Caveat 4.29.20
Ep 26 | 4.29.20

You will pay for that one way or another.


Dave Bittner: Hey, everybody - Dave here with a quick request. If you could leave us a review on whatever platform it is you listen to the show, it'll help spread the word and grow our audience. So, please, take a few minutes and share why you think this podcast is a valuable part of your day. Thanks. Here's the show. 

Joseph Cox: What people may not be aware of is that many of these apps are actually scraping the contents of the email inbox. 

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: On this week's show, I've got the story of a landlord who may run afoul of the Computer Fraud and Abuse Act. Ben wonders if Big Tech CEOs should be held liable for contact-tracking apps. And later in the show, my conversation with Joseph Cox. He's a senior staff writer at Motherboard. And we'll be discussing his recent article "How Big Companies Spy on Your Emails." While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. We'll be right back after a word from our sponsors. 

Dave Bittner: And now a few thoughts from our sponsors at KnowBe4. What do you do with risk? We hear that you can basically do three things. You can accept it; you can transfer it; or you can reduce it. And, of course, you might wind up doing some mix of the three. But consider this. Risk comes in many forms, and it comes from many places, including places you don't necessarily control. Many an organization has been clobbered by something they wish they'd seen coming. So what can you do to see it coming? Later in the show, we'll hear some of KnowBe4's ideas on seeing into third-party risk. 

Dave Bittner: And we are back. Ben, before we get into our stories this week, some quick follow-up. Last week, we talked about the notion that the Supreme Court may be taking on the CFAA, the Computer Fraud and Abuse Act. And since that episode was published, there's been some movement there. 

Ben Yelin: There has. So the case we discussed on our last episode was Van Buren v. the United States. And in the time since we recorded that episode, the Supreme Court has granted certiorari over that case, meaning they will hold oral arguments next fall and make a decision sometime in early 2021. So definitely listen to our previous episodes for the details on the case. But when we had discussed it, we said it was likely but only a possibility that they take up the case, and now we know that they, in fact, have taken up the case. 

Dave Bittner: Yeah. I've been seeing - on Twitter, anyway - that folks in the cybersecurity world seem to be kind of pumped up about this. 

Ben Yelin: Yeah. There's a lot of interest. I mean, it's - for compliance purposes, it's very difficult to have multiple interpretations of the Computer Fraud and Abuse Act, depending on which judicial circuit you happen to be sued in. So having the Supreme Court decide and hand down on tablets once and for all what the Computer Fraud and Abuse Act actually means and what the act means by unauthorized access is going to be a huge relief for people who rely on definite interpretations of the statute. 

Ben Yelin: The only warning I'll have is, you know, you occasionally get these cases where the Supreme Court can't really come up with a definitive decision, so there are multiple-part opinions joined by - you know, there's the plurality opinion joined by two other justices. And then there's a concurrence, dissenting in part, you know, type thing. So I hope we get a true, definitive answer and not one of those wishy-washy decisions that we see sometimes. 

Dave Bittner: All right. Well, time will tell. So obviously, we will keep a close eye on that. Let's move on to our stories this week. Ben, why don't you kick things off for us? 

Ben Yelin: Sure. So my story comes from CNBC. The headline is "Apple and Google CEOs Should be Held Responsible for Protecting Coronavirus Tracking Data, Says GOP Senator Hawley." So this is Josh Hawley, a freshman Republican senator from Missouri. As our listeners may know, Google and Apple announced they have developed a voluntary application to help with tracking of coronavirus cases. So it would use - and I think we've talked about it. It would use Bluetooth and alert people if they've come into close contact with those that have tested positive for the virus. 

Ben Yelin: Obviously, in the privacy and civil liberties community, there was a lot of concern. Even though this would be both a voluntary program and the data would be anonymized, we know that there's always the potential for anonymized data to be exploited. And, you know, you can unmask people just based on anonymized data. And that piqued the concern of Senator Josh Hawley from Missouri. He's kind of a rebel within the Republican caucus. He's a pretty staunch privacy advocate and has been a very large critic of the tech companies on this issue and others. And he wrote a letter to the CEOs of Google and Apple, who will probably put this directly into their paper shredders... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Figuratively if not literally. And he said that if you are going to introduce these applications, you, as CEOs, should be held personally liable for any privacy errors, for any privacy invasions of the users of these applications. So to put this in colloquial terms, that's not really a thing. 

Dave Bittner: (Laughter). 

Ben Yelin: The reason why companies incorporate themselves, turn into corporations is really for two reasons. One is for tax purposes, and the other is to shield themselves personally from liability. So you sue the companies. You don't sue, generally, the CEO of companies. That's what's called piercing the - you can try and pierce the corporate veil. But generally, the reasons corporations incorporate is to make it so that the senior officers are not subject to personal liability. 

Ben Yelin: So this letter is really more of a stunt. It's saying, you know, you have assured your consumers through various public disclosures, posts on Medium, et cetera that you are going to protect their privacy through this voluntary application, and you've promised them that this application will cease to exist once this emergency has passed. And what the senator here is saying is put up or shut up. You know, if you are so sure that you're not going to violate people's digital privacy, then why don't you make yourself personally liable, personally on the hook for any potential lawsuits? Well, you can never put it past politicians to engage in this type of gimmicky behavior. 

Ben Yelin: But I do think, you know, it's sort of a warning shot across the bow to these companies saying Congress is watching you. We appreciate that you're putting forth this effort. We know that one of the ways we're going to get out of this crisis is through this type of tracking and surveillance, but we're not going to let you do it in a way that exploits consumers. At least that's the view of this senator. 

Dave Bittner: I have some insights here. I actually did an interview with a researcher from Boston University who was part of a large team of folks who were putting together a system called PACT, which is one of the systems that is being put forward for contact tracing. And this - these are folks from Boston University, from MIT, folks who know about these sorts of things. If you're interested, there's an entire episode of it on the CyberWire's "Research Saturday" show, so a little plug for that. We go into a lot of the details. 

Dave Bittner: And let me say, I mean, these folks are focused on privacy. They are laser-focused on privacy. And their hope is to work along with Apple and Google, whose systems are very similar. It seems like all of these systems are coming at this from similar directions, so they're taking similar approaches. And I have to say after my conversation, I was very impressed with the degree to which privacy has been a priority for these folks and, actually, how little information - personal information is being gathered and exchanged the way that these apps work. 

Ben Yelin: Yeah. I mean, I've sort of been struck by the same thing as well, and that's an interesting insight. I mean, there are a lot of privacy barriers that these companies have put in place. First of all, you have to opt in to having your data collected. So, you know, there are a lot of applications that we use where this type of data sharing is not opt-in. You're going to hear about some of them on the interview in today's show. So that's certainly something that doesn't always exist. The contact tracing is done on a user's device with only nonidentifying keys stored on the Google and Apple servers. That's a pretty robust privacy protection. 

Ben Yelin: You can put into place all the protections you want. There are always going to be some vulnerabilities. And if you read the senator's letter, I think he identifies several of the potential vulnerabilities. If so many people are downloading this app onto their advice, there could be some sort of enterprising hacker who could exploit the system and steal personal information. But you have to strike that balance. There are pretty robust privacy protections. And in order for us to go to our hair salons again and, you know, to go to public swimming pools over the summer, we're going to have to do this type of contact tracing. So as a policy matter, given these robust privacy protections and given the necessity of this project, I think a lot of us, you know, are kind of willing to give this a try. 

Ben Yelin: I think what the senator is saying to these companies here is, give it your best shot, but if you screw up, this is on you and you should be bearing the brunt of any damage you cause in terms of stolen data or compromised data to the user. So, you know, I think in reality, this isn't going to make Apple or Google think twice about introducing this application. And, you know, senior people at all levels of government seem far more amenable than this senator does to this type of tracking technology, especially since it is a public-private partnership. But I thought it was particularly interesting that one senator was so gung-ho about putting these company CEOs on notice. 

Dave Bittner: Yeah. And I suppose there's something to be said for saying that, you know, we've got our eye on you, that we're going to be watching what you're doing here because it's important. 

Ben Yelin: It sure is. You know, one thing I worry about in general in this period that we're in is it's much more difficult for Congress to actually conduct oversight because they're not holding hearings. If we were not dealing with a global pandemic, Senator Hawley and, you know, his committee members could haul the CEO of Google and Apple to Capitol Hill via subpoena and ask them under oath, how are you going to protect user privacy? They're not doing that right now because Congress has largely been out of session. So I think that's just something to watch over as well. Oversight is a general concern when Congress is, you know, for probably good reason, not coming to Washington to do its work. 

Dave Bittner: All right. Well, yeah. I think it's really going to be interesting to see as these things are rolled out, to see how many people are comfortable using them and how useful they actually are. This is new ground, right? 

Ben Yelin: It is. 

Dave Bittner: This is new stuff for all of us. 

Ben Yelin: And it's like, we got to try something, you know? I mean... 

Dave Bittner: Yeah. 

Ben Yelin: ...I think that's the attitude of these companies and most governments in general is - you know, we just had a story this week that the state of Maryland, in an effort to procure enough testing kits, made a deal with the nation of the Republic of South Korea to obtain 500,000 testing kits. So it's sort of like we're all just trying our best to get through this. And I think... 

Dave Bittner: Right. 

Ben Yelin: ...Google and Apple are engaged in that effort. And I think it's important and good that they're trying. 

Dave Bittner: Yeah. All right. Well, it's interesting stuff. My story this week - this came via Twitter, and this is an exchange that has attracted a lot of attention. Because it has come through Twitter and because it is difficult to vet these sorts of things that come through online, I think it best for us to approach this hypothetically. 

Ben Yelin: Sure. 

Dave Bittner: (Laughter) But there are some very interesting things that this hypothetical exchange illustrates here. I tell you what, Ben. How about - this is a text message exchange. 

Ben Yelin: Should we do a dramatic reading? 

Dave Bittner: Yeah, I was thinking let's do a dramatic reading. 

Ben Yelin: OK. 

Dave Bittner: I will be the landlord, and you can be the tenant. And it starts off, and it goes like this. You got your stimulus. Just asking, are you going to pay rent or part of rent with any? I'm trying to close out the books for April. 

Ben Yelin: Hey, how do you know I got my check? 

Dave Bittner: Because I had to check several people today and checked yours, also. People were calling me. 

Ben Yelin: How did you check it? 

Dave Bittner: Online. 

Ben Yelin: Where? 

Dave Bittner: IRS. 

Ben Yelin: So you accessed this information on the IRS website. Did you, like, need to use my SSN for that or something? 

Dave Bittner: Yes. I did this for everyone who called me today and yesterday. So are you going to be making a payment towards rent so I can close the books out for April? 

Ben Yelin: And scene. 

Dave Bittner: (Laughter) All right. So, OK, let's unpack this, Ben. Let's say I am renting an apartment from you. And, obviously, as part of my rental application, there's going to be all sorts of information on that application, including my Social Security number. You may want to run a credit check on me - those sorts of things... 

Ben Yelin: Yeah. 

Dave Bittner: ...Regularly parts of doing business. And so we find ourselves in this situation now where there's a website that the IRS has put up where you can check to see if your stimulus check has come in. And so in this hypothetical situation, we imagine a landlord using the information that they have from that rental application - Social Security number, those sorts of things - logging on to the IRS' website as the tenant to see if they got their money. Help me understand the many things that are wrong with this (laughter). 

Ben Yelin: Yeah, there are many things wrong here. First of all, let's start with what the IRS has done wrong, which I think, you know, in creating this portal, they really had to do it under a rush timeline. The stimulus was passed, you know, in the last month, and they had to work very quickly to give people a portal to look up whether they've received their payments. Now, to enter that portal and to get information on your own stimulus check, I think you have to enter your date of birth, Social Security number, was it maybe, like, the return - you know, maybe for additional information you had to put in the amount of refund you got in the previous tax year or something like that. But I think for just basic information, it might've just been date of birth, Social Security number. That's something that's readily accessible to a landlord. 

Dave Bittner: Right. 

Ben Yelin: Not to mention, beyond a landlord, those are the types of things that can be found on the dark web. I think I read somewhere else that because of that Equifax breach, a lot of that information for millions of users is online. 

Dave Bittner: Yeah. 

Ben Yelin: So, you know, I could find out probably if my neighbor received her stimulus check. You know, so that's problematic behavior on the IRS' part. I guess that gets to the problems with the landlord, which are obviously significant. This seems like a textbook violation of the Computer Fraud and Abuse Act. If you go to that IRS website, they have a very clear user agreement that says you can only access this database for an authorized purpose. And if you access it for an unauthorized purpose, you are potentially going to violate both the Computer Fraud and Abuse Act and various IRS laws or regulations about unauthorized access to tax returns. So this is likely illegal. 

Ben Yelin: If you've determined that your landlord has been going into that portal to see if you've received your stimulus check, to see if you are able to pay your rent, it's probably worthwhile to contact your attorney in those circumstances. It certainly strikes me as a violation of that user agreement with the IRS and a pretty clear-cut violation of multiple federal laws. So certainly not the best behavior on the part of this landlord. And I understand, you know, landlords are in a difficult position right now. Many of them have voluntarily said to their tenants, you know, you don't have to pay rent for a couple of months. I'm trying to be generous. I want to be one of those wonderful landlords that shows up on John Krasinski's "Some Good News" program. 

Dave Bittner: (Laughter). 

Ben Yelin: I'm so nice. You know, you won't have to pay your rent. Blah, blah, blah. 

Dave Bittner: Right. Sure. 

Ben Yelin: Other states have suspended evictions. 

Dave Bittner: Yeah. 

Ben Yelin: So if people are unable to make rent payments, the landlord is unable to evict the tenant. And, you know, that puts the landlord in a pretty difficult financial position. 

Dave Bittner: Right. 

Ben Yelin: So you can understand from the landlord's perspective, like, look; is this guy getting his $1,200 and whatever from the federal government? I know he has told me personally he can't pay rent, which is - whatever... 

Dave Bittner: Yeah. 

Ben Yelin: ...Six hundred dollars a month, but I know he - I, you know, have documented proof that he has that money. 

Dave Bittner: But how I handle my budgeting is not my landlord's business nor concern. 

Ben Yelin: It certainly is not. 

Dave Bittner: (Laughter). 

Ben Yelin: It certainly is not. And that's why that's clearly an unauthorized use of this IRS database. 

Dave Bittner: Right. Right. 

Ben Yelin: So, you know, if you are a landlord, you know, I do think we have to be sympathetic because everybody is going through a difficult period here, financially, but this is not a way to handle that difficulty. 

Dave Bittner: Some of the follow-up to this thread on Twitter say that appropriate law enforcement people have been notified and are - have expressed interest in following up on this. So we'll see how it plays out... 

Ben Yelin: Yeah, it seems like... 

Dave Bittner: ...Hypothetically, of course. 

Ben Yelin: ...The Justice Department expressed interest. And they probably - there's probably, like, you know, out of the 1,000 things that the Justice Department expresses interest in, they probably take action on less than a hundred of them. 

Dave Bittner: Uh-huh (laughter). 

Ben Yelin: But it's certainly worth watching. 

Dave Bittner: Yeah. 

Ben Yelin: And it's not just something isolated to this potentially nonverifiable Twitter exchange. I think we've seen it. There have been many cases across the country of landlords engaging in this behavior. 

Dave Bittner: Yeah. All right. Well, be kind to each other, everybody. It's - we're all in this together in this tough time, so have a little empathy, right? (Laughter) Those are our stories. A quick reminder that if you have a question for us, we would love to hear from you. Our call-in number is 410-618-3720. That's 410-618-3720. You can also email us. It's Coming up next - my conversation with Joseph Cox. He is a senior staff writer at Motherboard. And we're going to be discussing his recent article, "How Big Companies Spy on Your Emails." 

Dave Bittner: But, first, a word from our sponsors. So let's return to our sponsor KnowBe4's question - how can you see risk coming, especially when that risk comes from third parties? After all, it's not your risk, until it is. Here's step one - know what those third parties are up to. KnowBe4 has a full GRC platform that helps you do just that. It's called KCM, and its Vendor Risk Management module gives you the insight into your suppliers that you need to be able to assess and manage the risks they might carry with them into your organization. With KnowBe4's KCM, you can vet, manage and monitor your third-party vendor security risk requirements. You'll not only be able to prequalify the risk; you'll be able to keep track of that risk as your business relationship evolves. KnowBe4's standard templates are easy to use, and they give you a consistent, equitable way of understanding risk across your entire supply chain. And as always, you'll get this in an effective automated platform that you'll see in a single pane of glass. You'll manage risk twice as fast at half the cost. Go to and check out their innovative GRC platform. That's Request a demo and see how you can get audits done at half the cost in half the time. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: And we are back. Ben, I recently had the pleasure of speaking with Joseph Cox. He is a senior staff writer at Motherboard, and he recently penned an article. It was titled "How Big Companies Spy on Your Emails." Some really interesting insights here - here's my conversation with Joseph Cox. 

Joseph Cox: On the Apple App Store or the Google Play store, there are plenty of different apps that promise to either streamline or professionalize your email inbox. Maybe they get rid of clutter. Maybe they make your replies a bit smarter with machine learning or AI or something like that. But they basically try to offer some sort of benefit when it comes to email. Now, of course, a lot of these apps are free. And many, many people do download them. What people may not be aware of is that many of these apps are actually scraping the contents of the email inbox and then developing products off that. This isn't just the metadata - who sent to whom, subjects, that sort of thing. It's the actual content of the inbox itself which these apps are culling and then making a product out of that. And then these companies sell it. 

Dave Bittner: To what degree are they keeping this information personalized? If someone's scraping my email box, can that be traced back to me? 

Joseph Cox: It varies from company to company. Some will say that they keep the data purely anonymized or pseudonymized. So they may take the information - say, oh, this person has a load of receipts from Uber while this person has a load of receipts from Lyft. Then maybe if we have a large enough data set, we could maybe work out, you know, well, maybe this ride share platform is more popular - that sort of thing. It's sort of consumer insights. So it does vary. But it's still just something that individual users, at least the ones I spoke to of a very particular app called Edison, they weren't aware that this was happening. On the Edison website and the app, it says that they provide research. The users didn't necessarily understand that actually meant, well, we're scraping the contents of your emails. 

Dave Bittner: Yeah. So that was a particularly eye-opening thing to me when I read that in your article. That phrase - create research - makes it seem sort of benign. But I suppose some of the folks that you interviewed, when they found out this information, they didn't feel that way about it. 

Joseph Cox: Yeah. The term research does give sort of a academic tinge to it. I don't think the story is so much of the actual scraping itself. I mean, a lot of us are going to be used to targeted advertisement, people getting our browsing history - that sort of thing. It is more just that the companies, at least according to the users I spoke to who actually use these products, the companies weren't necessarily clear with what they're doing with user data. 

Dave Bittner: Could this run afoul of GDPR, for example? 

Joseph Cox: I mean, there could be the case that the privacy policies have not been clear enough. And then that could be an avenue for, you know, debating whether this has violated certain laws or not. I'm not a lawyer. I wouldn't make that legal argument. But the fact that these users were confused or were not aware that this data collection was happening, I mean, it shows that there could be a case to be made. 

Dave Bittner: How much of this do you suppose falls into the user's lap for responsibility? I mean, there's that notion that if you're getting something for free, that should make you wary in itself. 

Joseph Cox: Yeah. I mean, as you say, if you download a free app today, it would be great if users considered, hey, how am I actually paying for this? It's almost become a cliche at this point, but it just keeps cementing itself over and over again. If you're downloading this app for free, you are paying for it in another way. And in this case, your data. It would be good if users did exercise that skepticism a little bit more. But, ultimately, the responsibility is on the companies to be clear in the first place, and then users can make an informed decision whether they want to download it or not. It would be different if the companies were very clear and were very upfront and then the user didn't actually read the app description and they still downloaded it. Well, the onus is on the user. But it seems that if these users are to make informed decisions, the companies do need to be clearer and not use words such as research, which is, you know, ambiguous. 

Dave Bittner: Do these apps have an option to opt out of this sort of data gathering? 

Joseph Cox: It does vary from company to company, and with some, you can opt out. And this seems to have especially changed with California's new consumer protection law when it comes to data privacy. So you could go and say, hey, please don't sell my data or please opt out. And, of course, as we saw with GDPR as well, it kind of makes sense for a lot of companies not to only enforce these sorts of measures for just the Europeans because then you have to, you know, maintain two different computer systems essentially and the same with the Californian law. When those measures came into effect and these companies implemented systems, they just apply it to everybody. But still the user needs to be aware of and they need to know that they can opt out. But if you dig through, it can be possible with some services, yeah. 

Dave Bittner: Help me understand the value here to the organizations that are buying this data. If that data has been anonymized, I would imagine keeps them from being able to directly market to me. So what are they getting out of this? 

Joseph Cox: So the way we came across this story, first of all, was through a leaked document from JPMorgan sort of the investment side and it has dozens and dozens of companies described in there that would be of interest to investment bankers. Maybe some will get location data so they could see that, oh, there are a lot of phones on this oil platform. Maybe this area of the world is particularly resource heavy. Or in this case, they can look through email inboxes and then develop a product from that. When it comes to investment bankers or hedge funds or anything like that, the value may be maybe they could spot the early signs of a successful startup - had a lot of people getting receipts from this company, and it's coming out of nowhere. 

Joseph Cox: Maybe now would be a good time to invest. Or they may be able to see if, you know, a company is declining in the number of customers as well. And you could do that even if the data is anonymized. You just need to know how many receipts are going into somebody's inbox to do that. So it's of particular interest to investment firms, bankers and, like, that sort of financial sector. And they are huge on the so-called alternative data industry, which includes all of these sorts of sort of novel not-first-party ways of getting information. 

Dave Bittner: That's fascinating. What has the response been since your article was published? Have you seen any pushback? 

Joseph Cox: Edison published a blog post on their Medium page, if I recall correctly. And they, you know, just laid out sort of what they do with the data and defended their position. And to be clear, I'm not - you know, I'm not attacking any individual business or anything like that. It's just when the users weren't aware, it seemed like there was a story to be written and, well, people aren't aware of this and they're even using the app. So Edison has become a bit clearer on what it does with the inboxes it scrapes. 

Dave Bittner: In your estimation, what would be the ideal outcome here in terms of these apps alerting their users as to what they're doing and giving them options to control the amount of data they're sharing? 

Joseph Cox: I think the ideal outcome is just that users can make informed decisions. They can look at an app. It's clear on, you know, what they are paying with the app when they download it, be it their data or something else. And they can decide whether they want to do that or not. Again, if a user sees that and they decide they want to use that product, that's absolutely fine. And it's - their prerogative (ph) is up to them. But if the customer's not making an informed decision, then I think there's a problem there. 

Dave Bittner: Yeah. I mean, it strikes me as being sort of not unlike what a lot of grocery stores do where, you know, you have a loyalty card or something like that. And in exchange for discounts on products, the grocery store gets to track the things that you do or the things that you buy. And for many people, that's a reasonable exchange to make. But, again, as long as you're informed on that, then it's fine. But I guess the point here is that when they're burying things inside of EULAs and so on and so forth, as you mentioned, calling them research, that's not exactly forthcoming. 

Joseph Cox: Yeah, that's a good comparison. As you say, with the grocery stores, I mean, people are very used to these loyalty card programs. And maybe even if you and I and others may say that, you know, well, if you're not paying for the app, you're paying some other way, maybe there is still a little bit of a gap there because people clearly aren't actually aware of it to the same degree that we are with loyalty cards and other more, you know, established sort of data programs. 

Dave Bittner: What are your recommendations for people who want to do a better job staying on top of this sort of thing? When you're out there in the App Store looking for tools like this that legitimately could help you streamline your day, what are some of the things you should be aware of? 

Joseph Cox: I would say, first of all, carefully read the description in the App Store, as in the one in the Apple App Store or the one in the Google Play Store. When you go to download the app, there'll be a description there of the service. Carefully read that and see if there are any flags. If they say, we don't sell personal data, OK, that's not the same as selling we don't sell data. If we don't sell user data, again, that's not exactly the same thing. And then maybe try to make a decision off that. I don't think users should have to go read, you know, a small fine print really long privacy policy, though, because that's going to be very tiring to the ordinary user. It may be opaque anyway. And they may come away not actually understanding what the app does. 

Joseph Cox: I think just exercise skepticism, vigilance and just consider it. And if you're OK with giving permission to a service to access your inbox, you can do that. I mean, when you download an app, it will say things such as this wants to have access to your Gmail. This wants to have access to your Outlook. You may not know the exact nuances of what that product is doing, but just think whether you want to grant that access. After Cambridge Analytica and various other privacy stories, there's just so much more renewed focus on this sort of thing. And especially with the new California law as well, we're just going to see more and more of these companies not necessarily getting into the space but more people paying attention to how transparent they're actually being. 

Dave Bittner: All right. Ben, interesting stuff, huh? 

Ben Yelin: Yeah. It's one of those proverbial no free lunch stories. Any application that you are going to download for free, as Mr. Cox said, you will pay for that one way or another. That's why I always feel better when I see advertising on my applications because if that's the way I'm paying for it, that's probably among the better alternatives than them collecting personal information about you. And I do think it was interesting that he talked about the sort of misleading nature of what these applications were claiming to be doing, saying that it was for research purposes. 

Dave Bittner: Right. 

Ben Yelin: And as he said, that sounds very academic, and it doesn't sound like what they are doing, which is scraping your information for business purposes. So I think it's sort of a warning, especially to people who aren't as literate in these things as our listeners are, you should be very wary of downloading free applications and agreeing to their terms of service because you really probably are getting it for free because they're taking some private information from you. So I think the interview was an important reminder of that. And I definitely recommend people read the story he wrote on Motherboard. 

Dave Bittner: Yeah. It's an interesting shift, too, over the years, over really, I suppose, the past couple of decades of how we view some of these categories of apps. You know, time was back in the age when dinosaurs roamed the Earth and we were using dial-up internet connections, you paid for your email app. You know, you'd go and you'd by an email... 

Ben Yelin: Buy the CD, yeah. 

Dave Bittner: Yeah, for 40 or 50 bucks, you know, and that was the way it was. And now, any computer you buy comes with an app usually. And, of course, there's free apps like Gmail and so on and so forth. But as Joseph points out and you highlight as well, there's no such thing as a free ride. 

Ben Yelin: There really isn't. And it reminds us to always be more suspicious, you know, the more free benefits we're getting. I'll also say, like, some of the services that these applications are providing just sort of raised my hairs a little bit in terms of suspicion. Something about, like, going in and cleaning up your email, whatever it is they're claiming to do just seems like do I - you'd have to stop and think. Like, do I really need that as a service? And why would they be offering that to me as a service? 

Ben Yelin: There are lots of different ways to unclutter your inbox. It would take, you know, a minimal amount of effort on the user's part, just a matter of time to unsubscribe from all of the lists we've subscribed to over the years. So it just sort of would ruffle my feathers a little bit and make me a little suspicious to see an application promising a service like that. You know, anybody who is claiming in so many words that they're going to go through my inbox for whatever purpose means, you know, it's at least wise to be somewhat suspicious of that. 

Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Joseph Cox for joining us. Again, the article is "How Big Companies Spy on Your Emails." We do appreciate him taking the time for us. And we want to thank all of you for listening. 

Dave Bittner: And, of course, we want to thank this week's sponsor, KnowBe4. If you go to, you can check out their innovative GRC platform. That's Request a demo and see how you can get audits done at half the cost in half the time. Our thanks to the University of Maryland Center for Health and Homeland Security for their participation. You can learn more at The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.