Podcasts
Caveat
Ep 21
Caveat 3.25.20
Ep 21 | 3.25.20

Can smart surveillance keep us safe?

Show Notes
Transcript

Nancy Kim: The courts have tended to say that most of the time, if you knew that you were clicking on something that was labeled terms of service, even though studies have shown that almost nobody reads the terms, that you have agreed to the terms. 

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: On this week's show, Ben and I discuss the policy and privacy issues surrounding the global coronavirus pandemic and, later in the show, my interview with Nancy Kim. She is the ProFlowers Distinguished Professor of Internet Studies and professor of law at California Western School of Law. And she's also the author of several books, including "Consentability: Consent and Its Limits." Be sure to stick around for that. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. We'll be right back after a word from our sponsors. 

Dave Bittner: And now a few words from our sponsors at KnowBe4. You know compliance isn't the same thing as security, right? How many times have we all heard that? It's true, too - having checked the legal and regulatory boxes won't necessarily keep the bad actors out. They're out-of-the-check-box kinds of thinkers. But what about compliance itself? You've heard of legal exposure and regulatory risk, and trust us, friend - they're not pretty. So again, what about compliance? We'll hear more on this from KnowBe4 later in the show. It's not a trick question, either. 

Dave Bittner: And we are back. Before we dig into things here, I suppose we should mention for our listeners that you and I are recording remotely this week and will be doing so for the immediate future. Following the advice of all the health folks around there, the professionals, we are distancing ourselves, right? 

Ben Yelin: Social distancing. 

Dave Bittner: (Laughter) That's right. So we are doing our part. Usually, we record face-to-face at the CyberWire studios, but we are in undisclosed locations this week (laughter). So... 

Ben Yelin: I'm in a bunker somewhere, basically. 

Dave Bittner: (Laughter) We're going to start with some follow-up, actually. One of our listeners wrote in following up on a conversation we had in a recent show. I believe I asked you if there was any law against wearing a mask in public. And one of our readers wrote in and found a law - I believe it's a New York law - where, basically, if you're wearing a mask out in public and it's not Halloween or (laughter), you know, a social event where masks are part of the celebration, you can be charged with loitering. Can you give us some details here, Ben? 

Ben Yelin: Sure. So it is a New York state law. And this was a very good find by our listener. And what the law says is you are not permitted to disguise yourself in public, except - and I'm quoting - "that such conduct is not unlawful when it occurs in connection with a masquerade party or like entertainment if one such entertainment is held in a city which has promulgated regulations in connection with such affairs, permission is first obtained from the police or other appropriate authorities." This reads to me like what we call blue laws. Yes, it's on the books. I question how much this is actually enforced. If somebody did not get permission from the police and they were in a jurisdiction in New York where this law did apply, you know, it's really all a matter of enforcement. 

Dave Bittner: Right. 

Ben Yelin: So while, technically, you're - it seems like in New York state, you are not allowed to conceal yourself in public. I have my doubts as to how much this would actually be enforced on a day-to-day basis. 

Dave Bittner: Yeah. 

Ben Yelin: And I'll also say this is a New York state law, so it's not applicable necessarily in the other 49 states, although I have not done research to figure out how common this type of law is. But also, you can be charged with loitering, which is a misdemeanor, and it's not going to subject you to - unless you have a bunch of priors on your record... 

Dave Bittner: Right. 

Ben Yelin: ...Any sort of significant jail time. If it was to your advantage to disguise yourself to avoid criminal detection for something, then you might as well disguise yourself, take the penalty for the misdemeanor and avoid greater penalties - not that I'd ever encourage such a thing from our listeners. 

Dave Bittner: (Laughter) It strikes me that laws like this - I guess I think of it as there are proactive laws and there are reactive laws. In other words, you know, there are laws that it makes the most sense to be out there enforcing every day actively, and then there are laws that are on the books sort of as-needed, where if it comes up - law enforcement isn't out there looking to enforce these things, but if they need to, they have this on the books as sort of a backup to allow them to do their jobs. And I suppose this falls into that category. 

Ben Yelin: Yeah. You know, when we look at so many blue laws, there's always a story behind them, and some of them are extremely random, like you are not allowed to feed horses on streets in Kansas City, Mo., between 8:30 a.m. and 11:30 a.m. You're right. It is - it's reactive. It's based on a past experience. You know, usually, law enforcement will try to find an existing authority that they can use. Sometimes that authority doesn't exist, or they just simply would rather not do the research and just would rather pass a state law or an ordinance that would cover that circumstance, and that kind of seems to be what's happening here. I mean, there are certainly justifiable law enforcement reasons to have regulations on disguising oneself. 

Dave Bittner: Right. 

Ben Yelin: But, you know, there are law enforcement justifications for a lot of things. It's not inherently a dangerous thing to do, which is why, you know, I just question how much it is actually enforced versus just an interesting law in the New York state penal code. 

Dave Bittner: Yeah. All right. Well, thanks to our listener for sending that in. Very interesting, indeed. 

Dave Bittner: Let's move on to the topic of the day, which I think is, these days, everybody's topic of the day. One thing I read - someone on Twitter was saying that, you know, one of the things about this situation with us being in the midst of this global pandemic with coronavirus is that every podcast has become a coronavirus podcast. And... 

Ben Yelin: Absolutely. 

Dave Bittner: (Laughter). 

Ben Yelin: And we all have time to podcast now because we're all home, and there might be a podcast revolution out there. 

Dave Bittner: Yeah, that's right. It's also an opportunity for everyone to become a podcaster. So (laughter)... 

Ben Yelin: Unless you have kids. 

Dave Bittner: We'll look forward to that competition. But let's dig in with some of the specific issues that are relevant to us and this show. You had an interesting article from the folks at Vice about some surveillance companies that are making some claims in terms of detection. What's going on here? 

Ben Yelin: This is from the Motherboard page of the Vice site, which I know we've referenced many times, and it's entitled "Surveillance Company Says It's Deploying 'Coronavirus-Detecting' Cameras in the United States." It's - the article concerns a company called Athena Security, although they are certainly not the only company that is trying to deploy this type of technology. They've previously used artificial intelligence to identify things like guns and knives among individuals in big crowds. So they've sold this technology to places like airports, where it would be very useful for some sort of artificial intelligence to detect guns and knives. 

Ben Yelin: What makes this different is now they are advertising the capability to detect fevers, and they do that through thermal imaging. So they basically identify a person and then, using that thermal imaging, can measure that person's temperature. And according to their best estimates, they usually get the temperature correct within half of a degree, which sounds impressive, although I will say, you know, there's a pretty enormous difference between 99.5 and 100. But it's still rather impressive. And they're not only selling this to private organizations, but they're now selling it to governments as well, that they can use in crowded public places. 

Dave Bittner: Now, this is interesting because I think a lot of the reporting we've seen with the response globally is that other nations - and I'm thinking particularly some of the nations in Asia - have been using exactly this approach. If you're coming in and out of their country, for example, at the borders and so forth, I mean, they're scanning people for temperatures. They're using this thermal technology. So is this reasonable? Is this a good thing? How should we feel about this? 

Ben Yelin: I mean, we are living in extraordinary times, and as a result of that, our civil liberties have been curtailed. If you had asked me a month ago, would governors across the country be invoking their emergency powers for public health reasons, such that people are quarantined, businesses are closed, bars are closed, restaurants are closed, you know, that would've seemed extraordinary. But our legal system, particularly at the state level, is set up so that things that would not be justifiable in normal times are justifiable during emergencies. As to the current situation that we're in, I think in some ways it's acceptable because of the extraordinary circumstances. As long as they protect personally identifiable information and, as they claim, their notification is only going to the organization that purchased the surveillance technology, then perhaps it can be limited in some way. 

Ben Yelin: And frankly, you know, it could be very useful for public health purposes. I mean, we've seen in South Korea, one of the reasons they've been able to bend the proverbial curve is that so many people have been tested for this disease, and people who are exhibiting symptoms are able to self-quarantine, and that means that everybody else can at least resume the semblance of everyday life. So if we really were to make broad use of this technology, you could send people out into a location where this technology existed, notify them instantaneously if they were suffering from a fever, perhaps, you know, if they weren't aware of it for some reason, and then you could compel that person to isolate and quarantine. It might sound severe, but, you know, is that any more severe than what we're seeing right now in the San Francisco Bay Area, where there is a shelter-in-place order for 6.7 million people? 

Dave Bittner: What about this notion that there's no expectation of privacy when you're in a public place? Does that extend to my temperature? 

Ben Yelin: I mean, in some ways, I think it does. As you know, most of these digital cases where we're talking about being recognized in public, we're usually talking about video surveillance where they're doing facial recognition. So this is obviously a new phenomenon where they're not actually looking at a person's face, but they're looking at a person's temperature using thermal imaging. I think thermal imaging is potentially less personally invasive just because, you know, I think you can identify a person more by their face and learn more about them by getting access to their facial features than you would necessarily just by seeing that they have a high temperature, if all they were doing with this technology is that sort of thermal imaging. 

Dave Bittner: Let's extend our conversation here, and let's talk about some of the things that are going on in terms of both the federal government, but in particular the states activating their emergency powers and what that means to all of us and the long-term effects of that. As you mentioned, these are extraordinary times, and so the states are activating these emergency powers. What does that really mean for us? 

Ben Yelin: So the states retain very broad emergency powers. Part of our constitutional system is that the states have what are called police powers to protect the health, safety and welfare of their citizens. And all 50 states have relatively broad emergency powers for particularly the governors. I know in the state of Maryland, the governor has the authority in a declared emergency to do pretty much everything that he has already done - mandatory isolation and quarantine, closing businesses, restricting travel. One thing that the governor of Maryland can do in a declared emergency is seize private property for public use. So these are pretty extraordinary powers, and they're very broad across states. 

Ben Yelin: You know, there is, of course, always a danger in granting these broad authorities. And, you know, sometimes we come close to a line that feels dangerous to us, dangerous to our democracy. I mean, I looked at what happened in Ohio the other day, where 12 hours before a scheduled primary election, the governor stepped in and said, because of the need for social distancing, we can't hold this election tomorrow. And I completely understand that from a public health perspective, but you can see how there's at least the potential for these emergency powers to be abused. Whether there's a check on the governor's use of this power depends, you know, on the state. Generally, the state legislature is the check. 

Ben Yelin: I know in Maryland, when we passed our emergency legislation here, it allowed the state Legislature to step in and declare that that state of emergency was no longer necessary so it could serve as a check on the governor's power. While they do have that authority, I mean, I think they're very reluctant to use it. And even with these draconian measures being taken across the country, I haven't seen much pushback from state legislators or even, frankly, the public on some of the drastic actions that the government has taken. You know, I think there's been complaints online, but I worried about significant civil unrest when you have governors of states saying that people can't congregate, people can't go out to restaurants and bars, schools are closed. So far, I think we haven't seen that, and I think that's largely just a recognition that this really is a public health emergency. And in times of crisis, the government retains extraordinary powers that seem scary in situations that are not emergencies. 

Dave Bittner: Let me take this to the extreme and bring up what I think is - in our history, some of our shameful episodes have been in cases of emergency or perceived emergency. And I'm specifically thinking about the internment of Japanese Americans during World War II. And obviously, you know, we're not anywhere close to anything like that, but, you know, that wasn't that long ago. And I guess what I'm getting at is, in these emergency situations, is it up to us to be vigilant that we don't go too far? 

Ben Yelin: It's absolutely up to us to be vigilant. There was a Supreme Court case in 1945, Korematsu v. United States, which upheld the internment of Japanese. Even though they said that it was obvious discrimination based on nationality, the justification from the court is, you know, those were extraordinary times. We were in a time of war. This was World War II, and we can justify this type of discrimination in these circumstances. And it wasn't until 2018 that that decision was formally overturned by the United States Supreme Court. And I think that is an absolute warning sign for all of us. 

Ben Yelin: I think we have to have some level of recognition that this is not business as usual. There are certain powers that the governors of states and the federal government retain for good reason - bans on restaurants and bars, closing schools. Those do seem like drastic measures. To a certain extent, it does curb civil liberties to prevent people from going out in public, where they might want to congregate, they might want to exercise their First Amendment rights. But right now, we are in the midst of a true public health emergency, and I think that's something that a lot of us are willing to sacrifice. 

Ben Yelin: But that doesn't mean that we should take our eye off the ball. It could certainly get worse. It probably will get worse. And I think it is up to all of us to make sure that the response from governments is consummate with the actual threat that we're facing. And we don't want to get into a situation like we had in the 1940s, where the emergency is used as justification for something very dark, like Japanese internment or even, you know, during the Civil War, when President Lincoln suspended the writ of habeas corpus, which allows people to challenge the legitimacy of their own confinement. And, you know, I just think we do all have to keep a watchful eye on it. This is something that's escalating very quickly. It's something that's unprecedented. And, you know, I think those of us who care about civil liberties have to represent everybody else who's just kind of going along for the ride and is unsure about the government's powers during these extraordinary times and the extent to which such powers are justified. 

Dave Bittner: Well, let's switch gears for a minute and talk about what I suppose is a lesser concern than, obviously, the health issues, and that is some of the issues of commerce. I've seen some commentary from folks who are saying that maybe a good thing that's come out of this is that it's unmasked some consumer policies that may not have really had any real purpose. For example, a lot of the telecommunications companies are lifting their data limits on accounts - things like that. And I've also seen some folks thinking that this is going to cause a shift or complete the push to make the internet companies - or internet service categorized as a utility. What's your take on those things? 

Ben Yelin: So I read a really interesting article. I'm not endorsing the conclusion of the article. I just thought it was thought-provoking. It was from Slate, called "America is a Sham." And I realize the title sounds extreme. 

Dave Bittner: (Laughter). 

Ben Yelin: And I - again, I'm not agreeing with it, necessarily. But the basic thrust of that article is we are doing all sorts of things during this emergency that, you know, we always thought we couldn't do. Some of the economic measures we're taking - you know, potentially a large trillion-dollar stimulus package where we're sending people checks - yes, that might be justified during a public health emergency, but, you know, why are we not doing that for the crisis of poverty or other infectious diseases? That's at least the point this article was making. 

Dave Bittner: Right. 

Ben Yelin: There are, you know, all of these municipalities that are suspending evictions or are releasing nonviolent offenders from state or municipal jails or prisons. I think it's led a lot of people to think, well, why did it take the biggest public health emergency in our history to take some of these actions? And I think a lot of things are actually going to be reconsidered once, hopefully, this crisis passes us by. 

Ben Yelin: You know, one thing that I've certainly seen talked about is telemedicine. There are a lot of regulations - I know in the state of Maryland, there are regulations on whether state health programs, such as Medicaid, will cover the cost of telemedicine appointments. And the governor of this state is waiving all of those regulations so that telemedicine can be facilitated. And I think the federal government is doing the same thing as well, which naturally leads to the question, why do we have these regulations in the first place? 

Dave Bittner: Right. 

Ben Yelin: So if there's one good thing could come out of all of this is that maybe a lot of things that we thought we could never do - because, you know, we're dealing with this extraordinary emergency, maybe we're realizing that maybe some of these things we can do, we would be justified in doing. Again, not to endorse that article. I just think it was provocative and interesting. 

Dave Bittner: Yeah. All right. Well, obviously, our thoughts are with everybody out there to stay safe, keep their family safe and follow the advice of folks like the World Health Organization and the Centers for Disease Control to keep everybody out there as safe as possible. 

Ben Yelin: Absolutely. 

Dave Bittner: Let's move on to our Listener on the Line. We actually had someone write in this week. And this is an interesting question, away from the coronavirus topic. This is from a listener named John (ph). He wrote in and said, the U.S. Department of Justice is investigating ZTE for possibly having bribed foreign officials. Assuming that these aren't U.S. officials being bribed, how would ZTE bribery have constituted a violation of U.S. law? 

Ben Yelin: So it's a great question. It is within our jurisdiction because ZTE does business in the United States. They sell to our consumers. And thus, whether they're facing criminal charges for bribing foreign officials, it is in the interests of the United States to protect our consumers from this level of corruption. There are certain circumstances where we don't have jurisdiction. I mean, if they did not do business in our country, if they weren't selling to American consumers, American companies, then perhaps we would not have that type of jurisdiction. But because this is something that eventually could trickle down to the users of ZTE technology and equipment, it's in the interest of American consumers, and it is worthy of investigation by the Department of Justice. 

Ben Yelin: You know, and oftentimes, the Department of Justice will do sort of extraterritorial prosecutions in some circumstances, like investigating the Russian hacking scheme in the 2016 election. There's never actually a consideration that those individuals will go on trial in the United States. Sometimes it's more of just elucidating a principle. Or, in this case with ZTE, it seems like it was part of the United States leveling fines and penalties against this company if they fail to comply with anti-corruption monitoring and measures. 

Dave Bittner: All right. Interesting, indeed. Thanks to John for sending in that question. We would love to hear from you. Our call-in number is 410-618-3720. That's 410-618-3720. You can also send us an audio file at caveat@thecyberwire.com. You can send us an email there as well if you want to just write in your question. 

Dave Bittner: Coming up next, my interview with Nancy S. Kim. She is the ProFlowers Distinguished Professor of Internet Studies and a professor of law at California Western School of Law. We're discussing consent and the conundrums we all face when we click I agree on those online user agreements. But first, a word from our sponsors. 

Dave Bittner: And now back to that question we asked earlier about compliance. You know, compliance isn't security, but complying does bring a security all its own. Consider this. We've all heard of GDPR whether we're in Europe or not. We all know HIPAA, especially if we're involved in health care. Federal contractors know about FedRAMP. And what are they up to in California with a Consumer Privacy Act? You may not be interested in Sacramento, but Sacramento is interested in you. It's a lot to keep track of, no matter how small or how large your organization is. And if you run afoul of the wrong requirement, well, it's not pretty. Regulatory risk can be like being gobbled to pieces by wolves or nibbled to death by ducks. Neither is a good way to go. KnowBe4's KCM platform has a compliance module that addresses in a nicely automated way the many requirements every organization has to address, and KCM enables you to do it at half the cost in half the time. So don't throw yourselves to the wolves, and don't be nibbled to death by ducks. Check out KnowBe4's KCM platform. Go to kb4.com/kcm. Check it out. That's kb4.com/kcm. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: And we are back. Ben, I recently had the pleasure of speaking with Nancy Kim. She is the ProFlowers Distinguished Professor of Internet Studies and professor of law at California Western School of Law. She's also the author of a number of books. And our conversation really centered around those EULAs - those end-user license agreements that we all sort of reflexively click on - and where our rights are when it comes to us as consumers. Here's my conversation with Nancy Kim. 

Nancy Kim: Well, we find ourselves in a very kind of "Alice in Wonderland" kind of place in that even though most people don't read the terms that they click to, the courts have tended to say that most of the time, if you knew that you were clicking on something that was labeled terms of service, even though studies have shown that almost nobody reads the terms, that you have agreed to the terms. So that's kind of where we are now. Hopefully, it's not someplace we're going to stay forever. But that's where the law is currently. 

Dave Bittner: And how has that played out? I mean, what are the real-world ramifications of that? Can you give us some examples of where that sort of thing has gone awry? 

Nancy Kim: Well, there was a very high-profile case a few years ago involving a woman who had posted a bad review about a company. And the company later contacted her and said that that negative post was in violation of the terms of service. So apparently, when her husband bought these items from this company's website, in the terms of service, there was something that said, you can't post anything negative about our company or else you'll have to pay - I can't remember. It was several - I think it was a couple thousand dollars or something. It was a nontrivial amount of money. 

Nancy Kim: So what's interesting is that it was her husband who bought the items, and she was the one who posted the negative review. But still, they tried to, you know, go after both of them and said, you know, she - that they violated the company's terms of service. They then proceeded to report this outstanding amount. And, you know, when the couple tried to get credit, they found that this would come up, and it was getting difficult for them to get credit. 

Nancy Kim: So that was a very high-profile situation because a law was later passed that said that, basically, companies are not allowed to put in their terms of service - that nobody reads - a provision that says that people can't post true negative reviews about the company. Of course, if you post false negative views, you're still on your own, right? It's still defamatory. 

Dave Bittner: Right. 

Nancy Kim: That's an instance where the Congress and state legislators actually did something about bad terms in these unread contracts. An example of something - of an instance where there's been a significant impact and nothing has really been done until very recently and, you know, maybe too little too late is in the area of privacy. I mean, you know, this has been going on for years, where companies were increasingly becoming much more greedy as far as data collection and tracking users online. And if you look at the terms of service, which is something I've done over the years, you... 

Dave Bittner: You're the one. 

0:27:04:(LAUGHTER) 

Nancy Kim: Yeah. You notice that companies kept updating their terms of service so that they were giving themselves permission to, you know, do evermore increasingly sort of intrusive things, like scan your emails. So if there was an issue that came up, like, for example, with Facebook, when Facebook came up - came out with - I think they called it Sponsored Stories, where, you know, they were able to sort of - if you bought something, it showed up on your friends' feeds as, you know, so-and-so purchased this item. And so there was a question about whether or not they were allowed to do that. And there was a lawsuit. And so in response, what Facebook did was they changed their terms of service to make it very clear that they could do that. So you start to see that every time a company kind of oversteps, they'll give themselves permission by modifying their terms of service in response to any kind of pushback from consumers. 

Nancy Kim: Now, maybe there's a handful of consumers and consumer rights groups that will notice these changes, but the vast majority of people don't notice the changes until it's really too late because it's a very sort of slow, kind of in the aggregate you see what's happening. So now, everyone sort of wakes up one day, and they're like, hey, wait a second; we have no privacy, right? Hey, wait a second; all our emails have been scanned, and these companies know way too much about us. When did this happen? And I say, it's been happening slowly, little by little, over time. 

Nancy Kim: And I've never joined Facebook. And the reason is I read their terms of service. 

0:28:45:(LAUGHTER) 

Nancy Kim: But it's very unrealistic to expect people to do that because, you know, I think the general public expects that somebody is going to stop this kind of, you know, terrible thing from happening. And, you know, eventually they do. But at that point, it's hard - especially when we're talking about privacy, it's hard to stuff the genie back in the bottle. Now your data's out there. 

Nancy Kim: And, you know, California, for example - I am from California - has passed this privacy law that now is trying to sort of make amends - right? - for not having done something for so long. And I'm very happy about it. But it's something that, gosh, I wish would've happened earlier on. I wish we could've provided guidance to these companies earlier on instead of letting them self-regulate because that never really works. 

Dave Bittner: Now, help me understand. In normal contract law, you know, if we're not online - and you have actually - you've written a book about contract law. 

Nancy Kim: Yes. 

Dave Bittner: Is this sort of retroactive ability to - for one party to simply change the terms of the contract - it seems to me like that wouldn't fly. 

Nancy Kim: So again, this is what I mean by this "Alice in Wonderland" world of consumer contracts. You're absolutely right that we're - if we're two businesses and we sign a contract - let's say that you and I have entered into agreement where you're going to record this podcast and do... 

Dave Bittner: Sure. 

Nancy Kim: ...I don't know - do something with it. 

Dave Bittner: Yeah. 

Nancy Kim: And we signed this contract. But in the contract, you have included a provision that says you have the right to change the contract at any time without providing me notice. Most courts would say that's not a contract. It's not a contract if you're not actually committing yourself to something, right? That's been the law forever. 

Dave Bittner: Interesting. 

Nancy Kim: But strangely, with certain contracts almost always dealing with consumers, courts have sort of tried to dance around this general rule regarding what's called an illusory promise. OK, so when you say that, oh, yes, I agree to produce this podcast or whatever it is - you know, sell you books or whatever it is - but you put in your contract that you have the right to change it at any time, the promise you've made me is an illusory promise because you're not actually - it sounds like a promise, but you're not actually making a commitment, right? So in contract law, that - an illusory promise is lacking in what's known as consideration. It's not a contract because contracts require consideration. 

Nancy Kim: But when it comes to consumer contracts, sometimes courts will enforce these if - and then there are all sorts of different kind of exceptions, and it gets very confusing. And it really came out of the world of credit cards, where a bank will be able to sort of change their terms of service of their credit card agreement, and that's generally going to be OK as long as it was something that was within the contemplation of the parties or something like that. So because, you know, I think courts understood that, OK, well, banks might need to change the way they do business because, you know, they have these long-term agreements with consumers and the credit card industry is, you know, heavily regulated. 

Dave Bittner: Right, right. 

Nancy Kim: The thing is terms started to seep over into the online contract world, where, of course, nobody read them. 

Dave Bittner: Right. 

Nancy Kim: And so now it's been years. And, you know, of course, you have people like me writing about it and saying, hey, wait a second; this is insane. But, unfortunately, not that many people were paying attention. 

0:32:13:(LAUGHTER) 

Nancy Kim: So, you know, we try. I wrote a book about it - you know, lots of articles. But at the same time, it's - people are busy, right? It's not getting the traction because people aren't hurting. They're thinking this can't - you know, they're like, you're making a big deal out of nothing because look at us. Everyone's fine. We're all healthy. It's good - until it's not, right? Until you get something sort of major, and then everyone's like, wait; how did that happen? You think, well, again, it's the nature of these incremental damages that happen, these incremental harms that we don't notice because it happens to people kind of - and people don't notice them until it becomes an issue, right? It's like insurance, right? 

Dave Bittner: Yeah. 

Nancy Kim: You don't realize you really needed the insurance until it's too late, maybe. I'll give you another example. And again, this came out of credit card agreements as well. It's an example of a right that has been taken away from consumers where most consumers didn't even realize it, and that's the right to sue in a court of law. Most people think... 

Dave Bittner: Right. 

Nancy Kim: Yeah - if a company does something to you that, you know, that they don't give you the product that you ordered or they overcharge you or something and you have some sort of dispute with them, most people think, well, then I can sue them - right? - because we live in a free country, live in the United States, and we... 

Dave Bittner: Yeah. 

Nancy Kim: ...Always have - we have our legal rights. Well, that's true. But you can contractually agree to give up certain rights, you know, in a contract. So if you and I enter into an agreement and I say, you know, I'll work for you as long as you sign a contract saying that you're not going to disparage me, and we can negotiate that, and you say, OK, fine, you know, and so you sign it. And that might be OK because at least you knew what you were agreeing to. 

Nancy Kim: It doesn't make sense if we're talking about a term in a consumer contract that we know nobody reads, right? So these clauses - mandatory arbitration clauses - have been sort of put into more and more consumer contracts. And now they're basically everywhere. And now it's very difficult for consumers to file a class-action lawsuit or to, you know, even file any sort of single, you know, action in a court of law because chances are that there's a mandatory arbitration clause in the contract that they've signed with the business even though they were not aware of that clause at the time they entered into the transaction with the business. 

Dave Bittner: Right. Now, you've mentioned a few times, and I'm in a hundred percent agreement with you, that no one ever reads these terms and conditions. They just click through. Is there any work being done on that end of things? Are there people trying to come up with a solution to make that a better situation, where, as consumers, we get a better idea of what we're signing up for without having to wade through hundreds of pages of legalese? 

Nancy Kim: Yes (laughter). People are working on sort of more effective notices. There are two really primary issues with that. The first is that most people are not going to understand the sort of significance of a right if it's not given its appropriate fanfare, if that makes sense. Like, for example, this idea of mandatory arbitration clauses - that's been in there for years, thousands of consumer contracts. And people have written about it. And I think most people's reaction is, it can't be because it's such a big deal that somebody would've done something about this earlier, right? I think it's just this disbelief, this kind of - it's a combination of a - like, the herd effect - you know, this everyone's kind of doing this. And at the same time, you have this feeling of, like, somebody's going to step in and do something if it were really that big of a deal... 

Dave Bittner: Right. 

Nancy Kim: ...Kind of like bystander-herd effect combo. And on top of that, you have, you know, academics on one side and a nonprofit or a consumer rights organization. And then on the other side, you have people who actually have money (laughter) - right? - companies and businesses who actually have a lot of money to lose. And so good luck. It's really not a fair fight. Academics have been writing about this for years. Policy organizations have been trying to get some, you know, traction. 

Nancy Kim: We thought that they might get some traction, and then there was an election. And there was going to possibly be a ban on mandatory arbitration clauses in bank contracts - well, that's been kind of put on hold the last I heard. So again, the political system - we have this democratic process, but it's, you know, it's heavily influenced by lobbyists and people who have the money to get heard. 

Nancy Kim: You know, we do what we can over here (laughter) with our words, but sometimes, people actually need dollars. And, in fact, the California privacy law was bankrolled. I mean, it was a good thing we finally got somebody who had money who was willing to put some dollars behind it because that's what it takes, unfortunately. 

Dave Bittner: Yeah. You know, I think for a lot of people, probably their main interaction with getting heavily into contract law could be when they purchase a house. 

Nancy Kim: Yes. 

Dave Bittner: And you go through that contract, and there's pages and pages. And you actually read through it. And there - and along the way, there could be things that get lined out. There could be things that get revised. There could be agreements along the way between the two parties so that everyone's happy. 

Dave Bittner: With someone like you, who has knowledge of these sorts of things, you know, when you get a credit card, do you have the ability to go through that agreement and line things out and say, you know, I'm not going to agree to that - I'm not going to agree? Or is it just for the credit card company to say, well, then fine? Don't use our credit card. We don't care. 

Nancy Kim: You know, the funny thing is I have actually done that. I've actually lined things out and initialed things. And there's very little case law on consumers who've done this. There have been a few cases where the courts have actually said, no, that's not OK. We're not going to take what the consumer has lined out here, which is very unfair, I think, because - so when the consumer actually does make a change, a court says it wasn't accepted. And so I find that a very sort of odd position. 

Nancy Kim: But I do it anyway. And I actually always recommend people do it. If there's a clause in a contract that you really don't like, then cross it out and initial it and send it back. And if they don't say anything - well, if they do, well, then you'll have to sort of make a decision. But most of the time, nobody reads it on their end either. 

Dave Bittner: Yeah. Well, what are your recommendations for folks who have that sort of nagging feeling that they wish they could do a better job with these things, but who has the time to read all these things? Any advice for folks? 

Nancy Kim: Well, the problem is we really are in a pretty helpless situation here because the only thing you can do really is opt out. Because what we really need is a collective, a coordinated action here because, as I mentioned, I've not joined Facebook, and I don't think Facebook is doing poorly because of that. Even the people I know who write on privacy and who are really sort of against what Facebook has done, they feel like, well - or Twitter, for that matter - you know, they're like, OK, fine. They have to because that's kind of where the conversation is - Twitter. I'm not on Twitter either, and I'm feeling like I really... 

Dave Bittner: Right. 

Nancy Kim: ...You know, you really feel this pressure as an academic to sort of join the crowd - right? - because... 

Dave Bittner: Sure. Join the conversation. 

Nancy Kim: ...Yeah - your voice doesn't get heard. In fact, I had this struggle here with you because I had to download Chrome (laughter). And they had new... 

Dave Bittner: Sorry about that (laughter). 

Nancy Kim: ...Terms of service. 

Dave Bittner: Right, right. 

Nancy Kim: And, of course, I was reading through, and I thought, I hate these terms. But I thought, OK, fine, and then I'll delete it after our conversation. 

Dave Bittner: Right, right, right, right. 

0:39:55:(LAUGHTER) 

Nancy Kim: So it's such a hassle if you're someone like me. And even then, my data's still being collected because it's the sort of - the surveillance economy is just so huge - right? - that I can't really... 

Dave Bittner: Yeah, yeah. 

Nancy Kim: ...Fight it. I can do my little, measly bit to make it not as bad as it might otherwise be for me, but it's still going to be bad for me because... 

Dave Bittner: Yeah. 

Nancy Kim: ...It's - we're just part of this larger system. So I really don't blame consumers at all. It's really up to the legislatures and the courts. And academics have to keep pointing it out. 

Nancy Kim: There's another part of this that doesn't get enough attention, and again, because it's a little ivory tower-ish. But again, sometimes what happens in the ivory tower doesn't stay in the ivory tower, unfortunately. It spills out. 

Dave Bittner: Yeah. 

Nancy Kim: And this is this idea of efficiency. And a lot of what came out of the Chicago School of Law and - you know, this law and economics movement, which focused on not so much, you know, kind of fairness and what the law is typically supposed to be about - you know, individual liberties and so forth - it was really focused more on efficiency, and, you know, especially in the area of contract law. And because of that, it really had a lot of influence in the way courts decided cases, the idea being that, well, if consumers really cared about a particular term, well, the market will respond. But now we know that's a ridiculous argument, right? I mean... 

Dave Bittner: Right. 

Nancy Kim: ...The market can't respond because there are coordination and collective action problems and there are cognitive biases, but that doesn't mean that people don't care about their right to a trial in the event that they are treated unfairly by a corporation. It's just not top of mind when they are, you know, trying to get on this podcast, for example... 

Dave Bittner: Sure, right. Right. Absolutely. 

Nancy Kim: ...Things like that. So it's a very unrealistic view of the world, and it's focused just on sort of the marketplace and on corporations, and not so much on the way that people are affected by some of these laws and rules. 

Dave Bittner: Well, Nancy Kim, thanks so much for taking the time for us. We really do appreciate it. 

Nancy Kim: Sure. It was great talking to you. 

Dave Bittner: All right, Ben, interesting conversation. What do you think? 

Ben Yelin: So I was very glad to hear from the professor. I would tell a lot of my students, if you want to get a crash course in interesting concepts in contract law, that segment might be very good for you. She explained illusory promises very well, for example. 

Ben Yelin: But she brought up some really interesting points. None of us - and she was realistic about this - you know, none of us actually read the terms and conditions when we click to accept those terms and conditions. It would be completely unnatural to do so. They are hundreds of pages in length, and all we want to do is, you know, check our Facebook page or, you know, listen to a new song on Spotify. But these are enforceable in a court of law. And oftentimes, not only are there provisions that would potentially lead to privacy violations, but, as she mentioned, a lot of times, these terms and conditions will prevent users or consumers from legal avenues review. So many of these terms and conditions contain mandatory arbitration clauses or limits on lawsuits. 

Ben Yelin: And, you know, until people like the professor or other civil liberties experts actually pore through these terms and conditions and notice these sort of anti-consumer measures, they'll continue to be in those terms and conditions, and the rest of us will suffer the consequences. So I guess I would say I'm just thankful to have people like this good professor out there who are doing the yeoman's work of reading these terms and conditions for the rest of us. 

Dave Bittner: You know, one thing that struck me in our conversation was how it seems as though things are tilted against the consumer. In other words, even with contract law, it seems like on the B2B side, even judges enforce things in a different way, perhaps, than they do when it comes to consumers. 

Ben Yelin: I mean, there are a lot of political reasons for that. You know, not to get too conspiratorial here, but businesses do have a lot of political power. And it's not just through political spending, but just general influence that they retain over the people who make these laws and the people who appoint these judges. 

Ben Yelin: But there is a justification for that from the consumer's perspective. If businesses were overregulated and subjected to these types of lawsuits and couldn't have mandatory arbitration clauses, then they would be sued a lot more and, presumably, there would be a lot of judgments and settlements, and those costs would be passed down to us, the consumers. So I think it's always kind of important to remember. It is absolutely true that the deck is stacked against consumers. Not only are we generally monetarily powerless relative to the big companies of the world, but we're relatively politically powerless as well. But, you know, I think there are legitimate public policy reasons for limiting lawsuits against large companies, largely because it is what many scholars call a tort tax, a tax that is passed on down to us. 

Dave Bittner: All right. Well, our thanks to Nancy Kim for joining us. Again, her book is titled "Consentability: Consent and Its Limits." So do check that out. 

Dave Bittner: And that is our show. We want to thank all of you for listening. 

Dave Bittner: And, of course, we want to thank this week's sponsor, KnowBe4. You can go to knowbe4.com/kcm and check out their innovative GRC platform. That's kb4.com/kcm. Request a demo and see how you can get audits done at half the cost in half the time. Our thanks to the University of Maryland Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: CyberWire, Inc.
ADVERTISEMENT
KnowBe4
KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.