Caveat 7.29.20
Ep 39 | 7.29.20

Diversity in contact tracing.

Transcript

Elissa Redmiles: There's been a lot of diversity even beyond contact tracing in solutions that people are trying to come up with.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: On this week's show, I've got the story of the Department of Homeland Security authorizing the collection of information on protesters. Ben covers a European court ruling affecting Facebook. And later in the show, my conversation with Elissa Redmiles. She's a researcher in the security and privacy group at Microsoft Research. We'll be getting her take on the privacy concerns of the coronavirus tracking apps. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, why don't you kick things off for us? What do you have for us this week? 

Ben Yelin: So I have a major judicial decision coming from the European Union Court of Justice regarding data-sharing between nations. So this is a ruling that was handed down in mid-July, so a couple of weeks ago when you all are listening to this, and it can have profound effects in how companies transfer European users' data to the United States and other countries. 

Ben Yelin: Just to give a little bit of background, this case goes back a number of years. There is a pro-privacy advocate in Austria by the name of Schrems, and he was concerned about the surveillance state of the United States after the Edward Snowden disclosures in 2013. He's actually an Austrian citizen, so a citizen of a nation that is a member of the European Union. And he brought a lawsuit in Ireland, actually, which is where Facebook's European headquarters are - I believe Microsoft's are there as well... 

Dave Bittner: Yeah. 

Ben Yelin: ...Arguing that the data-sharing between the European Union and the United States will not adequately protect his data, according to European data protection and privacy regulations. And this was, of course, before GDPR. 

Ben Yelin: Prior to this decision, there was a program in place called the Safe Harbor Agreement that allowed European users' data to be moved to the United States, and it did have some provisions for the protection of that data. In 2015, this European Union Court of Justice held that the Safe Harbor Agreement did not adequately protect user data privacy. Transferring data to a third country outside of the European Union was a risk because, frankly, the surveillance practices in the United States would allow the possible collection of private information from European users. 

Ben Yelin: So the European Union and the United States went back to the drawing board, came up with a revised agreement called the Privacy Shield, which I'm sure most of our listeners have heard of. It had provided more enhanced protection for data. And the essence of the Privacy Shield is an agreement between the United States and the European Union that any data transferred to the United States will abide by standards that have been set up in this agreement. These standards were slightly lesser than the stringent privacy standards in the GDPR regulation, which was enacted in 2018. 

Ben Yelin: So here we are in 2020. Mr. Schrems initiated the lawsuits trying to invalidate the Privacy Shield, and he was successful. The court said that the Privacy Shield does not adequately protect European Union user data - that any data being transferred to countries outside the European Union has to be transferred to a country that protects data privacy to a substantial degree the way the European Union does. And in the view of this court, the United States does not do that. And in making that decision, they cite some of our surveillance practices. Yes, we've made some reforms since the Edward Snowden disclosures with the USA Freedom Act, which curbed some of our most egregious surveillance practices as it related to call detail records. There've been some other reforms, but we have not gone far enough. And so, therefore, the Privacy Shield has been invalidated in the European Union. 

Ben Yelin: Now, there's another way that companies can transfer this data, and that's just part of standard contractual agreements. So, you know, when you agree to the terms of service, a company itself can set terms saying, any data that we transfer will abide by these stringent GDPR protections. For the time being, those types of contractual agreements are sufficient. But Privacy Shield, which was about data transfers for companies, middle and smaller companies that can't afford, like the Microsoft people do, to hire the best lawyers and come up with these contractual agreements - these companies are no longer going to be able to take advantage of that Privacy Shield, and they're opening themselves up as a result of this decision to legal liability in the European Union. So it's a pretty profound decision and something that was maybe not shocking but certainly went further than many experts predicted. 

Dave Bittner: Can you give us some insights on how do things like this - on the international stage, how do things like this get enforced? 

Ben Yelin: So that's a great question. The biggest, I think, dilemma going forward is how is the European Union and its regulating bodies going to actually enforce this? We saw what happened with the end of Safe Harbor in 2015 is that companies didn't really change their practices, and it took a few years for regulators in the European Union to actually bring legal action against these companies in European courts. And in many cases, these companies kind of thought, well, you know, it's probably in our best interest to continue our current data practices. We can always try to supplement what we're doing with contractual language which would make these data transfers legal. 

Ben Yelin: The European Union, under the GDPR, can bring enforcement actions against companies that aren't protecting user data. And so if these companies are adhering to GDPR as it relates to European data but are doing international transfers of data to companies that are not abiding by these regulations, they will be subject to potential fines, sanctions, et cetera in the European courts. 

Ben Yelin: I should also mention, you know, we talk about the United States because we're selfish and we're talking about our own country... 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: ...And we're talking about companies that are largely based in the United States, but this decision is pretty broad. I mean, it also applies to countries with even worse data protection practices than ours, particularly some of the more authoritarian countries like China. And so that can have, you know, particularly in the long term, effects on how data is routed around the world. And it can - you know, it can potentially increase costs for some of these tech companies and force them to localize their data in the European Union, which may not be ideal from their perspective. So it could, you know, I think eventually have a pretty big impact. 

Ben Yelin: Because these standard contractual agreements are still acceptable, I don't think we're going to see many changes in the short term. And, you know, there's been some confusion as some of the relevant agencies in Europe have tried to interpret this decision. I know this decision is in its infancy, so we're still kind of seeing which way the winds are going to blow there. But I think in the long run, this is a decision that really could have profound effects. 

Ben Yelin: What I wonder is if we start to see enforcement actions against these companies, are these companies going to go to the United States Congress and say, look; the European Union has now invalidated Safe Harbor and has now invalidated Privacy Shield; you need to come up with surveillance reforms to make sure that any future, you know, multilateral agreement we form with the European Union is going to allow for uniform transfers of these data without us running into the same problem? And maybe that could be an impetus for Congress to pass stricter regulations on particularly national security surveillance, which is a, you know, a major concern of this European court and privacy activists there. 

Dave Bittner: Could we find ourselves in a situation where if I'm, for example, on Facebook and I have a friend who lives in the EU that I wouldn't be able to go look at their photos or see what they're up to - that that data would be restricted from me? 

Ben Yelin: That's the risk in the long term. I don't think we're going to see that data localization now. Certainly, Facebook's the type of company that will have that standard contract clause. And Facebook has said, for the time being, nothing changes. But if we start to get some startups who are coming up with applications who want to, you know, get into the social media game, they don't have these standard contractual clauses or, you know, in future lawsuits, the European Union Court of Justice is more amenable to putting an eagle eye on some of these contractual clauses, then, yeah, we could see more localization of data. But for now, you can still stalk your European friends. 

Dave Bittner: (Laughter) Phew. 

Ben Yelin: Your secret - yeah, your secret European girlfriend that you made up in high school. You can - yeah. 

Dave Bittner: Right. No, she's Canadian, Ben. She's Canadian. 

Ben Yelin: Oh, that's right. Yeah. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: Lives right across the river at Niagara Falls. That's right. 

Dave Bittner: That's right. Exactly. Yeah, I only see her in the summertime. Wow, all right. Well, interesting story, for sure. My story this week comes from The Washington Post, written by Shane Harris. This is actually based on reporting that was first done over on the "Lawfare" blog. And the title of this article is "DHS Authorizes Personnel to Collect Information on Protesters It Says Threaten Monuments." Now, Ben, as you and I are recording this, we are in the midst of witnessing federal enforcers - (laughter) I don't know what the proper term for them is. 

Ben Yelin: Sure, yeah. 

Dave Bittner: They are federal employees who are dressed in military-style outfits. They're wearing desert camo. They have... 

Ben Yelin: Yeah, not identified. They are not wearing name badges that show which agency they're from. I think that's important to note, yeah. 

Dave Bittner: Right. They have emblems that say police on them. They have a lot of, I guess, what I would describe probably imprecisely as tactical gear. They have some weapons. They were using tear gas and so on and so forth. And these folks are federal agents under the umbrella of the Department of Homeland Security. And they are there under the orders of the president to protect monuments. 

Ben Yelin: Yes. 

Dave Bittner: Yeah, they're there to protect monuments, memorials and statues. In the particular case of what's going on in Portland, Ore., they're protecting a federal courthouse there. That is what they say they are doing. But what's troubling to many people, I think present company included, is that they have been using techniques such as grabbing people off the street - protesters - putting them into unmarked minivans and driving away with them (laughter)... 

Ben Yelin: A pretty fun thing to do in a democratic society, don't you think? 

Dave Bittner: ...Only to evidently later be told when the lawyers show up that this was an unlawful arrest and you need to let this person go. So that sort of sets the stage for where we are here with this. And with this... 

Ben Yelin: Not in a good place, yeah. 

Dave Bittner: Not in a good place, no. Certainly troubling to many, many good-thinking people all over. What this article outlines is that in addition to that, the Department of Homeland Security has authorized these folks to collect information on these protesters who threaten to damage or destroy public memorials and statues regardless of whether they are on federal property. And evidently, this is an expansion of what - the authority that they've typically been given to protect landmarks. And worth noting here - the original intent of these protections is to protect against terrorist attacks. 

Ben Yelin: Yeah, yeah. 

Dave Bittner: Shall we go down the path of discussing the Patriot Act and the ability to label protesters as domestic terrorists? Do we want to go there? 

Ben Yelin: I don't think we do want to go there. Yeah, I mean, basically... 

Dave Bittner: (Laughter) I think maybe we just did (laughter).

Ben Yelin: We set up a pretty robust national security apparatus after the 9/11 terrorist attacks, culminating with the formation of the Department of Homeland Security in 2003. That agency and its powers were never intended to be used in this manner for domestic surveillance of domestic threats. And this new guidance that was issued that you're talking about applies to threats against federal property, which is understandable. But it also applies to threats and vandalism against monuments. And that's supposedly in reaction to the president's executive order towards the end of June essentially seeking to protect these monuments, whether they are Confederate memorials or, you know, Abraham Lincoln statues. There's this sort of concerted effort to protect these monuments. 

Ben Yelin: Now, it's not just you and I saying that this is not the intended purpose of the Department of Homeland Security. It is its first agency head, Secretary Tom Ridge, who is seeing what's happening in Portland and saying this is certainly an overreach in extent of our powers that we never anticipated. So yeah, it's certainly concerning. And then, you know, I don't know if you want to get into this, but some of the surveillance methods they're using here are pretty invasive. 

Dave Bittner: So what they're outlining here - they're saying that they have to use the least intrusive means to collect information about U.S. citizens, specifically physical surveillance, the use of mail covers, which is basically collecting the information that's on the outside of... 

Ben Yelin: Right. 

Dave Bittner: ...Mailed packages - that sort of thing. 

Ben Yelin: If you're getting a letter from, you know, the Antifa headquarters in... 

Dave Bittner: Right (laughter). 

Ben Yelin: That might be suspicious. 

Dave Bittner: Right. They're not allowed to open the letter, but they can record everything that is on the outside of the letter. 

Ben Yelin: Exactly. 

Dave Bittner: But they also use monitoring devices. What's interesting is - OK, so there are some limitations here. It says they're limited to U.S. citizens believed to be engaged in or preparing for espionage, other intelligence activities, sabotage or assassination on behalf of a foreign power, organization or person. But this recent document prohibits any intelligence service activities, quote, "for the sole purpose of monitoring activities protected by the First Amendment." OK. So here's the moment where we are at tension because these are protesters. And that's a protected First Amendment right, yes? 

Ben Yelin: Yes. Now, here's what the Trump administration and DHS would say. They would say that protesting itself is a First Amendment activity, but when you engage in vandalism or looting or things like that, that's not protected First Amendment activity. So this surveillance would be acceptable. And a strict reading of the law would say as long as you're not conducting the surveillance for the sole purpose of observing First Amendment-protected activity then it's acceptable. Let's say you want to monitor people to protect against vandalism, and you just incidentally happen to be surveilling their protests. 

Ben Yelin: To be honest, I'm not sure that that's exactly what's happening here. Yes, there has been vandalism of statues in Portland, Ore., and in other places. Largely, these are isolated in the context of larger protests. And frankly, a lot of the vandalism is just fueled by the fact that a bunch of federal agents in camo and scary-looking Storm Trooper helmets are coming in and really frightening citizens and kind of riling things up a little bit. So, you know, I think true to the letter of the law, it might be true that they can engage in these practices because they're not solely targeted at First Amendment activities. But, you know, for practical purposes, I really do think they kind of are conducting this surveillance broadly against a movement. And it's against a protest movement. It's not a movement of people who are vandalizing statues just for the purposes of vandalizing statues. It's a social movement. And so, you know, I think that's where I get a little bit - or maybe a lot of bit - fearful about overreach on the part of these agencies. And again, all of these powers were created for the surveillance of foreign threats, for terrorists and were not supposed to be geared towards these types of domestic movements. So I think that's what the major change is here. 

Dave Bittner: It is chilling, I think, for many of us, for sure. How do folks push back against this? What are the available avenues for people who have trouble with this? Can lawsuits be filed? Is this something where the state can say, hey, feds, you know, get out of my state? Knock it off. What can happen here? 

Ben Yelin: So, in fact, all of those things are happening. So on behalf of some of the protesters, groups like the ACLU have initiated lawsuits. You have local officials not only saying, you know, get the H-E-double-hockey-sticks out of my community... 

Dave Bittner: (Laughter). 

Ben Yelin: ...But we will arrest federal agents who are unlawfully patrolling our streets and detaining our citizens. I think the mayor of Chicago actually said that when the president threatened to put federal troops in that city. So that's happening. Then there are efforts, probably futile, from members of Congress saying this type of deputizing of federal agencies, sending them into cities to lock people up in vans and conduct surveillance operations is unconstitutional and morally objectionable. And so the senators from Oregon Ron Wyden and Jeff Merkley have been particularly vocal about this, as you would expect. 

Ben Yelin: Coincidentally, Congress right now is debating a National Defense Authorization bill, which kind of sets our country's defense and homeland security policies. And there have been amendments considered related to sort of removing any power from the Department of Homeland Security to either send federal troops to cities in circumstances like the ones we're seeing now or to conduct these surveillance operations. 

Ben Yelin: So, you know, for the average citizen out there, it's about calling your member of Congress, figuring out when they're going to be voting on amendments, when they're going to be voting on the National Defense Authorization Act, lobbying them to support restrictions on this activity. That's crucially important. And if this happens to you personally, you potentially could have a cause of action, a number of different causes of action. It's going to be a harrowing process to go through a lawsuit. And, you know, groups like the ACLU are only going to bring cases where they think they actually have a chance of winning. 

Dave Bittner: Right. 

Ben Yelin: But those are really the avenues you have. I mean, I think what's particularly concerning is the federal government feels emboldened right now. The president is running largely on a platform of law and order, so it's in his political interests to have a show of force in these cities to quell these protests. And for the most part, particularly United States Senate is kind of willing to lay down when they see this action on the part of the president, and they're certainly, you know, not willing to tank a piece of defense policy legislation to enforce new rules on this. So it's certainly something to be concerned about. 

Dave Bittner: Yeah. And I just want to - you know, a personal note here that, you know, you and I kind of approach this - try to be as light as we can and sort of, you know, joke our way through it. And I don't mean for that to come across as being flippant or not taking it as seriously as it deserves. It is serious. I think, you know, for me personally to kind of approach this with humor is as much a defense mechanism as anything. So I just want to be clear there that - you know, I think I speak for both of us... 

Ben Yelin: Absolutely. 

Dave Bittner: ...That we recognize the seriousness of this, and we don't mean to make light of it. 

Ben Yelin: No, it is gallows humor to an extent, and it totally is a defense mechanism. I mean... 

Dave Bittner: Yeah. 

Ben Yelin: ...It's sometimes all we can do from - you know, we can only laugh, otherwise we'd be crying or we'd be overcome by anger. So it is very serious. And for any listeners who care about these types of civil liberties violations, contact your member of Congress. 

Dave Bittner: Yeah. 

Ben Yelin: Sometimes that doesn't seem like it's effective. But, you know, only when they hear sufficiently from the public will they be forced to change policy. 

Dave Bittner: Yeah. All right. Well, those are our stories. It is time for us to move on to our Listener on the Line. 

(SOUNDBITE OF DIALING PHONE) 

Dave Bittner: Our Listener on the Line this week is a good friend of the show. His name is Peter. And he wrote in, and he said, (reading) Hi, Ben and Dave. One of the peculiarities of the story about TikTok pulling out of Hong Kong is that it's a Chinese company that's been in hot water over its own surveillance practices, not to mention potential obligations to the Chinese state. It seems odd to me that TikTok would be able to make this move in the first place, unless it was a kind of PR move. Perhaps it's a move they could make to publicly shake the Chinese reputation, but it having really no practical impact because TikTok has to play along with China anyway. Just wondering if that odd contradiction came up while you were looking into the story. Have a great day. Great show, as always - Peter. 

Dave Bittner: Yeah. Ben, this is something I've been wondering about, too. What is your take on TikTok kind of trying to distance itself from, you know, China proper? 

Ben Yelin: It's a good question. I mean, I think you could largely see it as a PR move on behalf of its Western users, especially as it gains a sphere of influence in the United States and other Western countries. But, ultimately, they're going to have to make a decision. You can either - you know, certainly these symbolic gestures can be helpful, but you either are going to play ball with the Chinese or you're not. And for any company's bottom line, it's going to be advantageous to play ball with the Chinese. It's just a huge market. We're talking about - what? - 1.5 billion people, something like that. You know, it's - it would be hard to disentangle yourself entirely and still be able to compete globally. And so, you know, I think, ultimately, Peter's right that a decision to withdraw might not have much of a practical impact if, behind the scenes, TikTok is still playing ball with Chinese authorities. 

Dave Bittner: Right. And obligated to share data, as Chinese companies are. 

Ben Yelin: Absolutely. Yeah. You know, so I think that contradiction is definitely worth noting. And it should - you know, and I think it's important context to any story you see - not just about TikTok but other companies who take symbolic actions against the Chinese government or very, you know, publicly withdraw from Hong Kong in protest of these - or in protest of what the Chinese government is doing in relation to these pro-democracy protests in Hong Kong. So I think it's always good to keep a skeptical eye on that. 

Dave Bittner: Yeah. All right. Well, that is our Listener on the Line. We want to thank Peter for sending that in to us. We would love to hear from you. We have a call-in number. It's 410-618-3720. You can call in, leave us a message, and perhaps we will use it on the air. You can also send us an email to caveat@thecyberwire.com. Send us your question, and we will consider it for our show. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Elissa Redmiles. She is a researcher in the security and privacy group at Microsoft Research. And the focus of our conversation was some of these privacy concerns with some of the coronavirus apps and the things surrounding that. Here's my conversation with Elissa Redmiles. 

Elissa Redmiles: When we think about contact tracing from a technical perspective, you'll hear a lot of conversation about architecture, right? Is it centralized? Is it decentralized? And this is something not unique to contact tracing. We talk about it in a lot of technological spaces. But for the user, those architecture considerations translate into questions about privacy. You know, what might people be able to learn about me in an app with some architecture acts (ph)? It also raises questions of data agency. Do I have control of when my data is deleted and where it goes? Or does some, you know, trusted third party have that control? And if there is a trusted third party, then, you know, we have a lot of research that shows, OK, I start to care about institutional trust. Who is providing this to me? So those are kind of the three things that center around the architecture. 

Elissa Redmiles: And then, of course, these are, you know, apps. And so like many other apps, they have particular features or benefits that users may or may not care about. They have certain mobile costs. And especially because a lot of the apps are Bluetooth-based, they may have some battery life costs, as well as, you know, mobile data plan costs, which for some folks, particularly those who are lower socioeconomic status - if you have limited mobile data, that's a consideration. 

Elissa Redmiles: You, of course, have the accuracy of the app. So the way these contact-tracing apps work is they're designed to notify you if you've been exposed to someone who tested positive. And they use either proximity or location data to do that. So they can have errors in figuring out whether you were exposed - could be false positives, could be false negatives. There's also the issue of COVID tests not being perfect. So the tests that input into the system may cause errors, as well. So overall, you know, people may have some accuracy considerations. And then the final thing is, just like any app, you know, there's social influence. What is the most popular app in my area? What's the most popular app my friends are using? Are there reviews, so on and so forth, that might influence users and aren't necessarily part of, like, the technical design - right? We can't control that - but are something that they might look for. 

Dave Bittner: As we've been experiencing this COVID situation globally, different nations, different areas have been coming at this from different approaches. I mean what has been your view? As you look at it through the lens of your research here, how have different organizations been coming at this around the world? 

Elissa Redmiles: So I've been having a number of conversations with different groups building apps. One is the DP-3T team, who's in Switzerland. And Switzerland had a COVID - COVID app come out this week. And I've been in dialogue with them for a while. They actually use this framework in some of their materials. And so I think they're kind of a great example of one of the groups that really took like a holistic view on app design, which influenced a lot of European policy. And I think there was a lot of concern about, you know, what are users going to want? One thing I've been seeing in the U.S. more so than Europe is sort of some different views on what these apps could look like. So we have what we can now call traditional contact-tracing apps. 

Elissa Redmiles: But you can also have things like the Narrowcast app, which is proposed in the PACT contact-tracing protocol. And the idea of that is you eliminate a lot of the privacy concerns by not collecting user data. But you are able to broadcast to the user locations where a number of people who are known to have tested positive have recently visited. And so you get sort of a hotspot map near you without having to give up any of your data. We've also seen people looking at data donation. Would you be willing to donate your location information and your test status? As well as sort of news aggregation apps. So there's been a lot of diversity even beyond contact tracing in solutions that people are trying to come up with. 

Dave Bittner: You know, one of the things that I'm seeing reported is this notion that in order for these apps to be effective, you have to reach a certain percentage of your population being active and using the apps. It was interesting - in your research, this is something that you address here and that it's not necessarily a linear sort of thing when you reach certain thresholds. Can you explain some of that to us? 

Elissa Redmiles: Commonly, people kind of say, OK, you know, for contact tracing, it's going to scale quadratically with the number of people using 'cause you're helping the people you're connected to, right? And in order to try to figure out, like, how good is good enough for these apps, we started to take a look at, you know, if we gave users some interpretable but quantitative estimates of accuracy or privacy risk, you know, at what point, can we see, like, the majority adopting? And while we see, like, an approximately linear relationship where, like, more accuracy leads to more adoption - more privacy leads to more adoption - we've seen some boundary effects. 

Elissa Redmiles: And this looks similar to, like, prospect theory in economics, where, basically, improvements in the bottom 10 percent and the top 10 percent - so let's say, like, an app that reduces infection rate of those around you by 89% vs. 99%. We see really big jumps in those boundary areas and less so in the middle. So people appear to care less about jumps between, say, 50 and 80% in accuracy or infection rate prevention. And this is pretty typical to human decision making and is just something, you know, that's maybe a little counterintuitive if you're an app designer because you're like, OK, you know, I have two more percentage points of accuracy. That's great. But it may turn out that a user doesn't view it the same way. 

Dave Bittner: Yeah. That's fascinating. I'm wondering - you know, here in the U.S., it's my sense that there really hasn't been a big push for this so far. We've heard of various organizations who have been working on this. Probably the best known was the collaboration between Apple and Google. But I haven't really heard anything from, for example, you know, my state governor saying, hey, everybody, we're going to be using this. You know, this is going to be a way that we're going to try to make everyone safer. How much of this is sort of a PR thing from the top of leadership, people in leadership positions being able to get people on board with this sort of thing? 

Elissa Redmiles: Yeah, I think that's a really interesting question. And the landscape is continuing to change. So I'd say in Europe, it seems there's been more push toward adoption. And like I said, Switzerland had an app roll out this week. So I think in Europe, we may see more adoption. In the U.S., you're right - it has been kind of - there has been a lack of, like, common push. And I think part of that is that we haven't quite figured out how are we going to have these apps collaborate with manual contact tracers, right? Because they're not intended to be a replacement, and certainly there's a ton of expertise that public health workers have that apps just really can't bring. But the hope is that these types of things can help scale that work. And I think that's something that's still being negotiated and figured out, and that may be part of why we haven't seen kind of a big public push. 

Elissa Redmiles: The other thing I'm seeing people talk about is, you know, whether these types of apps or some type of COVID-19 app is going to be used by employers, for example, to do contact tracing, like, within a company and keep track of employee health. And that's an interesting sort of different perspective, where you have not a governmental authority, but entity that people certainly are very beholden to who might be releasing these apps. 

Dave Bittner: In your mind, what would be the ideal process for rolling something like this out? As you turn the various dials to get people to buy in, what would be the best approach? 

Elissa Redmiles: My concise answer is that we should do efficacy testing, trial testing, A/B testing - whatever you want to call it - in sort of a small, localized area, right? So this is something that, in medicine, there are, you know, particularly categorized stages of medical trials - right? - to make sure that something is working well enough and that we aren't misadvertising it and so forth. And I think for technological products, we don't always push the same burden of proof, right? Like, we tell people to do security behavior, but we don't necessarily measure how much that security behavior is going to reduce their risk and whether it's worth the cost.

Elissa Redmiles: Here I think the consequences are pretty critical, right? Does this help reduce infection rate? Does it help people stay safer? And, also, critically, are people going to act when the app tells them something, or are we just sort of tricking ourself into thinking we're helping, like a placebo effect? So I think a - you know, a small, localized, city-level trial - probably for two weeks, is what we're seeing - would really help us understand, you know, does this help manual contact tracing scale? Does it actually improve things, or does it give people a false sense of security and make things worse? Without a real pilot test, it's pretty hard to know. 

Dave Bittner: Yeah, and I suppose - I mean, there's also that element that - being that we're in the midst of this pandemic, it's kind of like - you know, it's that old saying about building the airplane, you know, while you're in the air. 

Elissa Redmiles: (Laughter) Yes, exactly. 

Dave Bittner: So, I mean, here in the U.S., are there any examples where these apps have been released, where people are actually using them? 

Elissa Redmiles: Yeah, absolutely. So the Care19 app has been released for a few weeks in North Dakota, and we're starting to see, you know, reviews on the Google Play Store and other interesting sort of performance and feedback metrics. So that'll be a great potential test, as we look toward trying to release more of these apps. 

Dave Bittner: All right. Ben, what do you think? 

Ben Yelin: So my reaction to this is sort of twofold. It's a very interesting conversation that's sort of been rendered entirely hypothetical because our country, as you mentioned in the interview, has just not shown any organized interest in mass contact tracing, the way European countries have or, you know, countries in East Asia, for example. So it just seems - not silly, but it just seems premature... 

Dave Bittner: A little academic? (Laughter). 

Ben Yelin: Yes, academic is the word to use. It seems a little academic to be talking about the intricacies of the difference in contact tracing applications, whether they are Bluetooth, whether it's, you know, some of the more advanced forms that she's talking about just because we as a country have not made a commitment to contact tracing, either through applications or, frankly, through what, you know, she talked about in the interview as the most important aspect of contact tracing, and that's actually having human contact tracers... 

Dave Bittner: Right. 

Ben Yelin: ...Who are analysts and know how to work with a large body of data. And it's not just the federal government. I mean, there's been no effort at the federal government to organize contact tracing in this country, but it's also state governments. I mean, we've seen - she talked about the effort in North Dakota, where they chose a state-specific application. You've seen a little bit in states like Massachusetts. But besides that, it's just - has not been something we've seen implemented on a large scale in most other states. And first of all, we need to get better control of cases before contact tracing is even effective 'cause it's just - when you're, you know, seeing 80,000 cases a day, 70,000, 60,000, it's just not going to be practical to do contact tracing. 

Dave Bittner: Right. 

Ben Yelin: You know, if we are able to suppress those cases, then we're really going to have to commit, both monetarily and culturally, to engaging in contact tracing and, you know, weighing the privacy implications of applications, but taking into consideration that that might be the best way to tamp down this pandemic. So yeah, it was an interesting conversation. To me, it seems academic right now, but I'll keep my hopes up that maybe our country will be more interested in contact tracing going forward. 

Dave Bittner: Yeah, really interesting work that Elissa and her team at Microsoft are doing there. And nice to know that - you know, that that is something that Microsoft sees fit to invest in, you know, that kind of work. I think it's a good reminder that they're out there supporting those kinds of efforts for the greater good. 

Ben Yelin: Absolutely. 

Dave Bittner: All right. Well, that is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.