Caveat 9.25.25
Ep 279 | 9.25.25

Red, white, and for you page.

Transcript

[ Music ]

Dave Bittner: Hello, everyone, and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner, and joining me is my cohost, Ben Yelin, from the University of Maryland Center for Cyber, Health, and Hazard Strategies. Hey, there, Ben.

 

Ben Yelin: Hello, Dave.

 

Dave Bittner: On today's show Ben has the story of the potential sale of TikTok to US investors. I've got the story of a looming deadline on renewal of a key cybersecurity information sharing bill. And later in the show, Ben's conversation with Michele Kellerman, Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab. They're discussing women's health apps and the legal grey zone that they create with HIPAA. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right, Ben, let's jump into our stories here. You want to kick things off for us?

 

Ben Yelin: Sure. So we're revisiting a story we've talked about pretty extensively, and that's the sale of TikTok.

 

Dave Bittner: Yeah.

 

Ben Yelin: So as a quick refresher, Congress passed a law which was signed by then President Biden in 2024, requiring TikTok to be sold to US investors. Basically the rationale was that it was bad for our national security for TikTok to be owned by ByteDance, a company that's kind of an agent of the Chinese government. They control the algorithm, they control the "For You" page. So they get kind of a bad influence on our nation's youth who --

 

Dave Bittner: Right. [Laughs]

 

Ben Yelin: -- use TikTok in extremely large numbers.

 

Dave Bittner: Our adversary is hardwired into the hearts and minds of our nation's youth.

 

Ben Yelin: Exactly. [Laughter] Poor young people. Kids these days.

 

Dave Bittner: Right, right.

 

Ben Yelin: So this law was challenged in court. The Supreme Court unanimously upheld that it was constitutional. President Trump came into office and just kind of didn't enforce it.

 

Dave Bittner: Hmm.

 

Ben Yelin: So there were a couple of provisions in the law that you could extend the period for which the US could finalize a sale to US-based investors without shutting down TikTok, but there wasn't really a sale in place, which was a prerequisite of that provision being in place. But nevertheless, the President still just kind of kept kicking the can down the road. He has grown to like TikTok. I think he attributes his success in the 2024 election to votes from young people --

 

Dave Bittner: Yeah.

 

Ben Yelin: -- in a way that Republican candidates haven't gotten in a quarter of a century. And one of the reasons, at least he thinks he did so well, was because of the influence of TikTok, so --

 

Dave Bittner: And he was against it, or well he was --

 

Ben Yelin: He was. He tried to ban it himself during his first term in 2020 --

 

Dave Bittner: Right.

 

Ben Yelin: -- for national security justifications and --

 

Dave Bittner: Okay.

 

Ben Yelin: -- reversed himself and has been against trying to shut down TikTok for most of this year. But it does seem that there is a deal in place where the US, led by a group of investors, would own about 90% of a TikTok spinoff, so it would be a US version of TikTok. The algorithm will remain in ByteDance's hands under this proposal. And hold onto that thought for just a moment because --

 

Dave Bittner: Hmm.

 

Ben Yelin: -- that's kind of a big deal. [Laughter] But there would be a series of investors, mostly the President's political allies, including Larry Ellison from the Oracle fortune, Jeff Yass, Rupert Murdoch and his family, and a couple of other major investment groups. So this is going to be a US joint venture owned by -- mostly owned by American investors. Again, it's not 100% American ownership, even under this proposal, but according to the White House this ownership group is patriotic and loves America. So that's good news.

 

Dave Bittner: [Laughs] Okay. As if there were any questions. [Laughs]

 

Ben Yelin: Right. So there are a couple i's that need to be dotted and t's that need to be crossed here.

 

Dave Bittner: [Laughs] Okay.

 

Ben Yelin: China and the United States have kind of agreed to this in principle, but the deal has not been finalized. So this week the President's going to sign an executive order jumpstarting that process, and hopefully over the next 120 days, at least according to the White House, the deal will come into place satisfying the law's requirements to allow TikTok to continue operating in the US.

 

Dave Bittner: Hmm.

 

Ben Yelin: But there are a couple of issues with this deal. For one, as I mentioned, ByteDance still controls the algorithm. So there will be a US-based algorithm for this TikTok spinoff, but ByteDance still controls like the algorithmic formulas. So one of the main purposes of the law -- one of the main purposes of divestment was to sever the ties between ByteDance and what US users see on TikTok. And while we've severed that partially by having a spinoff application, ByteDance still maintains proprietary control of basically how the algorithm works.

 

Dave Bittner: Is there going to be any oversight?

 

Ben Yelin: There's going to be executive oversight by a group of cybersecurity/data experts chosen exclusively by the White House. So I don't want to be unfair to the White House, but there are a lot of quotes in here from various academics saying like this isn't good enough, you need an independent panel where the experts aren't chosen by the White House itself.

 

Dave Bittner: Yeah.

 

Ben Yelin: It has to be kind of a multidisciplinary panel. And maybe you use some type of executive office that doesn't directly report to the White House, like an inspector general's office or something like that --

 

Dave Bittner: Hmm.

 

Ben Yelin: -- an office of oversight. But as of right now, the group is going to be made up of White House selected experts. So that's kind of --

 

Dave Bittner: Okay, what could -- I am sure they won't have their thumb on the algorithmic scale. [Laughs]

 

Ben Yelin: They -- yeah, and that's kind of another aspect of this that's drawing some concern. So --

 

Dave Bittner: Yeah.

 

Ben Yelin: -- when you have the White House that's going to be controlling the oversight panel, you'd want there to be perhaps some private sector pushback to prevent the White House from using its own hidden hand to control TikTok in the United States.

 

Dave Bittner: Yeah.

 

Ben Yelin: But given who the investors are, that's just not going to happen. These investors, including the Ellison family and the Murdochs, of course, are huge allies of the President, and they're making out like bandits here. I mean, this deal is going to net them billions and billions of dollars --

 

Dave Bittner: Hmm.

 

Ben Yelin: -- for people who are already the President's political supporters. And so there's at least an allegation that these so-called "media moguls" are capturing the information space.

 

Dave Bittner: Hmm.

 

Ben Yelin: It's not just happening with TikTok. I mean, we've seen other media sources recently purchased -- I think CBS is one of them, that was recently purchased by similar investors with similar political leanings. So it's part of a broader pattern of these major media companies being purchased by three or four individual rich guys who seem to want to control the flow of information.

 

Dave Bittner: Was there any bidding process here, or were people --

 

Ben Yelin: [Laughs] No.

 

Dave Bittner: Oh. [Laughs]

 

Ben Yelin: No bidding. You'd think that would have been a good way to do this.

 

Dave Bittner: Well, it would be a -- you'd think that would be in the nation's best interest, right, in terms of the raise, the money made off of this deal.

 

Ben Yelin: Right. So a guy named Rush Doshi, who is a former Biden official --

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: -- who's now at the Council on Foreign Relations, said the process had, quote, "the appearance of crony capitalism, because of how much Trump allies stood to gain.

 

Dave Bittner: Hmm.

 

Ben Yelin: The TikTok deal doesn't look open to all market participants, just those mostly close to the administration already, including its political supporters." I think a fair process would have put this out to bid. For one, it would have been better for the financial interest of the United States, because that's what competitive bidding does.

 

Dave Bittner: Right. Capitalism, Ben, capitalism.

 

Ben Yelin: Woo-hoo. [Laughter] But that's not what happened here.

 

Dave Bittner: We can't be picking winners and losers, Ben, right? [Laughs]

 

Ben Yelin: I think what -- yeah I mean, I think their concern was that somebody who was not an ally of the President would have come in with the lowest bid. They would have been a US investor, which would have satisfied provisions under this law, but the White House wouldn't have the type of operational control that they're going to have over TikTok.

 

Dave Bittner: Hmm.

 

Ben Yelin: Which is seemingly what they want here. So this is just I think kind of a -- perhaps a sad ending to a story where Congress in good faith was worried about the national security implications of this major application that's extremely popular with young people in this country, was concerned about the algorithm being controlled by a Chinese entity, that they were turning us against one another by poisoning what we see when we open that application. And the threat that Congress had come up with was to shut down TikTok in the United States unless that national security concern could be mollified.

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: But now, since ByteDance still has proprietary control over the algorithm, we are solving this problem without really solving it. And we're also making people rich who are allies of the President.

 

Dave Bittner: Richer. [Laughs]

 

Ben Yelin: Richer, yeah, they're already quite wealthy.

 

Dave Bittner: Right. Right.

 

Ben Yelin: So this just ends up being kind of an unsatisfactory conclusion to this TikTok/ByteDance saga, if the deal goes through, which it seems like it probably will.

 

Dave Bittner: Do you have any insights on the intersection of the original legislation and the President's executive orders? Like what are the legal obligations that the White House has to follow the things that were set out in the original legislation?

 

Ben Yelin: They have an obligation to follow them under the law in order to continue -- or in order for TikTok to be legal in the United States after the deadline, which was January 19th of this year, there had to have been a deal in place -- there's some language in there about like a deal has to be close to being finalized or --

 

Dave Bittner: Hmm.

 

Ben Yelin: -- in the process of being finalized in order for TikTok to remain legal in the United States.

 

Dave Bittner: Okay.

 

Ben Yelin: But they never did that. The President signed an executive order right after he came into office basically saying we are just not going to enforce this provision.

 

Dave Bittner: Hmm.

 

Ben Yelin: So there's a little wiggle room there in that he was negotiating with potential investors this whole time. So if I was an attorney for the Department of Justice, that's probably what I would argue in a court proceeding, that --

 

Dave Bittner: Right.

 

Ben Yelin: -- well they were trying to effectuate a deal. But that's not really what the legislation said. You had to be further along in the process. And frankly, to their credit, a lot of conservative legal commentators who are otherwise very Trump-friendly have criticized him relentlessly for not enforcing this law.

 

Dave Bittner: Hmm.

 

Ben Yelin: I think that's one of the few areas where I've seen significant pushback so far this term from those in the conservative legal community who think that this is pretty much a blatant violation of the intention of that statute. But seemingly this deal, if it is ratified, would at least satisfy the terms of that legislation, even if perhaps it doesn't satisfy the spirit of what Congress was attempting to do, which was to sever the ties completely between the Chinese government and this application.

 

Dave Bittner: So does this solve the problem?

 

Ben Yelin: I mean, I don't think it solves the problem, one, because of ByteDance's continued ownership of the algorithm --

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: -- which ensures that we're still going to have those concerns about censorship, disinformation, that sort of thing. If your interpretation of solving the problem is that we still get to use TikTok, and slap some incredible memes out there, and make some kickass videos, then the problem is solved from that respect. I think --

 

Dave Bittner: Well, yeah, my -- I would define "problem" as being the national security problem.

 

Ben Yelin: It doesn't seem like those are going to be resolved. Now, Oracle, which is part of this deal, is still going to control kind of the security protocols, as they have been through their data processing facility in Texas.

 

Dave Bittner: Hmm.

 

Ben Yelin: So I guess that's a partial solution to this problem, but again, without having full control over -- or proprietary control over the algorithm, you can't really stop the evil that Congress was trying to prevent.

 

Dave Bittner: Yeah.

 

Ben Yelin: Oracle is just the security provider, and they will have auditors to review the app's underlying code, at least according to Larry Ellison, Oracle's cofounder who's --

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: -- a major investor in this. But again, with ByteDance still having its own interest in the algorithm, that's not being severed by this potential deal, I don't think -- at least according to Congress's own intent when this law was passed in April 2024 that we're having proper divestment here. So you could say that this entire effort to ban TikTok has kind of backfired in a way, because the solution is really not solving the problem that we had originally identified collectively over a year ago.

 

Dave Bittner: And so is this a matter of Congress not standing up for themselves against the White House?

 

Ben Yelin: Yeah, I mean, Congress is not going to do anything here. I think there were a lot of reluctant supporters of this legislation, even when it did pass.

 

Dave Bittner: Hmm.

 

Ben Yelin: Because you don't want to anger your younger constituents whose main source, in many cases of news comes from TikTok.

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: But the law did pass. It did survive legal scrutiny at the Supreme Court. And I think at least for members of Congress who don't want to push back against the President or don't want to be seen as, you know, the nanny state who's shutting down everybody's favorite application, I think there's going to be some giving the White House the benefit of a doubt here and having plausible deniability by saying they want a divestment and they're at least getting 90% divestment. And that's good enough to keep TikTok rolling, we've put this problem behind us. You have to kind of look under the hood just a little bit to see that not having control of the algorithm means we actually are not solving this problem. But I think members of Congress could get away with saying, "I saw this deal. Ninety percent of it is going to be owned -- 90% of this company the spinoff is going to be owned by US investors, so that's good enough for me."

 

Dave Bittner: Right.

 

Ben Yelin: I think that's probably the type of statement that we're going to see coming out of members of Congress.

 

Dave Bittner: Right, don't let the perfect be the enemy of the good, I suppose.

 

Ben Yelin: Yeah. And I think one thing that we started to realize, even when this was under consideration at the Supreme Court is there was an expectation in the interim period from when the law was passed to when the Supreme Court heard the case and when the law was supposed to be coming into existence this past January. There was real apprehension and reluctance like, "Are we really going to do this? Are we really going to shut down this extremely popular application?" There's going to be huge backlash. I mean, TikTok was sending out notifications to all of its users in January when Biden was still president basically telling its users, "Joe Biden is going to take away your access to this application.

 

Dave Bittner: Hmm.

 

Ben Yelin: Be very angry. If you're angry about this, email your member of Congress." And that has a big impact. And I think probably members of Congress, even those who theoretically supported putting these tough restrictions on TikTok saw how angry people were when it appeared as if TikTok was going to be shut down, and probably got a little apprehensive about it. So this just might be the easiest solution -- or the path of least resistance, I should say, for many members of Congress.

 

Dave Bittner: Who brought it in front of the Supreme Court?

 

Ben Yelin: The US government, in seeking enforcement of the law, defended this case in court. It was the last case defended by the previous Solicitor General under the Biden administration, Elizabeth Prelogar. They had been sued by TikTok/ByteDance. And like I said, that decision was unanimous, so you had the consensus of all nine judges.

 

Dave Bittner: Wow. Hmm. Wow. [Laughs] Right?

 

Ben Yelin: Yeah, which is rare to get. And it -- the case was heard in an expedited manner. So usually you have oral arguments in the case, sometime, you know, between October and April, and the decision comes out in June. This was oral arguments one week, the decision I think less than two weeks later. So this is something that the Supreme Court, at least, took very seriously. And yeah, it was -- I am just seeing the dates now. It was argued January 10th, decided January 17th.

 

Dave Bittner: Hmm.

 

Ben Yelin: That is quite a rarity in terms of the speed of making a decision.

 

Dave Bittner: So what kind of timeline are we on now in terms of this being finalized?

 

Ben Yelin: Within 120 days, at least according to the law, this would have to be finalized lest, again, TikTok would be shut down within the United States, theoretically. Now, given Trump's love of TikTok, I still don't think he would actually shut it down. I mean, he's been --

 

Dave Bittner: Right.

 

Ben Yelin: -- required to do so, but that is the timeline that we're on right now. Within 120 days this deal that's been agreed to in principle has to be signed by all of the relevant parties. Another element of this is that China held this kind of as leverage against the United States in trade negotiations. So we are -- I mean, I don't really understand the trade aspect of this, this is not my specialty, but we granted some trade concessions to China in exchange for them agreeing in principle to this deal --

 

Dave Bittner: Hmm.

 

Ben Yelin: -- since China knew that the US, according to the law that had been passed, was going to have to come up with a deal for divestment that allowed TikTok to continue in the United States. So China said, "Fine, we'll play ball, but we'd like XYZ in trade policy."

 

Dave Bittner: Hmm.

 

Ben Yelin: And so that did end up being part of these negotiations.

 

Dave Bittner: All right. Well, we will have a link to that story from the folks at the Washington Post. We will be right back after this message from our show sponsors. [ Music ] My story this week comes from our friend, Tim Starks, over at CyberScoop. And this is looking at the real possibility that a very important piece of legislation, the Cybersecurity Information Sharing Act of 2015, referred to as "CISA 2015", which we've talked about here before, is set to expire at the end of this month. And it's looking more and more like that's going to happen, or is a real possibility of happening. Lots of people -- in fact I'd say most people, wanted it to be reauthorized, but the concern is that it's not, and so a lot of people -- well let me back up here. What this -- one of the main things that this legislation does -- and chime in here, Ben, if I am incorrect or incomplete, is it allows information sharing between the private sector, between themselves and government. It takes away risks of liability when that information sharing happens.

 

Ben Yelin: Right.

 

Dave Bittner: Is that the fair way to describe it?

 

Ben Yelin: Right. So this is not a law that imposes any mandates on private business, it is legislation that just enables -- it enables a platform for cyberthreat information sharing.

 

Dave Bittner: Yeah. So I was talking to someone yesterday, someone in a leadership position at a global telecommunications company who was telling me that the CISOs of these companies are -- they're getting memos from their legal teams saying, "This is what we're going to have to do. If this law doesn't get renewed we're going to have to pull back on our information sharing because of the potential liabilities, and that will have a real impact on our ability to stay secure and safe through information sharing."

 

Ben Yelin: I hate to make this story about Senate procedure.

 

Dave Bittner: Okay. [Laughs] But --

 

Ben Yelin: But I'm going to make this story about Senate procedure, at least very briefly.

 

Dave Bittner: Okay.

 

Ben Yelin: So --

 

Dave Bittner: Educate us, Ben. [Laughs]

 

Ben Yelin: -- everybody who is in support of reauthorizing CISA 2015, which is what this law is commonly known as to --

 

Dave Bittner: Yeah.

 

Ben Yelin: -- distinguish it from CISA, the agency --

 

Dave Bittner: Right.

 

Ben Yelin: -- industry groups, private sector advocates, the Donald J. Trump administration --

 

Dave Bittner: Yeah.

 

Ben Yelin: -- bipartisan members of Congress, the holdup is Rand Paul, a senator from Kentucky, who has long been opposed to CISA 2015, basically for libertarian reasons, he thinks even the perceived pressure to share information could violate the privacy rights of individuals and companies and could be an affront to the First Amendment.

 

Dave Bittner: Hmm.

 

Ben Yelin: And this goes against members of his own party, members of Kentucky business groups who have urged him to support a clean reauthorization while coming up with another piece of legislation to address his concerns.

 

Dave Bittner: Hmm.

 

Ben Yelin: But Paul is not just any other senator, he holds a committee chairmanship. And the way Senate rules work is many things can only happen with the unanimous consent of all senators. So a couple of times Democratic senators -- they mentioned Senator Gary Peters here -- have requested unanimous consent for a 10-year clean extension of CISA 2015. Rand Paul objected, as is his right under Senate rules. We've decided to have rules in the Senate where 99 senators could support something, but if it doesn't have the consent of all 100, you'd have to jump through a bunch of procedural hoops which Senate leaders just don't want to do.

 

Dave Bittner: Hmm.

 

Ben Yelin: It's very time-consuming. In Congress there's another deadline that's coming up on September 30th besides CISA 2015, and that's federal funding. So the House of Representatives passed what's called a "continuing resolution", which would continue federal funding at current levels for a short period of time, I think it's two months.

 

Dave Bittner: Yeah.

 

Ben Yelin: And this is supported by the President, it's supported by House and Senate Republicans. And this included a two-month extension to CISA 2015 as well. But Senate Democrats filibustered the attempt to pass this continuing resolution for kind of nebulous reasons. They're saying it's because a provision to restore subsidies under Obamacare has not been included. But really I think they just kind of want a seat at the table here and they're trying to use the little leverage that they have.

 

Dave Bittner: Hmm.

 

Ben Yelin: But that incidentally is holding up a two-month extension of CISA 2015. There's also the National Defense Authorization Act, which sets policy for -- I'm still calling it the Department of Defense, because that's what its legal name is.

 

Dave Bittner: [Laughs] Right, right.

 

Ben Yelin: The Chairman of the House Homeland Security Committee, Andrew Garbarino, tried to add an extension to CISA 2015 as part of the NDAA, which passed the House, but that was stripped out in the House Rules Committee --

 

Dave Bittner: Hmm.

 

Ben Yelin: -- and Rand Paul got it stripped out of the Senate's version of the NDAA as well. So that's not a vehicle that can be used.

 

Dave Bittner: Hmm.

 

Ben Yelin: So it's just amazing the power of one single senator when he or she feels strongly about stopping something. You can really grind the gears, even if this is something that has bipartisan, bicameral support, the support of the presidential administration, and really the unanimous support of those in the private sector.

 

Dave Bittner: And a senator who I guess prides himself on his resistance to peer pressure from his senatorial peers.

 

Ben Yelin: To his credit. And there are -- honestly there are a lot of 99-1 votes where I think Rand Paul has a righteous claim to be speaking out for an unpopular minority position.

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: I mean, I think there is something that is admirable about it. But if you want to live in a country where, even if a majority doesn't rule, a supermajority might -- or probably should -- have the power to effectuate policy, then the rules of the Senate that give so much power to individual senators to put holds on popular policies might not be the best way of doing business. And there's not enough institutional support in the Senate to prioritize this over government funding or judicial nominations or anything else that's making its way through Congress right now. Like if Senator John Thune, who is the Senate Majority Leader, cared enough about this, he could go through the process of filing cloture, which needs 60 votes, and requires 30 hours of debate.

 

Dave Bittner: Hmm.

 

Ben Yelin: But I don't think he's interested enough to use precious Senate floor time to pass an extension of CISA 2015. And that's why we are where we are.

 

Dave Bittner: Yeah. So if, as it appears more and more likely, this is not going to be extended, that leads -- I know people I've talked to are very concerned that it weakens our security, because people will not feel as though they are protected when communicating threat information with each other and with the government.

 

Ben Yelin: Right. And without the protections of CISA 2015 in place, they may feel that revealing threats could subject them to legal liability --

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: -- which they're supposed to be shielded from under this law. I think the best hope is that whatever deal Congress eventually comes up with for a continuing resolution of government funding, they just tuck this provision in there, which I think they could get away with, because Rand Paul is going to vote against an extension of government funding anyway --

 

Dave Bittner: Right.

 

Ben Yelin: -- so you're going to have to do it with non-Rand Paul votes --

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: -- if that makes sense, and --

 

Dave Bittner: [Laughs] The math, that's the way the math has to be, you know.

 

Ben Yelin: Right.

 

Dave Bittner: Right, you have to presume -- right, yeah.

 

Ben Yelin: And I think if there's a bipartisan deal on government funding, then the floor leaders will take the time to make sure that it gets passed. Now, the prospects as of this recording of that happening seem pretty low --

 

Dave Bittner: Mm-hmm.

 

Ben Yelin: -- but the government's not going to be shut down forever. Eventually, they're going to come up with some deal. And I would guess that a temporary extension of CISA 2015 is going to be part of that deal one way or another.

 

Dave Bittner: Yeah.

 

Ben Yelin: If not, I think there will probably be an effort to do a standalone piece of legislation to reauthorize it, and then it's: will Rand Paul use his committee chairmanship of the Senate Homeland Security Committee to try and stop that clean reauthorization in its tracks? And I think that's a definite possibility.

 

Dave Bittner: Right.

 

Ben Yelin: And he has major levers he can use to make that happen.

 

Dave Bittner: And then if that were to come to pass, would that be a process of legislators then sort of stripping out the components that Rand Paul was concerned about and so that as much as possible could pass in a revised bill?

 

Ben Yelin: Yes, although a lot of what Rand Paul is demanding is something that Congress is never going to accept.

 

Dave Bittner: Hmm.

 

Ben Yelin: So he wants to remove FOIA protections, Freedom of Information Act protections, related to information sharing under CISA 2015, which I think is a DOA proposal for many members of Congress.

 

Dave Bittner: I see.

 

Ben Yelin: And he also wants federal preemption here, which is also DOA, at least the way I see it. I think the private sector thinks that those provisions would undermine private sector participation -- voluntary participation in this information sharing program.

 

Dave Bittner: I see.

 

Ben Yelin: So I don't think that's a realistic solution at this time.

 

Dave Bittner: Hmm. Yeah.

 

Ben Yelin: I guess, you know, the other thing that could be catalyzing is if there is a major cyber breach that happens while this law is on pause. And even if you couldn't fully attribute that to the expiration of CISA 2015, if you could partially attribute it to it, then that might cause a political groundswell to restore support for the legislation.

 

Dave Bittner: Right.

 

Ben Yelin: So I don't wish for that to happen, but that's just something that I could see happening.

 

Dave Bittner: Yeah. All right. Well, we'll have a link to that story in the show notes. Again, that's courtesy of our pal, Tim Starks, over at CyberScoop. We would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's caveat@n2k.com. [ Music ] And we are back. Ben, you have the interview duties this week, and you recently had the pleasure of speaking with Michele Kellerman. She is a Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab, my old job. [Laughter] Sorry, it's an old -- I just --

 

Ben Yelin: That's an old --

 

Dave Bittner: -- stole a joke from Bill Maher.

 

Ben Yelin: -- radio host joke, yeah.

 

Dave Bittner: Yeah, yeah. [Laughs] Apologies.

 

Ben Yelin: Thanks, Jay Leno.

 

Dave Bittner: Yeah, exactly. But -- so but you're not discussing air and missile defense.

 

Ben Yelin: We are not, no.

 

Dave Bittner: You are discussing women's health apps and the legal grey zone that they create with HIPAA. Here's Ben's conversation with Michele Kellerman.

 

Ben Yelin: So today we're going to be talking about period tracking apps and digital privacy, especially in the Post-Dobbs era. So we are now three years after the Supreme Court's decision in Dobbs, which held that Roe versus Wade was overturned, there's no constitutional right to an abortion, it's an issue left to the states. Can you just kind of talk about the context of this issue, why you became interested in it, what the implications are of these period tracking apps?

 

Michele Kellerman: Yeah. So when the Dobbs decision was made, women obviously were trying to figure out what this meant for them, what this meant for their safety. But then as the dust settled from the immediate shock, we were looking into how does this affect our everyday lives and things other than just wanting strict access to abortions, and that includes all reproductive health. So in a lot of women's spaces, on Reddit, or you know, on social media, people started talking about how you need to delete your period tracking apps. And the conversation was very confusing because we were all under the impression that our health information was safe and protected. We were all raised that your doctor is the only one who has a right to know what's going on in your doctor's office. So this huge shift was really surprising. And to look at period tracking apps, come to find out they're not protected under HIPAA.

 

Ben Yelin: So yeah, that was going to be my follow-up question. So our listeners are probably thinking like, "Oh, private health information, that triggers HIPAA." Why are period tracking apps not covered under HIPAA?

 

Michele Kellerman: Health information specifically is a unique case. A lot of times when we have -- when we talk about tech law, a lot of the current coverage is co-opted from older laws that we see over the last three or four decades. But that's because it covers a data type, a type of information. HIPAA is unique. It covers entities. It doesn't matter what type of data it is, it matters who is owning the data, so doctors, clinics, you know, psychologists, hospitals, your health plans. It only covers specific entities, not the type of information as a whole. So it's not covered because an application is not a doctor. It's not a covered entity.

 

Ben Yelin: Before this became such a live issue, was there any effort in Congress or at the state level to amend HIPAA or state-level equivalents to include applications; like was this something that was on the radar or is it just, you know, an issue that's never really come up?

 

Michele Kellerman: It's come up in congressional inquiries, so with Cambridge Analytica and Facebook selling your data to these data brokers. But it didn't get into health-specific information, it was just your online privacy as a whole coming up in these bigger inquiries by Congress, but not an effort specifically that's legislated outside of data privacy laws. But health isn't always covered in data privacy laws. Practically only about 50% of them do.

 

Ben Yelin: Whereas, at the federal level, it's more the absence of a data privacy law anyway. [Laughs]

 

Michele Kellerman: That's what they're great at.

 

Ben Yelin: As we all know. So can you kind of walk us through how period tracking apps could be used by law enforcement in a case relating to reproductive rights and if there is any case law on what happens in those scenarios?

 

Michele Kellerman: Before we get to that, there was an effort to amend HIPAA, luckily, by the Biden-Harris Administration. They added a new provision in 2024, June of 2024, that prohibits a HIPAA-covered entity from releasing PHI for the purpose of conducting criminal, civil, or administrative investigations, and the identification of anybody involved with reproductive health that was specific to reproductive health. So HIPAA now covers -- has a specific health provision for reproductive health. So they are -- there are amendments to it very recently in wake of the Dobbs decision.

 

Ben Yelin: Is that something that the Trump administration has tried to reverse? I'm kind of surprised they haven't, either through like the Congressional Review Act or just through promulgating new regulations.

 

Michele Kellerman: So they overturned two Biden-era executive orders that were about allowing better access to reproductive health, and then also protections. So there were two Biden-era executive orders that have been overturned for access to reproductive health, including abortion.

 

Ben Yelin: Got you. Okay, so now we can kind of go back to that original question, just walking us through what a typical case would look like, and then where we are in terms of state case law, or federal case law, for that matter, with these period tracking applications.

 

Michele Kellerman: When you install a period tracking app, it asks for standard health information about you, your name, your age, your gender. And then it gets into date of last period on the most basic level. And then you have other -- you have some applications that get more into it, your mood swings, how heavy your -- how like heavy your other -- your period symptoms are or your symptoms when you're not having your period, are you tracking fertility, are you attempting to have a child, even things like fertility monitors. Like Inito is one of them where you can have all that information and you can have your body temperature, blood work, you can have any -- like a wealth of information that go to these applications that are not doctors. Inito and other fertility monitors and period tracking apps are completely separate.

 

Ben Yelin: Can you talk about state laws or state applications where law enforcement has been trying to use data from either period tracking apps or otherwise in criminal or civil cases relating to reproductive rights?

 

Michele Kellerman: We haven't seen any cases at this moment where they specifically name period tracking apps, but we are seeing a patchwork of laws try to come from the states. So Virginia in 2023 presented a bill that would have barred police from looking at data in period tracker apps when executing a search warrant. As you know, search warrants are very broad, it can be on the device in general. But this bill would have barred period tracking and health apps from the scope of a search warrant. Unfortunately, Governor Youngkin's administration opposed it and it died in chambers. We are also seeing Massachusetts just updated their shield law strengthening protections for providers and patients. And actually, the law prohibits Massachusetts state and local authorities from cooperating with any federal or out-of-state investigation. So it's not just up to the local municipality if they want to get involved in helping an additional -- a different state like Texas, for example, who is attempting to criminalize out-of-state abortions. This law actually bars the process altogether from cooperating with other states. So we're starting to see states get involved, but it's very patchwork and it's very dependent on the political winds.

 

Ben Yelin: What is kind of the horror story that you're anticipating with period tracking apps? Like what is the data that they are going to pull out to potentially use in a prosecution? Like how would a prosecutor try and build a case based on a period tracking app? And then I think with that context, we could talk about remedies and potential solutions to this issue.

 

Michele Kellerman: I would be concerned about criminalizing miscarriages and abortions. So somebody that -- because we see a lot of times there's just an idea of like, "Oh, we think that she's pregnant." People will make assumptions on a woman's fertility status constantly for free, just with -- even though it's none of their business. That's just the natural state of how people are. So I'm concerned of people making assumptions about somebody else. We saw with Texas, they -- one of the private entities involved in this released a website where you could snitch or report other people who were getting out-of-state abortions. So we're already in this state of reporting other people based purely on speculation, and then you would have these apps where you would have a consistent -- maybe if your cycle is regular and you have a monthly period, and then all of a sudden you don't, they can make the assumption that you're pregnant. And then if you don't have a child, you could be potentially prosecuted for a miscarriage. Even if it's a fallacy, it's still a grueling, awful position to be in. Even if eventually the evidence comes out that you were never pregnant or never miscarried, or had an abortion, it's still criminalizing just a woman's body functioning.

 

Ben Yelin: And this is what sort of gets me about this is obviously in this country abortion is -- and reproductive rights generally are a divisive political issue. I wouldn't think that even for those who are rabidly pro-life there would be a lot of enthusiasm about obtaining data from private period tracking applications. Like I guess maybe this is an unfair question, but how is this an issue? Like what is -- where is the opposition to keeping this data private or adding some type of HIPAA level protection on these applications?

 

Michele Kellerman: I think people are -- have gotten so used to being in everybody else's business. With social media and everything that you do being somehow available for public comment, we've lost the desire for privacy. And we also have come to expect that we just don't really have it anymore with every time we get a credit report breach and monitoring your credit cards, at this point, there have been so many, we don't care anymore. And it's a given now that your personal information is just out there. And we still hold the criminalizing a woman's body as this farfetched idea, as if it's not really happening, whereas a baby can be right in front of you and you only see what's directly in front of you. So I think there's just not an appetite for fighting for this amorphous idea of privacy when we already exist in a world where we don't expect it.

 

Ben Yelin: So I guess there are two questions that flow from this. So there's solutions at the individual device level. And we can -- I think it's important to get into what those are, certain settings that you can use as a prophylactic measure against government surveillance. So why don't we start there and then we can get into potential policy changes after that? But like what can an individual who is concerned about this or somebody who loves an individual who is concerned about this, what advice would you give that person on protecting your extremely personal private data here?

 

Michele Kellerman: Well, my desire is obviously to go with less technology and information on your device, so you can always go back to manual tracking of your symptoms and your cycle. There -- we've circled the date on the calendar for many, many, many years of when we are expecting our cycle to start. There's also you can do research into certain apps to see which apps based on their privacy policy or their personal statements. So for example, Clue is based in Belgium. They have put out a public statement explicitly stating that, "We will never cooperate with a foreign investigation into your reproductive rights." And they are based in the EU doing some -- that are subject to GDPR. So you can find certain applications. You have to really, though, do your research. But there's still a risk of we don't know how this is going to play out in court. We don't know how this is going to be litigated. This is still very early on and you don't want to be the test case, so just not putting it on your phone. Or I've seen some more unique ways to go about it of using Siri automated responses. So if you say -- if you create a set of automated responses in your phone when you say, "Hey, Siri, I'm being pulled over," all of your apps get closed out, your -- if you're on any phone, hang up, your music gets paused, and your period tracking app gets deleted, or you can put it behind a specific code -- like passcode. You can lock and hide apps now on your phone so it wouldn't be able to be caught by a basic search warrant that, you know, a police officer on the side of the road is executing.

 

Ben Yelin: Very interesting. So I guess like reading the EULA, which nobody actually does, is more important in this situation than pretty much any other circumstance you can possibly imagine.

 

Michele Kellerman: And the EULAs are deliciously vague, as they always are, for their intended purpose. For example, the EULAs, they have, "We're not going to share it." We saw it with the Flo lawsuit they just wrapped up that that turned out not to be true. And we see that it's very much so up to the discretion of the app. They can change their privacy policy and just let you know in the side in the privacy policy, "You have -- " where it says, "We're not going to sell your data, but we're still going to collect it to make the app better. We're also going to comply with any legal investigations required," which up until that Biden-era addition to HIPAA meant, "We'll play ball with whomever."

 

Ben Yelin: Can you talk a little bit about -- you mentioned the Flo case. Can you give us some background on that and what the decision was and what the implications are?

 

Michele Kellerman: Yeah. So Flo is one of the top period tracking apps in the App Store almost all of us use. I used it at one point myself. And in 2021, a class action lawsuit was brought against Flo with the accusation that they were sharing personal information about the users when they said explicitly that they don't. So Flo put in their privacy policy that their sensitive reproductive information and survey questions would not be disclosed, but personal data ended up being shared with Meta, Google, AppsFlyer, and added a Linux company, and a now-defunct company called Flurry. So they claimed that their cycle length and cycle start date were shared with Meta and Google through the ad software development kit. Google reached a settlement out of court, so did Flurry, and the trial -- so it went to trial for -- against Flo and against Meta, and that trial wrapped up at the beginning of this month August 1st. Now, Flo claimed that they still did nothing wrong, they held that they did nothing wrong and they did not violate their user agreement. And they settled the day before the court case came down and then the jury found Meta liable for violating the California Information -- California Invasion of Privacy Act. So Meta lost.

 

Ben Yelin: Why don't we move on to potential policy solutions? So let's start at both of us live in the state of Maryland. That's generally a state that's friendly, favorable to reproductive rights. What could states like Maryland do to protect the privacy of these applications? Is there a policy lever that these states could pull that would make a big difference?

 

Michele Kellerman: Yes, banning the sale of personal health information in general. We started seeing some attempts at this, but it hasn't hit -- it hasn't landed anywhere unfortunately. So data brokers can take in all this information and sell it to whomever is interested. And banning the sale of personal health information by data brokers could be a very big solution. And it's not banning data brokers altogether, there's no way that we would be able to get that to happen because there's too much money to be made, too many businesses count on that information. We can create a carveout banning the sale of health information and making it publicly available for collection and sale, and then that pretty much leaves just you maintaining your own data or your doctor by just banning that practice.

 

Ben Yelin: And then how do you address like the extraterritorial element of this? So a person from Texas goes to Maryland and Texas tries to use some type of long-arm statute to obtain period tracking information, like what's a way that the state can prevent that from happening? Is it to use that approach that you talked about in -- was it New York, Connecticut?

 

Michele Kellerman: Massachusetts is actually working -- Massachusetts -- the ACLU of Massachusetts is looking at going in a roundabout way of not trying to touch the health information. They have a law being potentially considered by the state of Massachusetts to ban the sale of location information surrounding health clinics, hospitals, doctors' offices. So this would -- they updated their shield law three weeks ago, but the Location Shield Act from the Massachusetts ACLU would prevent data brokers from buying and selling this data that can be purchased by other states to circumvent courts and state laws. It died in chambers last term, but it is being reintroduced in this term.

 

Ben Yelin: And given just the political realities at the federal level, am I correct in thinking that like -- obviously you never want to say it's not worth trying, but just the major action here is going to take place in state governments. Is that your take as well?

 

Michele Kellerman: Unfortunately, yes. The states that want to protect their citizens are going to largely be the driver of this circumstance, unless we can get something done by federal smaller agencies like the FTC stepping in. But I don't think they have the stomach for this. There's not really a desire for it, so unfortunately I think it's going to be up to the states to make it as difficult as possible. Google is making it a little bit harder. So they announced that they are not going to store location information of their users and it's all going to be held on the device. It still puts you at risk of your device being taken, but it prevents broad -- we want to know whoever is at an abortion clinic. So it pretty much renders geofence --

 

Ben Yelin: Right, so they can't do like a geofence with -- yeah.

 

Michele Kellerman: Yep, they find those geofence warrants useless by Google changing their business practices for this. So unfortunately, it's going to be states and businesses that are going to be fighting this fight for us, unfortunately. [ Music ]

 

Dave Bittner: All right, interesting stuff. I mean, Michele really has some knowledge and expertise when it comes to this, huh?

 

Ben Yelin: Yes, and a lot of it is through her work, but a lot of it isn't. I mean, she just is somebody who is genuinely interested in these topics, and is extremely knowledgeable, and is a fan of the show. And I'm just so glad that we got to have her on.

 

Dave Bittner: Yeah, absolutely. Once again, that was Michele Kellerman. She is a Cybersecurity Engineer for Air and Missile Defense at Johns Hopkins University Applied Physics Lab. And we do appreciate her taking the time. [ Music ] And that is "Caveat," brought to you by N2K's CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Peter Kilpe is our publisher. I'm Dave Bittner --

 

Ben Yelin: And I'm Ben Yelin.

 

Dave Bittner: -- thanks for listening. [ Music ]