Caveat 2.19.20
Ep 16 | 2.19.20
Rigging the game.
Transcript

Drew Harwell: Is this level of surveillance too much? Is this privacy invasive? Is this something that the students even really understand what we're doing? And so there's this big debate on a lot of colleges as to whether this is an appropriate level of student supervision or whether this has gone too far. 

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: On this week's show, Ben describes a decades-long global espionage campaign alleged to have been carried out by the CIA and NSA. I share a story about the feds using cellphone location data for immigration enforcement and later in the show, my conversation with Drew Harwell from The Washington Post. We're going to talk about his article about how colleges are turning students' phones into surveillance machines. While this show covers legal topics, and Ben is a lawyer, the views expressed did not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: We'll be right back after a word from our sponsors. And now a few thoughts from our sponsors at KnowBe4. What do you do with risk? We hear that you can basically do three things - you can accept it, you can transfer it or you can reduce it. And, of course, you might wind up doing some mix of the three. But consider this - risk comes in many forms, and it comes from many places, including places you don't necessarily control. Many an organization has been clobbered by something they wish they'd seen coming. So what can you do to see it coming? Later in the show, we'll hear some of KnowBe4's ideas on seeing into third-party risk. 

Dave Bittner: And we are back. Ben, why don't you start things off for us? A big story dropped this week. 

Ben Yelin: Yes. This is from The Washington Post in an article entitled "The Intelligence Coup of the Century." And the headline is certainly appropriate as this article was indeed eye-opening. 

Dave Bittner: Yeah. 

Ben Yelin: So the history of this story goes back to the end of World War II into the beginning of the Cold War. Many countries around the world, including some of our adversaries, trusted this one company, Crypto AG, to keep the communications of their spy soldiers and diplomats secret. And we found out through this article through information that was made public to The Washington Post and to a German publication that that company was actually working directly for the CIA, the National Security Agency and its antecedents. There was a secret handshake deal that took place in the 1950s where the owner of this company basically signed an informal contract with the CIA where other countries around the world would think that they were purchasing this advanced cryptological product, but really they were purchasing a product that would allow them to be spied on by the U.S. government. 

Dave Bittner: And Crypto AG is not a U.S. company. 

Ben Yelin: It is not. It is a company that is based in Switzerland. In fact, one of the things that was eye-opening about the article even though this company has been bought out and liquidated as of 2018, there is still actually a building in Switzerland that has Crypto AG lit up on the side of it. 

Dave Bittner: (Laughter) I see. 

Ben Yelin: So it's a company that exists in a modified form, but it is a company that has existed basically as long as modern cryptography has existed, dating back to World War II and the Cold War. So this was a joint agreement between the CIA, West German intelligence at the time and this company. And it was unknown to not only foreign governments but also to the U.S. media and media around the world. And these documents for the first time shed some light on that arrangement, which was really quite remarkable. It sort of confirms not some of the conspiracies but some of the allegations in the Edward Snowden disclosures of 2013 that the U.S. runs a pervasive global surveillance network. And nothing can be more pervasive than tricking countries into buying cryptography products that are actually monitored by our intelligence agencies. And the upshot of this is that our intelligence agencies were able to gain quick access to our adversaries' conversations. And that was obviously a major boon for our intelligence during the Cold War, during our conflicts in the 1990s and even the early parts of the war on terrorism in the early 2000s, so certainly something that opened my eyes. 

Dave Bittner: Now, there were some interesting - first of all, the whole article is fascinating from The Washington Post. But some things that caught my eye were that not only were these devices sold to our adversaries but to our Allies as well. And there were some points where the Germans got a little cold feet about that, that maybe they thought the Americans might have been doing a little too much peeking at Allies' communications. 

Ben Yelin: Yes. So we were far less bashful than our German counterparts were in using this as an espionage tool even though this was a joint operation between us and BND, which was the West German intelligence agency, you're right that the German government did not like the fact that we - not only was this tool being used by adversaries of our government but also some of our Allies during the Cold War. I think part of that was to maintain the cover of the secret espionage technique. If this was a product Crypto AG that was only sold to our adversaries, perhaps that would open some eyes in foreign intelligence communities, including maybe some of our adversaries, that this was all a ruse, this was all an effort for the United States to breach the private communications of foreign countries. So in order to maintain our cover, I think part of that included selling this service or watching this service be sold to some of our Allies as well. 

Dave Bittner: Another fascinating aspect of this I saw come by this morning - a reporter for The Baltimore Sun who said that back in 1995, they had done research and had written a story about this very thing. And at the time, the CIA and NSA said this is baseless speculation, it's a ridiculous story, of course we don't do any of this. And interesting to see how as time marches on, we look back, The Baltimore Sun had it right. 

Ben Yelin: Yeah. Our local newspaper did quite enterprising work in 1995. And, frankly, looking back on it, it's now very impressive. Of course, the CIA and the NSA are going to deny it because they had been able to prey off the gullibility of foreign countries to use this product and were able to make a profit. Part of the arrangement we made with the individual who owned this cryptography company, Crypto AG, was that we would share profits of the sales. So he would get a stipend, but it was actually the United States government that was collecting profits of the sale of this technology. So, of course, in 1995 when this was discovered by The Baltimore Sun expose, it's understandable that our intelligence agencies would want to deny it. And that sort of leads me to wonder why they didn't quite deny it for this Washington Post article. Now, neither the CIA nor the NSA confirmed the contents of this article, but it was sort of a nonconfirmation confirmation... 

Dave Bittner: Right. 

Ben Yelin: ...Nod of the head saying, well, we're not saying this is not not true. We are saying this is not not not true. And, you know, I think there are a couple reasons for that. The main reason is that, as I mentioned, this company has been liquidated, so this arrangement, at least in the form that it existed for 60 years, is no longer in existence. I think that's probably the main reason. The other key reason is that, you know, the cryptography industry has sprouted up. Now there are a million enterprising companies that provide these services. Crypto AG had a monopoly on cryptography services for a long time, and we were able to take advantage of that - or at least a semi monopoly. Now with a bunch of competitors, it can't control the market in the same way. So it's not going to be as effective of a tool. You know, if there was one supermarket in a town, then we could put a surveillance camera in front of that market and see every single person that goes shopping. Suddenly, when there are 20 supermarkets, that becomes much more difficult. So I think that's one of the reasons why this program no longer exists in its identical form and why the CIA and NSA aren't exactly denying it at this point. 

Dave Bittner: Yeah. I suppose, as time marches on, this sort of cryptography is no longer the exotic thing that it once was - pretty routine to use strong encryption when you're sending messages back and forth these days just through software. 

Ben Yelin: Absolutely. And it wasn't always like that. I mean, that's why it was so secretive and so lucrative for so many years is this was an industry that was still in its infancy as electronic communications themselves were in their infancy. Now, cryptography itself has always existed. You know, people were writing with feathers and pens using secret code, and there were people trying to decrypt that encrypted information. But at least in its current form, this is something that's relatively new, and in the last 10 years or so, more of an industry has developed around strong cryptography. 

Dave Bittner: Do you suppose there'll be any fallout from this? Because the program is pretty much wound down, is this kind of something where probably all the players in this likely kind of knew it was going on and so it's sort of more historical than anything? 

Ben Yelin: Yes, I do. I don't see there being any repercussions. If this were the 1970s and we were still a country that was obsessed with pervasive secretive government surveillance efforts, then we could see something like the Church Committee, which was the congressional committee set up to unveil all these, you know, secret CIA programs - Nixon, you know, killing his enemies, that sort of thing, whatever the CIA was doing in foreign countries in the 1960s... 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: ...You know. And we started to see a little bit of that political will show up after the Snowden disclosures. But my guess is this is sort of historical in nature. I think there's also kind of an assumption that we sort of look the other way with what our intelligence agencies do. It's sort of better left unknown. I mean, the CIA is subject to a lot of federal regulations. Many of them are classified. But it's sort of an area that lawmakers are generally very hesitant to touch. And that's why they get away with a lot, including this pretty massive heist that they were able to engineer for several generations. 

Dave Bittner: Yeah. Well, it's definitely an article worth checking out. It's from The Washington Post written by Greg Miller - "The Intelligence Coup of the Century." Do check it out. 

Ben Yelin: It is. And it's also just a very fascinating historical lesson. You could almost learn a lot about foreign policy in the last 60 years by simply reading this article. So, yeah, I would recommend it. 

Dave Bittner: Yeah. My story this week comes from The Wall Street Journal, and this is written by Byron Tau and Michelle Hackman. And it's titled "Federal Agencies Use Cellphone Location Data for Immigration Enforcement." A couple of interesting aspects of this - so Immigration and Customs Enforcement, ICE, part of DHS, they have been buying cellphone location data from private companies and using it to track down various folks of interest to them who may be crossing the border. They're saying they're using it for people entering the U.S. illegally, people who might be running drugs. This story says that they use this data to reveal a tunnel that went underneath the border. So on the one hand, I suppose you could say from a law enforcement's point of view, the purchase of this data from a private contractor, it has useful functionality for law enforcement purposes. But I'm going to guess that you have your own opinions about what's going on here, Ben. 

Ben Yelin: Yeah. I mean, certainly this presents civil liberties concerns both from a Fourth Amendment perspective and people who are concerned about overbroad authorities from our immigration enforcement would certainly be concerned about this article. Now, DHS didn't exactly tell The Wall Street Journal - understandably - what they were doing with this location data. But as you mentioned, we're suspecting that they're using it to track suspects, you know, figure out where these illegal entry ports are and you reference this potential tunnel under the border. They're claiming that they purchased data that was anonymized, and it is. All different types of advertisers purchase anonymized location data to make decisions on advertising targets. This is something we've talked about on the podcast many times. 

Dave Bittner: Right. Legal to do? 

Ben Yelin: It's absolutely legal to do. DHS can say that it's anonymized, but we talked about that New York Times article several times on this podcast. Well, per se, the information is anonymized. There are various ways to deanonymize it. 

Dave Bittner: Right. 

Ben Yelin: You can probably figure out who a person is if you spend all of your time tracking their location. So that's one concern. The other concern is that this is sort of a work around to the Fourth Amendment the United States Constitution. So we've talked about in 2018, there was a Supreme Court decision Carpenter v. United States... 

Dave Bittner: Yep, comes up a lot. 

Ben Yelin: It sure does. And it held that cellphone location data is protected by the Fourth Amendment. Law enforcement needs warrants to collect it. 

Dave Bittner: Right. 

Ben Yelin: But here we essentially have a workaround. It's not the government asking for judicial approval to access this data. They are simply purchasing it on a commercially available market. And there are a lot of companies that sell this data. It's available through many commercial exchanges. So you don't really have to get the lawyers involved. They can buy the data. It's theirs. It's anonymized. And, you know, it's a way to get around what they would otherwise have to do, which is go to a magistrate judge or a federal judge and get a warrant to get location data, historical cell site location data, on any individual. So that's another reason why it's concerning. Another thing I'll mention is from the Fourth Amendment perspective per a 1989 Supreme Court decision, Verdugo-Urquidez - I'm sure I'm pronouncing it wrong. The Fourth Amendment does not apply to people who are not part of the so-called national community, and that generally includes unlawful, undocumented immigrants. 

Dave Bittner: That was my next - that was going to be my next question to you, Ben. 

Ben Yelin: I'm reading your mind. 

Dave Bittner: You're reading my mind. 

Ben Yelin: Exactly. 

Dave Bittner: That's right. 

Ben Yelin: Jinks. 

Dave Bittner: Go on. Yeah. 

Ben Yelin: So, you know, that's another element to this. The Carpenter case, as is true for all Fourth Amendment jurisprudence, certainly applies when we're talking about U.S. citizens or U.S. persons who are in this country lawfully. But that standard is very different, for better or worse, when we're talking about people who are undocumented. Now, where this gets complicated is they're purchasing a lot of location data. Presumably most of that location data concerns U.S. persons. There are going to be certain segments of it that concerned people who are undocumented who are in this country. So the government has obtained a lot of location information that they could use to identify U.S. persons, even though maybe DHS and Immigration and Customs Enforcement is not using it for that purpose. So if you want to trust that, you know, once the government purchases this data they're only using location tracking as it relates to undocumented immigrants, then, you know, feel free to do so. But I think there is reason for doubt on that front. 

Dave Bittner: How would this workaround get shut down? How would someone come at this? The folks who believe that this is problematic, what would be their avenue to prevent agencies like ICE from using this sort of data? 

Ben Yelin: So I don't know if we have a bleep feature on our podcast here, but I would say they are S out of luck. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: One of the reasons is standing. In order to sue the government, you have to have standing, and in order to have standing, you'd have to prove that your specific location data was collected. That comes back to a Supreme Court decision, Clapper v. Amnesty International. It's going to be almost impossible for someone to, A, know that they're being surveilled and, B, be able to prove it with the type of specificity needed to get oneself into court, you know. And then that doesn't even get to the problem of non-U.S. persons who basically would not have any legal cause of action to challenge this type of surveillance. So I guess you're not entirely SOL. You're one avenue is to go to Congress and perhaps write your legislator, tell them that they should prohibit ICE and DHS from purchasing location information from third-party vendors. I'm not guessing that there is a groundswell of support for such a policy in the current United States Congress. But that doesn't stop people from contacting their legislators in other contexts. So go for it if that's something that you believe in. Or contact the executive branch. You know, they get letters. You have a First Amendment right to tell the government to redress your grievances. So that is one avenue, but it's certainly not something where I would expect there would be some sort of legal injunction against this type of collection. 

Dave Bittner: Interesting. All right. Well, those are our stories this week. It is time to move on to our Listener on the Line. 

0:17:04:(SOUNDBITE OF PHONE RINGING) 

Dave Bittner: Our listener this week is Tim (ph). He calls in from Vancouver, Wash. And he's got a question about blockchain and GDPR. 

Tim: Hi, my name is Tim from Vancouver, Wash. I am calling about the implications of GDPR for things like the blockchain and specifically the right to be forgot and that sort of a thing. Now, GDPR specifically, as I recall, calls out any sort of unique identifier of a user could be used to add personally identifiable information. The blockchain is supposed to be anonymous, but as you know, it can easily be de-anonymized and your, like, Bitcoin address, for example, is a thing that uniquely identifies if not you as a person as least you as a user within the system and then can be de-anonymized to you as a person. So my question is, is the blockchain be necessarily something where you're not able to remove transactions or to be, quote-unquote, "forgotten," what about all these startups that are like Facebook but on the blockchain or whatever, you know, that they try to put everything on the blockchain because it sounds cool in their startup package and in their business plan. Does GDPR have anything to say about that kind of a thing? And does GDPR put something of a railroad spike through the ideas using blockchain for everything, which seems like a lot of companies are trying to do nowadays, especially startups. Thanks a lot for you time, guys. I love the "Caveat," love CyberWire and keep doing what you're doing. I appreciate it. Thank you. 

Dave Bittner: All right. So interesting question from Tim. Tim, thanks for sending that in. To me, this comes down to that basic tension that I've heard people describe with the GDPR's requirement of your right to be forgotten and that the notion with a blockchain that you have data that is immutable. 

Ben Yelin: Yeah. So this is certainly a conflict. There's a lot of scholarship out there about it. It's seemingly an intractable conflict. We have GDPR, which says that an individual has the right to be forgotten. They can have their personal data erased, but then we have blockchain technology, which is immutable. And so a lot of analysts have concluded, based on this dichotomy, that it's impossible to store any kind of personal information on blockchain and still comply with GDPR. 

Ben Yelin: I've seen a couple of articles out there point out some nuance in this that might give policymakers some clues as to how to resolve this apparent conflict. One is that blockchain isn't always immutable. So some of the new protocols make it so that data stored on blockchain isn't as immutable as it once was. So that's one consideration. 

Dave Bittner: Yeah, I've seen that, too, where you can say - within the blockchain, you can go back and say, there used to be data here and (laughter), you know... 

Ben Yelin: Right. 

Dave Bittner: ...It's not here anymore and here's why and so on and so forth. I'm sure I'm getting the details wrong, and there's probably people screaming at their computers right now. But yes, to your point, there's some interesting innovation there. 

Ben Yelin: Yes, yeah. They can scream at their computers all they want... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Though the thing that's probably more in my wheelhouse in terms of knowledge, since I probably know far less about blockchain than you do, is the details of the right to be forgotten. GDPR is not absolute on the right to be forgotten. So there are a couple of exceptions to the general rule that a person has a right to be forgotten according to GDPR. If processing is still necessary for the performance of a contract, for scientific or historical reasons in the public interest or to comply with a legal obligation or if there's a legitimate interest that overrules the interest of the data subject, then the right to be forgotten does not apply. So that could open up some potential avenues for blockchain users if they can figure out how to fit within one of those exceptions. 

Ben Yelin: The last thing I'll mention is that the definition of personal data and GDPR isn't entirely clear. There's been a lot of scholarship about some confusion as to what counts as personal data. So you know, some things that might be on chain - so there've been questions about pseudonymized data. And GDPR has tried to, through EU regulations, define exactly what that means. But those regulations have not yet been finalized. So you know, until that definition is finalized, we can't be entirely sure that whatever is on the blockchain counts as personal data for the purposes of GDPR. So while there is this apparent conflict, I think when we take these other factors into consideration, there's some nuance there that could allow the right to be forgotten and blockchain to coexist. 

Dave Bittner: Now, you mentioned an exception for fulfilling legal obligations. Could this be something that, through the typical gymnastics that take place - something with a EULA, with an end-user license agreement, that could provide some cover here? 

Ben Yelin: Yeah, it is, although those license agreements would still have to abide by the regulations inherent in GDPR. 

Dave Bittner: I see. 

Ben Yelin: And because companies have had to adapt to GDPR, that's going to apply to users outside of the European Union, including those in the United States. And now that we have the CCPA in California, those sort of end-user license agreements - compliance has become more difficult for these technology companies. So it is something you can account for there, but those are still subject to probably whatever the highest level of regulation that these companies would have to comply with, whether that's the European Union or the state of California. 

Dave Bittner: Yeah. All right. Well, Tim, thank you for sending in your question. It was a good one. 

Ben Yelin: Absolutely. 

Dave Bittner: We would love to hear from you if you have a question for us. Our call-in number is 410-618-3720. That's 410-618-3720. You can also email us an audio file at caveat@thecyberwire.com. We would love to hear from you. Coming up next - my conversation with Drew Harwell from The Washington Post. We're going to be discussing his article on how colleges are turning students' phones into surveillance machines. But first, a word from our sponsors. 

Dave Bittner: So let's return to our sponsor KnowBe4's question - how can you see risk coming, especially when that risk comes from third parties? After all, it's not your risk - until it is. Here's step one - know what those third parties are up to. KnowBe4 has a full GRC platform that helps you do just that. It's called KCM, and its vendor risk management module gives you the insight into your suppliers that you need to be able to assess and manage the risks they might carry with them into your organization. With KnowBe4's KCM, you can vet, manage and monitor your third-party vendors' security risk requirements. You'll not only be able to pre-qualify the risk; you'll be able to keep track of that risk as your business relationship evolves. KnowBe4's standard templates are easy to use, and they give you a consistent, equitable way of understanding risk across your entire supply chain. And as always, you'll get this in an effective automated platform that you'll see in a single pane of glass. You'll manage risk twice as fast at half the cost. Go to kb4.com/kcm and check out their innovative GRC platform. That's kb4.com/kcm. Request a demo and see how you can get audits done at half the cost in half the time. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: And we are back. Ben, you and I recently spoke about Drew Harwell's article in The Washington Post about how colleges are using cellphone information to track their students, some of the concerns there. We reached out to Drew, and he agreed to come on the show. Here is my conversation with Drew Harwell. 

Drew Harwell: This was an issue that was starting to bubble up from campus newspapers. Some of these college journalists were seeing, you know, strange emails alerting them to what, in some cases, was just called a new attendance monitoring system. And so there were a couple of colleges that were starting to write about this, but I didn't really have a sense of how widespread this was. 

Drew Harwell: Once we sort of dug in a bit, we found out that it was a lot of colleges, actually - maybe 60 or so across the country just using one of these two companies. You know, so we talked to the companies and found that there's kind of the creation of this new infrastructure for monitoring students' attendance but also their location in a really intricate way across campus using sort of Bluetooth beacons and these campuswide Wi-Fi networks to process en masse where students were going, when they were going there and kind of their behavior along the way. 

Dave Bittner: What is the exchange here? I mean, are these companies coming to the university and saying, hey, here's a capability that we can offer you and these are the benefits that you could get from it? 

Drew Harwell: Yeah. They're going to the campus and saying, you have all of these students, you have a problem of professors having to gather attendance in this kind of old-school way, and you want data on your student body as well. You want to know when they're going to the library and how often. And so here we have this product that can use pretty basic technology or the technology you already have on campus and give you that extra power and that extra knowledge in a really simple way. 

Drew Harwell: And so for a lot of the administrators, they feel like - hey, what's the harm, right? I mean, this is a fairly cheap system to turn on. We get a ton of information out of it. And the company, you know, does all the heavy lifting. And so it's, for some of these administrators, been an easy sell. 

Drew Harwell: But there's also been this ethical argument from some of the professors and administrators as well, too, saying, like, hold on a second. Is this a level of surveillance too much? Is this privacy-invasive? Is this something that the students even really understand what we're doing? And so there's this big debate on a lot of colleges as to whether this is an appropriate level of student supervision or whether this has gone too far. 

Dave Bittner: Are the students given any ability to opt out? 

Drew Harwell: In most of these cases that I've seen, yes, they are given the ability to opt out. With the Bluetooth beacons, they can say no and then kind of check in a much sort of slower, less efficient way in person with the professor. They still have to sort of mark their attendance in some way. But with the Wi-Fi one, if you connect on to campus internet, which is, you know, pretty much every student on campus, you are given an opt out, but it's sort of in a way that it suggests - the opt-in window says - do you want to, you know, increase campus security and, you know, make the experience better for everybody? If you choose to opt out of that, that's when you opt out of the program. 

Drew Harwell: But you know, as with every kind of conversation about informed consent for these, the feeling is that a lot of these students are probably seeing the window pop up and just clicking yes, as with all of us - right? - when we install a new app. And so there's a feeling from, even when I talked to a lot of these students, that they didn't really understand what the tradeoff was. They didn't understand what data was being collected and how sort of granular their schedules were being monitored. 

Dave Bittner: Yeah. One of the things you highlight in your story is how this could be applied to student athletes. And I can see there being extra attention to student athletes who are on scholarship. Obviously, you know, the universities have a big investment in them. 

Drew Harwell: Yeah. And this system actually got its roots in monitoring student athletes. The feeling was, for a lot of these athletes, you know, like you said, they are volunteers. They are already pretty hypersurveilled. They already have human class-checkers kind of go into their lecture and make sure that they're in class because, you know, the team wants them to be eligible to play on the weekend. And part of that is fulfilling some basic academic requirements. So the system kind of got its start by being - hey, let's automate this. Let's make it so you don't need a human to check in. They just sort of go on their phone and tell the team. And so right now, that system is in play to the tune of - if a student doesn't go to class - one of these student athletes - or if they're more than a couple minutes late, one of the advisers on the team or one of these sort of academic specialists will text the student athlete and say, where are you? How can I get you to class? 

Drew Harwell: So you know, there was a feeling that for these student athletes, it's OK - right? - because, you know, they get something out of the arrangement, too. And you know, for a lot of them, they're on scholarship; the school wants them to be there. But there's also been kind of this slide into the more general student population. And so this will be students that maybe are paying their way through school or maybe there's no real academic requirement except their own personal sense of responsibility. And that's obviously a bigger base of students as well. This isn't just the couple hundred that are kind of playing athletically to represent the school. It could be tens of thousands across campus. 

Drew Harwell: And so it becomes sort of a question of - is there a level of surveillance creep here to where it goes from student athletes to all students to maybe all faculty? And you see this going not just - you know, this kind of surveillance system's used not just on school campuses but increasingly in workplaces. And you just kind of see a couple colliding factors here. The technology is so cheap. The desire to gain that amount of sort of mass data by campus leaders, employers is really high. And it's just extremely easy to turn on. We all have sort of location trackers in our pockets at all times. So all of those dynamics are sort of colliding. And you know, you see it happen on schools. But who knows where it goes to next? 

Dave Bittner: What's the reaction to this story been? What sort of feedback have you been getting? 

Drew Harwell: There's been kind of an alarm from a number of students and parents and professors even that feel like this is incredibly invasive to students' privacy. You know, there's been a number of professors, though, too, and parents as well saying, you know, these are young adults that we want to make sure are doing the right thing. If we can increase their attendance, if we can increase their student performance, make them more successful graduates, maybe a couple nudges aren't that bad. 

Drew Harwell: And you know, there's also sort of this fatalism in terms of our locations are being tracked all the time by our phones anyway. If the school I go to thinks it's important to use that data in a way that can maybe even benefit me or benefit my college education, then what's the issue? 

Drew Harwell: But I think one sort of interesting kind of societal reaction has been from people who feel like this is like a technological nanny state. Right? You're taking these young adults who are put onto a college campus, expected to sharpen their own sense of personal responsibility, go through this period of adolescence, make mistakes - you know, do all the things that you're expected to do in a university environment. And they're taking that and making it so there's this extra layer of oversight by this technical system. And you're almost supplanting that sort of self-starter mentality that you're trying to grow in college and saying, you know, it's just another box to check; it's just another technical system to satisfy. 

Drew Harwell: So I think that part has been really interesting to me - this feeling that maybe these students are being infantilized along the way by having to make sure that their attendance point averages is satisfactory but not really having to think about - what's my sense of self-responsibility? Shouldn't I just be doing this because I want and not because I need to please some other system? 

Dave Bittner: I also can't help wondering about a chilling effect on people's ability to explore things, you know, or even, you know, visit a particular religious organization on campus or go to the health clinic or, you know, check out the LGBT community or something like that. If you know someone's looking over your shoulder, it could have a chilling effect on those sorts of things. 

Drew Harwell: Yeah, absolutely. And college is full of sensitive places, right? It's - and young adults do all sorts of sensitive things that they may not want a school leader or a parent or a professor or an administrator to know about. And we've often celebrated that, right? This is their independence. 

Dave Bittner: Right. 

Drew Harwell: We want them to build that sense of autonomy. And you know - and there has been research on this, too, that students and many of us, really, change our behavior when we know we're being watched. We don't pursue the kinds of activities or behaviors that we would do if we felt like our privacy was preserved. So it changes our behavior. 

Drew Harwell: You can see kind of the benefit in a system that could get students in class more. Right? But you can also see the peril of a system that can be used to prevent somebody from, like you said, I mean, going to a health clinic for a health scare or pursuing a different faith. The danger there is just so real. And even if these colleges aren't misusing the data - right? - that implicit fear from the students, that feeling that someone's always watching - you just have to worry about what that could subtly do to these young adults as they're kind of building out the rest of their life. 

Dave Bittner: You know, my co-host and I were joking when we were discussing your article that there's an opportunity here for some enterprising students to gather up other people's mobile devices and, you know, take them to the library and take them to... 

0:34:44:(LAUGHTER) 

Dave Bittner: ...You know, to places where there's healthy food and, you know, check them into their classes - you know, be that person. 

Drew Harwell: There's always money in fooling the system, right? I can imagine - if I were a student entrepreneur, that's what I would be pursuing. 

Dave Bittner: (Laughter) Right, right. 

Dave Bittner: All right. Well, Drew Harwell, thank you so much for taking the time for us. The article is "Colleges Are Turning Students' Phones Into Surveillance Machines, Tracking The Locations Of Hundreds Of Thousands." This is in The Washington Post. We appreciate you taking the time for us. 

Drew Harwell: Yeah, thanks for having me. 

Dave Bittner: All right, Ben. What do you think? 

Ben Yelin: Well, first of all, thanks for Mr. Harwell for coming on the pod. His article was fascinating enough for us that we did a segment on it, so I'm glad we were able to talk to him. 

Ben Yelin: I think a couple of things stick out at me. One is that this is much more of a human interest story, in some ways, than it is a technology story. We're talking about surveillance that is so pervasive that students are under constant fear that they're going to be watched. And that can change people's behavior. As Drew was saying, they may not seek to join certain religious institutions, or they might decide not to go to the health clinic for something, you know, that they might be embarrassed about... 

Dave Bittner: Right. 

Ben Yelin: ...And something that could actually end up being a huge health scare like, for example, some sexually transmitted disease. So in that sense, it could really have a profoundly negative impact on an entire generation. And the question of course is, granting that it would have an impact, is it worth it? You know, I guess it depends on what your priorities are. He did talk about some of the benefits of it. We can figure out if student athletes are going to class. We can get predictive data on, you know, students who might have depression, that sort of thing. 

Ben Yelin: But you know, it seems - at least from my view - the costs from a human interest perspective are so significant that they would seem to outweigh the benefits. And I'll note - you know, we all survived in college. You know, we all made mistakes. And we all went to places we shouldn't have gone and... 

Dave Bittner: Yep. 

Ben Yelin: ...Stayed up to hours to which we should not have stayed up. 

Dave Bittner: Yep. 

Ben Yelin: But we made it. 

Dave Bittner: Right. 

Ben Yelin: And you know, I just think - is this Big Brother-type system necessary to the extent that it would justify what's really a major invasion on civil liberties? And at - you know, at the very least, it's good that The Washington Post and, before that, some campus newspapers have shined a light on this because at least we can start to have this conversation. 

Dave Bittner: Yeah, one of the things I think about is that just the very fact that this data is being collected and there's a third party involved. And everybody, of course, says we're being safe about this and it's all very confidential and we would never use it for anything wrong. But as we know, time passes. Things leak. Things get cracked. Encryption gets broken. And I can imagine, 20 years down the line, that presidential candidate who's - they're at a debate, and someone says, you know, Madam Senator, back in college, we have this tracking information that says that, you know, you visited the health clinic half a dozen times over the course of a few days. You know, please tell us about that sexually transmitted disease you had... 

Ben Yelin: Yeah. 

Dave Bittner: ...And off we go. 

Ben Yelin: Or you know, this senator tells us she knows about political history, but she only showed up to one out of 24 Political Science 101 classes her freshman year. 

Dave Bittner: (Laughter) Exactly, right. Right - and she stayed up all night in her boyfriend's dorm. You know, what - I mean, yeah, we could do this all day. (Laughter). 

Ben Yelin: I'm already thinking about, you know, what my college could potentially have on me that might affect my future political career. 

Dave Bittner: Oh, boy. 

Ben Yelin: But at least I was not subject to this type of surveillance. Absolutely. Like I said, it's good that the conversation is starting. You know, one thing that is particularly bothersome about all of this is it's not like there's a general announcement on the first day of school, you know, when you're checking into your dorm, like - hey, just so you know, we're conducting this very intensive, personalized surveillance. So... 

Dave Bittner: Or even just make it opt-in. 

Ben Yelin: Absolutely... 

Dave Bittner: Right? 

Ben Yelin: ...'Cause it's not opt-in, and you can't really opt out. You could decide not to get on campus Wi-Fi, but then you can't really do anything. You can't do your homework. You can't do research. You know, you can't make social arrangements. So yeah, I mean, to me, it's very problematic. It seems like a solution that's going to end up just causing more problems than it fixes. 

Ben Yelin: But then again, my kids are too young to go to college. So maybe I'll feel differently when they're 18 and... 

Dave Bittner: (Laughter). 

Ben Yelin: ...You know, I want to know how many times they're going to their intro to poli sci class. 

Dave Bittner: Yeah, yeah. It does happen, Ben. It does happen. 

Dave Bittner: All right. Well, big thanks to Drew Harwell from The Washington Post for joining us. I also want to give a shoutout to one of our producers Kelsea Bond, who's been really out there getting us these great interviews. She's just doing great work and really just helping to make this show as good as it is. So thanks to Kelsea for putting in all that work and getting us these great guests. 

Ben Yelin: Absolutely. Thank you, Kelsea. 

Dave Bittner: That is our show. We want to thank all of you for listening. And of course, we want to thank this week's sponsor KnowBe4. If you go to kb4.com/kcm, you can check out their innovative GRC platform. That's kb4.com/kcm. Request a demo, and see how you can get audits done at half the cost in half the time. 

Dave Bittner: Our thanks to the University of Maryland's Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com. The "Caveat" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.