with precision what location data actually is. So that's a huge problem. Companies don't know whether or not they're processing location data because the definition of it varies depending upon what state you're looking at or what industry group has put out a certain perspective on it. So we certainly need a concrete definition of what location data is and how we know we are processing it versus when we're not. And the only way that's achievable, at least from my perspective, is a federal privacy law that touches on location data. 

Dave Bittner: You know, my co-host Ben Yelin and I have often talked about when we see stories that mention, you know, anonymization of location data of how - I don't know - it almost seems like a fool's errand in that, you know, even if you take the name off of a device, well, if that device spends every night at this location and then every day at this location, pretty easy to figure out, you know, that that's someone's home and that's someone's office. And, you know, the total number of people who sleep there and work there probably can be, you know, winnowed down to one or two. To what degree is that an element in all of this, the ability to have - to gather this information where it is truly useful, but then also be able to truly anonymize it in a meaningful way? 

Jason Sarfati: So for starters, the steps that need to be taken to anonymize location data are going to be different than the steps that are required to anonymize other categories of information like biometrics or health data or financial data or even classical PII. The reason for that is there are just so many unique attributes to how location data is collected and processed. I will however push back on something. There are actually countless number of use cases for purely anonymized location signals. So for example, our company did a study on the relative change in visits to gas stations during the Colonial Pipeline cyberattack. And one can, without identifying who's actually at these gas stations, identify, hey, there are 30% or 40% more devices suddenly at these gas stations. We can start predicting the price of gasoline based upon relative demand faster than anyone on Wall Street can, simply because - and with more accuracy, because we can understand that there's nothing more intimately related to consumer behavior than where people go to open their wallets. You don't need to know who's opening the wallet or even how much they're actually spending once they're at that location. You just need to know that there is a relative change in people who are going to that location. So there's actually a lot of use cases for it. 

Dave Bittner: Yeah, I certainly understand it and agree with you. I guess the point I'm getting to is that if you contrast what you're describing there, which I would describe as being a good-faith effort to understand something that will lead to, you know, meaningful information that helps us all in the end, that same information could be used by someone else who's not up to so much good, and they could use methods to de-anonymize it. And that, I think, is a peril that needs to be considered. 

Jason Sarfati: Yeah. So the potential for de-anonymization or reidentification - whatever word you want to use - is certainly something that's inherent to the location industry. Things that can be done to prevent against that - No. 1, having a positive conversation with the players in the market, understand what their use cases are. No. 2, identifying locations - right? - that are sensitive. So we don't probably want to monitor the behavior of kids and schools and playgrounds. There are certain things that should be off limits. And then No. 3, all of the devices carry, for the most part, something called a persistent identifier, the idea being - it's kind of like the license plate of your phone or your car or your drone or your scooter. And the more that those persistent identifiers are removed from data processing activities, the more we can mitigate against some of that potential peril that you're describing. There's no way to get to 100% mitigation. That's never possible in anything in life. But again, focusing on certain locations that are just too sensitive and then certain categories of data that if we attach to location information is just too dangerous, I think that's where the conversation needs to start. 

Dave Bittner: OK. How optimistic are you that we're headed in a good direction here? Do you - is there any hope in the near term of seeing anything come out of the feds? 

Jason Sarfati: So I don't have any optimism as it relates to at least a national federal privacy law. They've been talking about it for the last decade, frankly. I don't see it happening anytime soon. And part of the problem is that the issues that would need to be resolved in a comprehensive privacy law expand with each passing year. And so the - what could have actually been achievable back in 2017 or 2015 is now even more difficult because the problems we need to tackle are actually much more significant. One thing that I do think, though, that we will see is that there will be such a proliferation in the private industry as it relates to acquiring location data and all these other new categories of information that federal legislation will have to come about because there will just be so much industry demand for us to get rid of this patchwork system and just have a comprehensive approach. 

Jason Sarfati: So one of the, I think, misconceptions that we see in the news is that big business or any - or big tech is against regulation. I don't think that's true at all, and I don't think most folks view it that way. We actually do need guidance so that we can have a healthy space for these players in the market to grow. 

Dave Bittner: Ben, what do you think? 

Ben Yelin: So funny how some of the themes that we've talked about on this podcast just keep coming up. 

Dave Bittner: Yeah. 

Ben Yelin: We've started to see states take a stab at regulating location data, as he talked about. Certainly, the California law is a start. We've seen that in Virginia and in other places. But he reiterated, just like we have, the need for some type of federal guidance because ultimately this is a national problem. 

Dave Bittner: Yeah. 

Ben Yelin: The companies operate nationally. When you're tracking location, you're generally tracking it across different states. So that, to me, is kind of the upshot here is it's another area where we just need some type of federal regulation. 

Dave Bittner: Yeah. Yeah. All right. Well, again, our thanks to Jason Sarfati from Gravy Analytics for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The “Caveat” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.