Caveat 4.1.20
Ep 22 | 4.1.20
Never let a crisis go to waste.
Transcript

Lily Hay Newman: Users just don't want any of it. They don't want this persistent tracking. They don't want to be tracked across sites. They don't want their habits or behaviors captured. 

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: On this week's show, Ben and I discuss some more of the policy and privacy issues surrounding the global coronavirus pandemic. Later in the show, my interview with Lily Hay Newman. She's a senior writer at WIRED. We're going to be discussing browser privacy. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. We'll be right back after a word from our sponsors. 

Dave Bittner: And now some reflections from our sponsors at KnowBe4. What's a policy? We've heard a few definitions. Some say it's an elaborate procedure designed to prevent a recurrence of a single nonrepeatable event. Others say it's a way that the suits play CYA. Still others say it's whatever happens to reside in those binders the consultants left behind them right before they presented their bill. How about a more positive approach? As KnowBe4 can tell you, better policy means better security. And getting the policies right is a big part of security. So is setting them up in ways that your people can actually follow them. We'll hear later in the show about how you might approach policy. 

Dave Bittner: And we are back. Ben, of course, I think as you'd expect, the coronavirus continues to dominate the stories making headlines these days. But there are a lot of policy issues that are coming into play here. Many things that used to be theoretical - we're seeing them sort of play out in real time. Why don't you kick things off for us this week? You have an interesting story about some stuff coming out of the White House. 

Ben Yelin: Yeah. So this was a story that ran in The Washington Post. It was about a collaborative effort between the White House Office of Technology and a lot of companies in the private sector, including your Googles and your Facebook. And the idea was to start a public-private partnership for tracking of individuals in an effort to slow the spread of the coronavirus. It would be anonymized tracking. So the way one of the Google executives described it is it would be the same sort of tracking that Google uses to figure out whether the store that you're getting directions to is busy at any given time. The data wouldn't be specific to an individual. That would be completely anonymized. But there are always potential privacy concerns, as we've talked about many times on this podcast, even when the data is anonymized. 

Ben Yelin: This effort is still certainly in its preliminary stages. They created a task force. So this is separate from the White House's normal Coronavirus Task Force led by Vice President Pence. This is a separate task force led by members of the tech industry from Silicon Valley, some White House folks and public health leaders and other major leaders in the field. And they're still in the very preliminary process of collecting ideas. But the idea is you could measure how fast and where exactly this virus was spreading if you measure the movement of people. 

Ben Yelin: So for example, right now, the outbreak is hottest in New York City. And if you were to see mass movement from New York City to Bergen County, N.J., and all of a sudden, two weeks later there were a lot of hospitalizations and ICU beds being taken up in Bergen, N.J., then you'd have a very good idea about where people were moving and why. And you could start to make, you know, emergency plans based on that knowledge. So that's sort of the backdrop behind it. 

Dave Bittner: That's really fascinating. So you wouldn't necessarily need to have individual information on the per-person level. It's actually just tracking broad movements of people and, I guess, correlating that with later developments where the virus seems to pop up. 

Ben Yelin: Yeah. I mean, one thing that it would be quite good at measuring is social distancing. So a lot of states have required social distancing by, for example, closing bars, restaurants, even some public locations like city squares, parks. You could actually get good data on whether people are actually abiding by social distancing by using these tracking features. So for example, you know, I know in Maryland and, I think, other states people are currently allowed, despite what's essentially a lockdown of non-essential businesses, to go out into public parks to just get some fresh air, to take a walk. Well what this data might tell you is that too many people are going to the park at one time. 

Ben Yelin: They're not able to keep the recommended 6-feet distance to protect social distancing. And that might lead policymakers at the local level to institute greater bans on those gatherings. If you were to see that 10 devices were at the same basketball court, that would be violating the rules of social distancing. Even if you didn't know exactly whom those devices belong to, you could put into place new emergency policy that said, for example, we're closing all city basketball courts, tennis courts, etc. So it could be a major tool to inform where policy changes are needed. Once you build this tool now, you can also build it for future epidemics or pandemics. 

Ben Yelin: And unfortunately for us, it seems like most experts are predicting that this pandemic, even if it abates over the summer, is going to make a return. And we can better sort of track the return of the virus if that does happen once we already have a system set up to do this type of location tracking. 

Dave Bittner: Yeah, it's interesting to me how this is the response of sort of that all-hands-on-deck mentality that I think we're all in right now where the federal government and even at the state level are reaching out to these people who have expertise, and they're saying, hey, we'll listen to any idea you have. Let's have some of these good conversations. 

Ben Yelin: Yeah. I mean, it's really happening across all sectors of the government. Certainly, the tech companies have not been immune themselves. One of the first major outbreaks in the country was in Silicon Valley. Almost all of their employees are - of all these companies are working remotely, so they're affected by this. Their bottom lines are affected by this. So they certainly have an incentive even beyond, you know, the moral incentive to try and help out. And, you know, right now, they're involved on a voluntary basis. I think what we're going to start to see, if the president does invoke his powers under the Defense Production Act, is a lot of companies, including perhaps some Silicon Valley companies, will be conscripted to produce things as part of the effort to confront the spread of this virus. 

Ben Yelin: You know, we've already seen car manufacturers for example switch to manufacturing surgical masks and N95 masks and ventilators. And, you know, we're at that point where yes, right now, there's sort of this really nice, hunky-dory collaborative effort between the private sector and the public sector. But just due to the nature of the federal government's emergency powers, I think that relationship could get more adversarial if we start forcing some companies to engage in some actions that they otherwise would not be comfortable with. But that's just sort of the nature of the emergency. 

Dave Bittner: The president himself has used the rhetoric of claiming that he is a wartime president, that this is a wartime situation. I suppose it's certainly an emergency situation. Technically, no one has declared war, but I understand where he's getting with this. Do you have any insights on the differences between an emergency situation and an actual wartime situation in terms of what that empowers our leaders to do or not do? 

Ben Yelin: There are actually a lot of similarities between public health emergencies and declared wars in terms of executive power and curbing civil liberties. You know, emergencies are emergencies. So while the actions may be different, you do want to plan for all hazards. And a wartime footing can still invoke powers that aren't necessarily war-like - for example, this Defense Production Act that we just discussed. That was obviously designed during the Korean War to conscript private organizations, private companies to produce items needed for the war effort. And, you know, in the context of 1950s, that meant instead of building steel for buildings and elevators, they'd be building it for the war effort. And those powers didn't require a formal declaration of war to be invoked. 

Ben Yelin: I will note that I believe I'm almost 100% certain that the last time this country actually declared war was World War II. We've had these sort of quasi-war declarations since then, including for Korea, the Vietnam War the War on Terrorism and the War in Iraq. And we still made large use of some of these emergency powers, despite the fact that we haven't formally declared war. So I think it really is a mentality. As you said, it's a all hands on deck. We're not only going to bring the full force of the federal government and state governments and local governments, but we're going to commandeer parts of the private sector. And that's something that doesn't require a formal declaration of war. It's something that already exists under our emergency powers. 

Dave Bittner: Speaking of expansion of powers, my story this week - something that was certainly making the rounds over on Twitter. And there's a story from Vox written by Riley Beggin. It's titled "DOJ Asks Congress for Broad New Powers Amid COVID-19. Schumer says, Hell No." Unpack this for us, Ben. 

Ben Yelin: Yeah. I think it was Rahm Emanuel who once said that you should never let a crisis go to waste, which seems to be the justification behind this proposal. So this was not actually a proposal that had been formalized in any real way. It was reported by - originally by POLITICO. But it was that Attorney General Barr, under the direction of the Trump administration, would request authority from Congress to have certain emergency powers during the coronavirus outbreak. So, you know, for example, those powers would include asking judges to detain people indefinitely without trial during an emergency. It would suspend certain judicial proceedings as long as the emergency had been invoked or if the court in question were to close as a result of that emergency. And, you know, I think perhaps most frighteningly, the proposal would allow judges to pause, quote, "any statutes or rules of procedure at every stage of the justice process from prearrest to post-trial." 

Ben Yelin: Once that story came out - and I'm sure you and I were seeing the same reactions - there was really a swift pushback from Congress. And I think I saw members of both political parties use some profanities in describing their reaction to these proposals. I saw Senator Lee from Utah, who is a libertarian Republican, basically say this is - over my dead body will this happen. We are not going to suspend our constitutional system, even though we're in an emergency. And liberal members like Alexandria Ocasio-Cortez were saying the same thing. I know you and I have talked about this. 

Ben Yelin: There is a long history of the government abandoning its constitutional values during times of natural and man-made disasters, starting with President Lincoln suspending the right of habeas corpus during the Civil War and, of course, up into and including Japanese internment, which I know we discussed on the previous episodes. So what to me was promising about this is as soon as the proposal leaked, there was sort of a universal pushback from members of Congress and both parties saying, we can't let this crisis turn into an opportunity for the Justice Department to have these sweeping powers. 

Dave Bittner: Help me understand what the motivation would be here. And what I mean is in this case, we're dealing with a health issue. So in that case, there's no bad guy. There's no one to lock up. You know, there are no terrorists. That sort of boogey man threat, to me, isn't there in that there's a specific person that you'd want to be - I could see the impulse to slow down to keep in the justice system for reasons of security. Am I looking at this right? Does that make any sense? 

Ben Yelin: You're right. 

Dave Bittner: Is my thinking straight? 

Ben Yelin: I mean, it's not like after 9/11 where we did as a country make some decisions to limit constitutional rights for, for example, enemy combatants. Unfortunately, we cannot detain and interrogate the COVID-19 strain, although that would make a very interesting movie, I think, having a indefinite detention of a virus. 

Dave Bittner: If only. 

Ben Yelin: But besides that point, their justification would be to add flexibility to the court system. There are - because criminal defendants have the right to a fair and speedy trial, there are potentially logistical concerns when courts are physically closed and courts at all levels - federal level, state level - are postponing trials. They are postponing hearings that are nonessential. And I think the Justice Department is basically saying, we don't want to get into a situation where people are compelled to come back to court before it's safe to do so because, you know, they have a constitutional right to a fair and speedy trial. So I think that's largely the justification here. 

Ben Yelin: But again, I think it should always raise alarm bells - and it justifiably did - when the Justice Department is asking or demanding additional emergency powers. You know, our system of checks and balances requires us to be very wary every time we see a pronouncement like that. 

Dave Bittner: Yeah. And in this case, it seems as though it was stopped in its tracks. We really haven't heard any more about it. 

Ben Yelin: No. So Congress has enacted several pieces of legislation related to the coronavirus. You know, we had a sort of a small ball bill that that came out when the virus was first erupting, a larger bill dealing with paid sick leave and other items. This proposal was part of a discussion for the third bill, which would largely be an economic stimulus package. And one thing that Congress does is they tuck items into large spending bills that consist of policy changes. And very frequently, not even members of Congress will notice that those provisions have been stuck in there. 

Ben Yelin: This is something that's happened repeatedly. These are thousand- to 2,000-page pieces of legislation that are largely written in the offices of the House and Senate leadership. And you know, without a media that's frankly keeping an eye on all of this and doing work that legislators or their staffs cannot do, you know, we may not have found out about this before it was tucked into a large omnibus spending bill. 

Ben Yelin: You know, and that's one thing that's particularly difficult during an emergency. I completely understand the urgency to get something passed. The economy is in rough shape. People need economic security, and that's something that this economic package would potentially provide. But to exploit that urgency to put unrelated policy items in there, especially expanding powers as it relates to people's civil liberties, seems to be something that was beyond the pale for members of Congress. 

Dave Bittner: All right. Well. It's certainly interesting and a reminder that vigilance is necessary, especially in these times of challenge, I suppose. 

Ben Yelin: Yeah. You know, I think in a lot of our past emergencies, there's been an attitude that we have to trust our leaders. We're scared. We're fearful. We want action. In the case of terrorism, we want vengeance. And I think it's incumbent upon all of us to, whatever the saying is - stand athwart history, yelling stop - something like that. I probably messed up that quote, but I think you get the gist of it. 

Dave Bittner: Yeah, I'm sure our listeners will let us know, Ben. 

Ben Yelin: Yeah. 

Dave Bittner: (Laughter). Well, speaking of our listeners, it is time to move on to our Listener on the Line. 

0:15:57:(SOUNDBITE OF PHONE DIALING) 

Dave Bittner: Our Listener on the Line this week was an email that was sent in to us. It was from a listener who prefers to remain anonymous, so we will respect that. And they write in and they say, thank you for everything you do to keep the cybersecurity community informed. I've wondered for a while if the precedent of treating encryption as a weapon for international trade purposes and the track record of overreaching by the three-letter services - I suppose this writer means like the FBI and the NSA and the CIA, you know - has provided the foundation for an argument, encryption should be protected under the Second Amendment. Even if it forced citizens to join a militia in order to use it, I can see this putting an end to the debate if it were proven valid. Any reason this hasn't been tried or, if it has, why it failed? 

Dave Bittner: This is a fun thing to ponder, I suppose, here, Ben. 

Ben Yelin: Yeah, this is a fascinating question, something I had never thought about. So the Second Amendment says, the right of the people to keep and bear arms shall not be infringed. So I guess what the listener's justification would be is, encryption is a defensive weapon. So do citizens - and the Supreme Court has determined that this is a right that applies not just to militias but to citizens - do citizens have that right to use encryption under the Second Amendment? 

Ben Yelin: I would say, most likely, the Supreme Court would reject that argument. One reason I think they would reject it is they've taken a pretty originalist approach to Second Amendment questions, looking at exactly what the drafters meant by the right to keep and bear arms, what those particular words meant at the time. That was sort of their justification behind the District of Columbia v. Heller case which established Second Amendment rights as a personalized, nonmilitia-based right. 

Ben Yelin: If you read that case - it was Justice Scalia who wrote the majority opinion - it was largely going into the history of what arms meant at the time that the amendment was drafted - and you know, at that point, we were talking about muskets and those sorts of things - and you know, how that would translate into the kind of weapons that we use today. Because they use that originalist approach, I don't think the court, as it's currently constructed, would be willing to look more broadly at that Second Amendment right to include something digital, something that wasn't an actual brick-and-mortar pistol or weapon to protect oneself. 

Ben Yelin: And I think there's also something to the fact that we have that prefatory clause - a well-regulated militia being necessary to the security of a free state. Well, the Supreme Court has said that that doesn't preclude an individual's right to keep and bear arms. You know, I think that does sort of imply a context that we're also protecting our collective rights. And so maybe in that sense, encryption would be protecting our collective rights. But I think it's a really interesting and novel argument, but it's not one I would expect the Supreme Court to take up anytime soon. 

Dave Bittner: You know, it also strikes me that I know - you know, there was a time decades ago when certain types of strong encryption were categorized as ammunition, which I think is what our listener is pointing out here, and so there were export restrictions put on some types of encryption. But I suppose other weapons that would be exported - I'm thinking like a bazooka or a tank or a surface-to-air missile - I'm not entitled to have one of those, either. 

Ben Yelin: Well, no, you are not. Of course, that jurisprudence may change in the future. 

Dave Bittner: (Laughter). 

Ben Yelin: But generally, the right, as it's recognized, does not apply to so-called weapons of war; it's things that are generally used for self-defense - handguns, for example. That was at least the Supreme Court's justification in their 2008 decision. Now, frankly, they have not revisited that. We have not-a-largely-changed ideological makeup on the court, but there are new members who might be willing to take a broader view of what counts as a weapon for Second Amendment purposes. But from what I've seen, they've really tried to dig into history to figure out what it means to keep and to bear arms. 

Ben Yelin: And I would note, you know, I think we had talked on a previous segment about - encryption has existed in some form even in the 1700s and 1800s. It didn't exist in a digital form, but it existed at that time. And I'm not an expert on contemporaneous documents, but I don't think, when they were talking about the Second Amendment, they were contemplating encrypting communications, for example, as a defensive weapon. 

Dave Bittner: Yeah. 

Ben Yelin: And if we're going to use that as an analog to what's happening now, you know, I just think that context is important as well. 

Dave Bittner: Yeah. All right. Well, thanks to our listener for sending that in, certainly a fascinating and thought-provoking idea. 

Ben Yelin: Yeah. 

Dave Bittner: We would love to hear from you. Our call-in number is 410-618-3720. That's 410-618-3720. You can call and leave us a message. You can also send us an audio file. You can email that to caveat@thecyberwire.com. You can send your questions in there as well. Coming up next, my conversation with Lily Hay Newman. She is a senior writer at WIRED. We're going to be discussing her recent article about browser privacy. 

Dave Bittner: But first, a word from our sponsors. And now we return to our sponsor's point about policy. KnowBe4 will tell you that where there are humans cooperating to get work done, there you need a common set of ground rules to ensure that the mission is accomplished but in the right way. That's the role of policy. KnowBe4's deep understanding of the human dimension of security can help you develop the right policies and help you train your people to follow them. But there's always a question of showing that your policies are not only sound but that they're also distributed, posted and implemented. That's where the policy management module of their KCM platform comes in. It will enable your organization to automate its policy management workflows in a way that's clear, consistent and effective. Not only that, KCM does the job at half the cost in half the time. It's your policy after all; implement it in a user-friendly, frictionless way. Go to kb4.com/kcm and check out their innovative GRC platform. That's kb4.com/kcm. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: And we are back. Ben, I recently had the pleasure of speaking with Lily Hay Newman. She is a senior writer at WIRED, and she recently published an article all about browser privacy and how the different browser providers are approaching that. Here's my conversation with Lily Hay Newman. 

Lily Hay Newman: It's pretty tough, I think, for the average user to get a handle on it. But what's really new is that all the browsers are talking about this issue. You know, all of them are talking about anti-tracking features, privacy protections, data protections. And that is pretty new in the past few years. You know, formerly, you would have sort of privacy-conscious browsers and then everybody else. And the fact that all of them are, you know, needing to engage in this dialogue now is promising. They would all say that they've all always been on top of this and all over it. 

Dave Bittner: (Laughter). 

Lily Hay Newman: But, you know, I think the fact that there are so many new features lately and just a new framing that they're touting is pretty interesting. Conceptually, the way I think about it is - and, you know, what I talk about in the piece - is that there seems to be two approaches to dealing with browser privacy. And this is particularly in the sense of sort of online ad tracking, marketing tracking, things like that that are seen as big erosions of user privacy. Some of the browsers want to find ways to more privately provide the information that advertisers want - so kind of work within the status quo in a improved, more private way. 

Lily Hay Newman: And then others are saying, screw this system; we want to block everything, and we don't want to participate, you know, and our users don't want to participate, so we're going to provide them that protection. The simplistic way to think of it is like an ad blocker. They're saying, we're just going to cut it all off. And I think it's more compelling to me than I expected to even consider that that debate. My personal instinct would have been, you know, users just don't want any of it. They don't want this persistent tracking. They don't want to be tracked across sites. They don't want their habits and behaviors captured. That's it. 

Dave Bittner: Right. 

Lily Hay Newman: But, you know, the ad industry is huge industry that - it pays my salary (laughter). It isn't maybe something that we want to just completely wipe off the face of the Earth. It funds a lot of creative outlets. It funds news. So yeah, I don't know. It's tough to say which approach makes more sense. 

Dave Bittner: You know it's interesting to me as I was reading through your piece that - it struck me that an analogy that popped into my mind was that, you know, one group seems to be going after the symptoms, and another group may be going after the cure. 

Lily Hay Newman: Right. Yeah. 

Dave Bittner: You point out that Google Chrome has about two-thirds of the market share, but they're sort of caught in this tension because their business is built on delivering ads. So they're in a different place than some of these other providers are. 

Lily Hay Newman: Right. So they would say - and around the time I wrote this article, it was based on hearing some Chrome representatives, you know, speaking at a conference and, you know, talking to people around that time. They would say that their goal in finding a more private way to maintain the ad industry is not related to Google's business interests, but it's related to the interests of keeping content free on the web. They say that they're concern - and I think this is genuine. 

Lily Hay Newman: It's just also true that it aligns with their company's business interests. They say that, you know, their concern is that content is going to move into these siloed, walled gardens where you have to pay for it in an app, or there's sort of a paywall or something like that because the web in browsers as we've known it is too constrained. Companies and publishers and everyone can't get the data they want about their users. So they're going to move everything into other spaces where they have more control. Like, when you think about an app, it's connected to the Internet and it often sort of has a browser component or something. So you don't really - I at least don't always think of it as being sort of separate. 

Dave Bittner: Right. 

Lily Hay Newman: But you have to remind yourself when you're reading WIRED in the WIRED app, that's not a browser. It's a different venue. And, you know, publications or companies could change the rules of engagement within their app versus in the, you know, browser site. So that's the concern that the Chrome folks are outlining. And as I said, I mean, I do think it's genuine, you know, and that they want to sort of keep all the good stuff that's happening going on the web. And they don't want to just sort of create these roadblocks that make industry so frustrated that they go around back and do things in a more constrained way. But as we were saying, we just also have to consider that that reflects the business interests of Google and Alphabet. 

Dave Bittner: As you and I are recording this, just recently, the folks who make the Brave browser have filed a formal GDPR complaint against Google. They say that they're violating the GDPR our purpose limitation principle. Can you give us some insights? What's going on here? 

Lily Hay Newman: Right. So brave is saying that. Google's privacy policies are really vague that you know they're difficult to navigate for users and maybe that, you know, they're kind of disingenuous in that way. And it's a pretty, like, browser-on-browser assault because... 

Dave Bittner: Right. Right. 

Lily Hay Newman: (Laughter) ...The complaint, if I'm correct about that, is, you know, about Google generally - right? - not just Chrome. 

Dave Bittner: Right. 

Lily Hay Newman: Meanwhile, Brave is a Chromium-based browser. So there's just a lot of interesting dynamics here. But it's pretty contentious or sort of adversarial way of, you know, confronting Google and its privacy policies by taking it to sort of GDPR brawl. 

Dave Bittner: You know, it strikes me that when I think about all of this, that there was a time, you know, long ago, when dinosaurs roamed the Earth, when advertising took place without this sort of tracking. I mean, yes, we had, you know, TV ratings and radio ratings and all that sort of thing. But it seems to me like most of these arguments center around this notion that the advertisers must absolutely have this information, or they will cease to be able to do what they do. And I wonder if maybe that's part of what needs to be looked at - is, do they really need that? Could they function without it? 

Lily Hay Newman: Right. And I think Chrome and, you know, others to a degree, like Microsoft Edge - you know, their thought is, maybe we can, as powerful players in the browser space, in the tech space - maybe we can make sort of a counterargument and say, well, what if we offer you this? Instead of what you were - you know, instead of the firehose you were getting, what if we give you A, B and C, you know, categories of data? And they're going to be aggregated and anonymized or, you know, whatever the protections are going to be for the users. But look. You actually still could do X Y, Z advertising things you want to do or, you know, tracking preferences of populations - things like that. We're still providing you everything you need. So yeah, I think they would say that they want to kind of paternalistically help make that case on behalf of users. But it's pretty difficult to put the cat back in the bag or of whatever the expression is. 

Dave Bittner: Yeah, yeah, yeah. What an interesting place to find ourselves, where these privacy features are becoming a competitive advantage for these providers of browsers. 

Lily Hay Newman: Yeah. And as I was saying, I do think that is a very positive thing that now you can't just put your flashy, new features first, and that's it. You also need to, you know, have some type of acknowledgment about what you're doing on privacy and security. And that's kind of in the same category as the nifty, new innovations. That seems very positive to me. But it's just so difficult to navigate what's actually going on under the hood of all these products that I still think it's a challenge for consumers. But I think everyone is better off from the companies needing to take this seriously. 

Dave Bittner: All right. Well, the piece is titled "The Fractured Future of Browser Privacy." Lily Hay Newman, thanks so much for joining us. 

Lily Hay Newman: Yeah, thanks for having me. 

Dave Bittner: All right. Always a pleasure to speak with Lily Hay Newman. Ben, what do you make of all this? 

Ben Yelin: It was a really interesting article and a really interesting conversation. You know, I think the internet browsers are recognizing more and more that the market is looking for privacy. The market is looking for protection of personal information. And they're trying to balance that against not only ad revenue but improving the user experience. And the user experience, frankly, can be quite enhanced when, for example, a website collects cookies about us. You know, it makes internet browsing better if we didn't know that we were essentially having very personal information taken from us. 

Dave Bittner: Right. 

Ben Yelin: You know, I think one thing that's interesting about the private sector taking a lead on this is it does sort of allow the government to take a back seat and let these internet browsing companies compete over how private consumers want their experience to be and back. And that can sort of become the benchmark rather than the government stepping in and saying, here we are to - you know, to regulate this. And, you know, I don't think we know exactly where that balance is. Google Chrome, as she said, controls, I think, the majority of the market now for internet browsers. And they're just at the beginning stages of their effort to increase privacy within their browser, certainly to the degree that other platforms have done so. So, you know, this is definitely something that was eye-opening and interesting and something I definitely want to keep track of going forward. 

Dave Bittner: You know, one thing it reminded me of was a comparison that, you know, back in the '90s into the early 2000s, you know, thinking back to those days, you know, Sony was really the leader when it came to consumer electronics. You think about - you know, we still refer to a portable audio player as a Walkman. 

Ben Yelin: Oh, yeah. We all had them. 

Dave Bittner: At least people in my generation do. Yeah. And so if you think about it, the iPod should have been a Sony product, right? 

Ben Yelin: Right. 

Dave Bittner: I mean, they had the lead. They had the design. But Sony had so many internal conflicts because Sony owned a music company, and so the music company said, you can't put our music on that device. You can't, you know, convert it to digital. No one will buy our music anymore. And so because of that internal conflict, that provided an opportunity for a company like Apple, who didn't have that internal conflict, to come on and make something like the iPod. And I can't help wondering if we look at Google - if they're up against the same sort of thing, where so much of their interest, their very survival is based on ad revenue and being able to track people to sell those ads. Does that open the door for some of these other more privacy-focused browser providers to step in and differentiate themselves? 

Ben Yelin: I think it does, although I will say you have to look at it from the consumer's perspective. So there was major value added for the consumer when the iPod came to the market. It was sleek. It was well-designed. It could hold, you know, at that time, 2,000 or whatever songs. So it was a way cooler than anything that that Sony had come up with to that point. If a competitor to Google Chrome came along and tried to create a robust user experience with those same type - or with stronger protections against data getting shared, then, you know, they potentially could have that same impact on the market. I just think it's not as obvious to me that that's what consumers want. And I think people are really voting with their dollars. Or maybe it's their eyes because we're not actually paying to download these internet browsers. 

Ben Yelin: But I think there is a reason why Google has such a large market share at this point. And part of it is that their browser is integrated to the extent that when you go to a new website, your password has been stored. For most people who aren't attuned to privacy concerns, that's a matter of convenience. So, you know, I'm not sure that one of these other companies is going to do enough to improve the user experience or convince people that privacy is important enough of a consideration to abandon the internet browser that has this large market share. 

Dave Bittner: Yeah. It's interesting to me, though, that things have changed enough that we're at the point that this is even part of the conversation, that privacy could be a differentiating factor for some of these providers. So it hasn't always been that way. 

Ben Yelin: Yeah. And I think I would say in, like, the last five years, I think privacy has become a market concern more than just a policy concern. And I think more and more companies are realizing that there are at least a subset of consumers who care first and foremost about information privacy. It still is probably - and you would know this better than me - a minority of consumers. You know, if we had to choose between convenience and usability versus privacy, I think most people would still choose the former. 

Dave Bittner: Yeah. 

Ben Yelin: But the market has developed. We see it in encrypted applications where if you can prove that you can protect data better than your competitors, you are going to get a market advantage. And that's something that's, I think, relatively recent. 

Dave Bittner: Well, once again, thanks to Lily Hay Newman for joining us. As I said, it's always a pleasure to speak with her. That is our show. And, of course, we want to thank all of you for listening. 

Dave Bittner: And we want to thank this week's sponsor, KnowBe4. If you go to kb4.com/kcm, you can check out their innovative GRC Platform. That's kb4.com/kcm. Request a demo and see how you can get audits done at half the cost in half the time. 

Dave Bittner: Our thanks to the University of Maryland Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com. 

Dave Bittner: The "Caveat" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.