Caveat 9.9.20
Ep 45 | 9.9.20

Privacy: once you give it away, it’s very hard to get back.

Transcript

Jennifer Fernick: The thing about privacy is that once you give it away, it's a very, very difficult thing to get back.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. This episode is for September 9, 2020. I'm Dave Bittner from the CyberWire, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, I look at one state's plan to provide internet to rural students. Ben describes a controversial move by California lawmakers to implement immunity passports. And, later in the show, my conversation with Matt Lewis and Jennifer Fernick - they're researchers from NCC Group, and they recently published a report titled "Smart Cities," weighing the benefits against the dangers. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right. Let's kick things off with some stories here. Ben, why don't you start it off for us? 

Ben Yelin: Sure. So my article is actually a position paper/op-ed from the Electronic Frontier Foundation. It's about a piece of legislation under consideration at the California General Assembly, the California state legislature. And this would be a proposal to have a pilot program for so-called immunity passports, which would be a verified health credential that shows the results of somebody's negative COVID-19 test, which would allow that person to get into certain public places, be they employment, airports, etc. It could also potentially show that that person would be immune from COVID-19. So if you've had, like, an antibody test, you could prove that person, at least theoretically, would not be subject to infection. And they would do this pilot program using blockchain technology, which is one of the more controversial facets of this potential idea because, obviously, you'd be creating some sort of permanent record for a result that's not necessarily permanent, given our current understanding of how the virus works. 

Ben Yelin: So this bill would empower the California Department of Consumer Affairs to authorize health care providers to issue verifiable health credentials. It would set up a sort of oversight committee on these activities, which would feature groups like the Electronic Frontier Foundation, ACLU to make sure that people's civil liberties weren't being violated. And then it would gradually start a process where this type of program would become more ubiquitous. You'd try it out in very limited circumstances at first, and if the program were successful, it's something that you could expand. So you can certainly understand the rationale behind these type of immunity passports. You know, we're getting to the point in some jurisdictions where up to 20% of people, according to the best estimates, have had COVID-19, meaning, at least theoretically, they've developed antibodies and are immune to the virus. And perhaps those people, the theory goes, should be able to go back to work, get on a plane, etc. 

Ben Yelin: But there are several problems here, as there always are with bills like this. 

Dave Bittner: (Laughter). 

Ben Yelin: I'm no doctor, but on the medical side, I think the evidence that somebody who has developed antibodies definitively cannot transmit that virus is mixed at best. I just don't think we have enough information about that. And because we're so unsure about it, it doesn't make sense to use this type of blockchain technology. That's one of the key arguments of the Electronic Frontier Foundation. The other thing is, do we really want to be getting into a situation where you have to unlock your smartphones and present credentials to get into public buildings and public spaces? 

Dave Bittner: Your papers, please (laughter). 

Ben Yelin: Yeah. Exactly. Exactly. It may seem completely innocuous when we're talking about an immunity passport. That might seem to make sense to us, but there is always a slippery slope. You know, this harkens back, as you say, to a Arizona bill, Senate Bill 1070, probably 10 years ago now, which was the show-us-your-immigration-papers bill. So you could see, you know, another state, maybe not as progressive as California, saying, well, as long as we're asking people questions so that they can enter a facility, how about we expand that to your immigration status or other, you know, personal information that might prevent you from getting some sort of public services? 

Ben Yelin: And, again, this is something that would potentially apply to government buildings. So if you needed to go and apply for disability benefits, Social Security, you could potentially be forced to unlock your device and at least be at risk of transmitting pretty crucial information. So this bill has not been passed. It's stuck at the California General Assembly, and the Electronic Frontier Foundation has teamed up with a bunch of other civil liberties groups and private industry, like Mozilla, to oppose this piece of legislation. And they're encouraging people who disagree with this idea to contact their state legislators if you live in California. 

Dave Bittner: You know, a couple of things come to mind with this. One is, you know, for example, here in Maryland, where you and I live - and, of course, California is your home state, but I try not to hold that against you. 

Ben Yelin: I know. 

Dave Bittner: Here in Maryland, where we both live, to send our kids to school, we have to provide proof of certain immunizations. How is this different from that? 

Ben Yelin: So a couple of things. One, the data on immunizations is more robust than it is on COVID just because COVID is such a new disease. If you've had an immunization for measles, mumps and rubella, we know with some level of scientific certainty that that person is going to be immune. The other crucial piece of information is you're not unlocking your device. So, you know, either you submit those as electronic records - you know, you just send a PDF via email to your institution or drop it into a database - or, you know, you're printing out paper records and bringing them in. A couple problems that are introduced by requiring a device - the first, as we talked about, are some of the privacy concerns. Forcing somebody in real time to unlock their device to enter a public facility, the show me - or I'll show you my iPhone if you show me your iPhone type of thing. 

Dave Bittner: Yeah. 

Ben Yelin: And there are major accessibility problems. Not everybody has a smartphone. You could develop work-arounds where people who potentially are older or from different socioeconomic groups could present these immunity credentials in a different way, you know, say, by printing out records. But that creates... 

Dave Bittner: Yeah, like a driver's license. 

Ben Yelin: ...Yeah. That, you know, could create its own security concerns. It would be more - because, you know, a type of immunity passport - the system is so new, it could potentially allow people to game the system and print out false records, especially when we're talking about a pilot program, something that just has not yet been established. So that would potentially present some security concerns. So I think what the EFF is saying is you have to kind of go back to the drawing board here. We're not ready to do this because we're not ready to relinquish our privacy on our own devices, something that's been guaranteed to us. And we just don't have enough information on the disease itself where such an invasion of privacy would be justified. Perhaps if we were 100% sure that antibodies could allow somebody to claim absolute immunity from COVID, maybe it would be worth it, you know? Maybe we would accept that invasion of privacy. But we are not there yet. The World Health Organization says we are not there yet. So until we are there, at least in the view of these groups, it's just not appropriate to test out this kind of program and take on those privacy risks. 

Dave Bittner: Yeah. All right - interesting development, for sure. Well, my story this week - this comes from the Baltimore Sun. It's an article written by Lillian Reed, and it's titled "Maryland Has a Plan to Beam Internet to Rural Students. But Officials Say It Won't Be Ready Until Next Year." This caught my eye for a couple of reasons. I think it's an interesting policy discussion about providing internet to people and how much of that should be private and how much of that should be public and what the options are for providing internet to those who are underserved. And I think, certainly, the pandemic has shone a bright light on the fact that high-speed internet is really necessary for students right now who are trying to learn from home. It's much harder for them to do that if they can't have access to high-speed internet. And the fact of the matter is that many students don't have high-speed internet. This article points out that here in Maryland, they estimate that 324,000 rural Marylanders don't have high-speed internet. That's a lot of people. That's a lot of kids. 

Ben Yelin: Yeah. You know, we think of Maryland as America in miniature. There are a lot of rural areas in our state on the Eastern Shore and in western Maryland. And that's - you know, that's a pretty hefty amount of people. I have a couple issues on the way that this is framed. So there are a lot of people who don't live in rural areas who, you know - people who live in, say, Baltimore City who, for various reasons, also don't have access to high-speed internet. 

Dave Bittner: Right. 

Ben Yelin: And we've tried to develop some patches to fix those accessibility problems during the pandemic. Not all of those have been successful - so things like setting up hot spots at the public schools themselves. 

Dave Bittner: Right. Right. This article talks about - some districts have equipped school buses with Wi-Fi hotspots. And so the school buses will go to underserved communities and basically provide internet from the bus. 

Ben Yelin: Yeah. Absolutely. And you can do that in big cities because - and I think this is a point you were getting at - it is profitable for, you know, private companies like AT&T and Verizon to put up a whole bunch of cell towers and create a very robust wireless network within Baltimore City, the major suburbs, the D.C. metropolitan area. Are they really going to invest those resources in Garrett County, which is on the far western part of our state, where the population, frankly, isn't that large? You know, you're going to find a lot of dead zones there because it's just not that profitable to create a robust wireless network out there. 

Ben Yelin: And I think that's why the state feels that it has to step in. It's going to gain access to this wireless spectrum, and it's going to go in where the private sector has not and create potentially wireless internet for a lot of these rural residents. So you're right. I mean, I think this is one of those market failures that needs correcting as it applies to rural residents just because it's not really worth it for these private enterprises to invest in those communities. There just aren't that many people there. 

Dave Bittner: Yeah. Just as an aside, if you're interested in some of the tech stuff here, go on YouTube and search for the word WISP, which stands for wireless ISP. You'll see there's a lot of people who are entrepreneurial who have started up these wireless internet service providers for underserved areas. And it's really not that hard or that expensive to do. So I kind of went down a rabbit hole with that over the weekend (laughter), looking at some of these videos just because it's interesting to me. But... 

Ben Yelin: And you're the one who calls me a nerd all the time. 

Dave Bittner: (Laughter) You're a law nerd. I'm just a nerd nerd. 

Ben Yelin: I know. We're different kinds of nerds. 

Dave Bittner: (Laughter) That's right. What I learned, though, is that this is practical, and it seems like a good way to do this. Doing this thing - these sorts of things wireless is much less expensive than installing cables and installing fiber, that sort of infrastructure, to have to dig ditches and run cables and hook up connections to homes - costs a lot more money, takes a lot more time. 

Ben Yelin: Right. 

Dave Bittner: So if they can do it wirelessly, that's the way to go. This program they're talking about, there's - they're getting some federal money to support them. They have $15 million from COVID-19 relief funds. And they are going to be - it says they have about $5 million set aside for more urban areas like Baltimore City. But I think your point is a good one that - it's interesting to me just kind of knowing how the politics of Maryland works with our current governor and the kind of love-hate relationship he seems to have with Baltimore City that... 

Ben Yelin: Yes. 

Dave Bittner: ...To say the least, that we'd be targeting - not to get too local here, folks, with politics - but that this would be targeting the rural areas first raises, perhaps, some eyebrows. But... 

Ben Yelin: Right. Let's be honest. I mean, our governor - he's somebody who's extremely popular in our state, has been widely praised on the work he's done on COVID. His political base is in a lot of these rural areas, some suburban areas. But, you know, if you look at the vote percentage he got in Garrett County, you know, we're probably exceeding 80% of the vote there. 

Dave Bittner: Right, right. 

Ben Yelin: So, you know, I think it is reasonable to acknowledge that this is his political base. 

Dave Bittner: Yeah. The other component of this that I think is worth discussing is this notion of high-speed internet as critical infrastructure and the ability for folks to access it. For example, even in areas where you and I live where there is ready access to these sorts of things, you know, we basically have two main providers here. We have - in my neighborhood, we have Comcast and Verizon. So you can get Fios or you can get - what do they call it? - Xfinity. So... 

Ben Yelin: Capitalism at its finest. We have two choices. 

Dave Bittner: ...(Laughter) Yeah. I know, right? Exactly. And, boy, it's amazing how similar their pricing structures are, isn't it, Ben? 

Ben Yelin: Sure is. It sure is. 

Dave Bittner: (Laughter) So - but at least you have some choices. And one of the things that they offer are inexpensive connections for people who have financial difficulties. If you can demonstrate that you're below a certain income level, you can get internet for - I want to say around $10 a month for something that I would not consider high speed, but it's something. What I wonder is, should communities be providing a basic level of connectivity for free? And what I'm thinking is, you know, for example, if you were a student and you qualify for free and reduced lunch, maybe that should also qualify you for this kind of internet. Maybe, at that point, either the government kicks in and pays those service providers the $10 a month, or perhaps there's a wireless solution like this. 

Dave Bittner: We've got innovative things like, you know, Elon Musk is installing this array of satellites that could be a disruptive force for people to have access. 5G is going to make high-speed internet more accessible because, again, it doesn't require the wiring installation. So I think there are possibilities here. But I'm curious, Ben, what you think about, just from a policy point of view, of where we stand, what we should be thinking in terms of access to the internet as being a basic fundamental, dare I say, human right. 

Ben Yelin: Yeah. I mean, I'm always careful about using that human rights language because once you declare something a human right, you know, it really does create an obligation that you have to provide for it. And the way our system works - we have a lot of negative rights in our country. You know, the government cannot do X to us... 

Dave Bittner: I see. 

Ben Yelin: ...But very few affirmative, positive rights. I happen to agree that one of the positive rights we do have in the state of Maryland is the right to a public education. You can go to school for free here. I don't know if you're aware of that, Dave. You can enroll your child. It does not cost anything to go to one of Maryland's public schools, which are, you know, while they have equity issues, are among some of the best in the country. If, you know, we're in a situation like we are now where people cannot physically go to their schools and cannot learn in person, the only way they're going to, you know, not get very far behind in educational attainment is to have this internet access. So you can't have that right to a public education right now without some sort of guaranteed access to high-speed internet technology. I mean, I just think that's the practical reality here. 

Ben Yelin: What's unfortunate is this technology for rural students in Maryland isn't going to be ready until fall 2021. Who knows whether the pandemic will be over by then? I sure hope it is. But there are no guarantees. But, you know, as sad as it is, there are going to be situations like this in the future. There are going to be other pandemics. You know, I know in the - I hate to keep talking about my home state of California. But there are a lot of other reasons people can't go to school for long periods of time. You know, we've seen devastating wildfires there. 

Dave Bittner: Right. Right. 

Ben Yelin: So, you know, if it's part of your state's policy to provide free public education, that sort of right is going to be useless during these trying times if people don't have access to internet technology. Otherwise, that right is really meaningless because we're engaged in virtual learning. 

Dave Bittner: Yeah. I think it's also worth pointing out that I think there is good-faith effort all around to try to provide for kids throughout this. 

Ben Yelin: Absolutely. 

Dave Bittner: You know, there are - school districts are handing out MiFi devices for connectivity. They're handing out, you know, laptops, Chromebooks, you know, those kinds of things. So there is a rallying of the troops, if you will, to try to do their best. But, you know, there's (laughter) - money doesn't grow on trees. And this points out, particularly in those rural areas, you might not be within an area where it's easy to have access. And that's an issue. 

Ben Yelin: It sure is. Yes. You know, I will say money does not grow on trees. That is true in the state of Maryland and in all other states, which are required to have balanced budgets. The federal government does not, meaning they could really step in. And if they decided that this was a priority, to guarantee high-speed rural internet access, that's something that they could really invest in in a major way just, you know, to an extent that the state of Maryland cannot do by itself without this allocation of federal dollars. 

Dave Bittner: Yeah. All right. Well, that is my story. Of course, we'll have links to all of our stories in the show notes. We would love to hear from you. If you have a question for us, you can call us. It's 410-618-3720. You can leave a message there. And maybe we'll use it on the air. Also, you can send us a message at "Caveat" at thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Matt Lewis and Jennifer Fernick. They are researchers for an organization called NCC Group. And they recently published a report titled "Smart Cities: Weighing the Benefits Against the Dangers." Here's my conversation with Matt Lewis and Jennifer Fernick. 

Matt Lewis: From various conversations with our clients in recent years, we've seen that the topic of smart cities arise also in connection with a number of hardware device manufacturers, IoT device manufacturers. We've seen them talk about the number of application areas around smart cities if they - they plan on rolling their technologies out to. And so we started to engage with a few municipalities, local authorities as they were starting to plan out their visions for their smart cities. 

Matt Lewis: And it became quickly apparent from our conversations that there was little to no thought around security, around privacy aspects of what the intended smart city applications and visions were. And so that was the genesis for the white paper that we wrote, where we then set out to provide some guidance from the very early stages of what you're looking at, specking out what you're looking - trying to achieve right through to the development, the architecture, the design, the rollout and the maintenance of smart cities, and how you can maximize the security assurance throughout that lifecycle. 

Dave Bittner: Jennifer, can you give us some insights? These days, when we're talking about smart cities, what's the spectrum of technologies that are typically at play here? 

Jennifer Fernick: So Matt could go into this in further depth. But we're looking at things like LoRaWAN. We're looking at a variety of IoT devices usually on unregistered spectrums, a number of things that will exist perhaps on 5G infrastructure. But it really does vary somewhat deployment to deployment. 

Dave Bittner: Matt, do you want to add to that? 

Matt Lewis: Yeah. Sure. So I guess there's two main angles. There's the directly affecting privacy aspects around, typically, surveillance applications. So the big ones being things like facial recognition, automatic number plate recognition for vehicle tracking - that sort of thing. And that's been around for many years and is not necessarily smart, per se. But then, the other side is the mass rollout of sensor-based networks that use technologies like Jennifer mentioned such as LoRaWAN. 

Matt Lewis: And the sensor's going to be capturing anything from humidity, temperature, the conditions of the moisture in the soil around certain parks in the city. And the whole concept around smart cities, then, is aggregating all of this information somewhere to generate some insights and some intelligence about that data to then be able to do some actions around that, whether it's optimizing services or minimizing some level of environmental impact - that sort of thing. So the rollout of sensing devices around the city, I guess, is the overarching aspect of smart cities. 

Dave Bittner: And how do cities measure their return on investment with these sorts of things? How do they justify the expenses to the folks who live there? 

Matt Lewis: It'll depend on what the application is. So some applications might be explicitly set out to derive a return on investment. So for example, by gathering some intelligence about some service, they're able to then understand how they can optimize that service and, therefore, save money for the taxpayers and for citizens. So that might have been the intended goal from the outset. Other ones might be less so about, I guess, financial ROI. But it could be some other level of success around reduction in crime rates, for example. 

Matt Lewis: So there are applications such as gunshot detection that get rolled out from street lamps that claim to be able to detect if there's a gunshot in the area. And then it can automatically dial out for the police services. And then that can tie into the whole predictive policing aspect. And so if a city can then roll out those technologies and then track, over time, possible reduction in crime rates, that would be their measure of their return on investment. So it's a very specific per application thing. 

Jennifer Fernick: And, perhaps, to extend further, we see a lot of kind of hybrid investment models, right? So we have to consider these different smart city experiments around the world, where large private companies are buying up swaths of real estate or taking quasi-ownership of parts of a city and seeking to experiment in a real-life environment. So there become a lot of questions, especially from the privacy perspective, around who owns this data, who is responsible for the governance, to whom do they answer, who made this technology, where is the data going to live, what would happen in a mergers and acquisitions context, is this data being monetized. So there's a lot of questions around not just the financial costs from the outset within a municipality, but also the more indirect costs that occur in the monetization, potentially, of some of that data. 

Dave Bittner: Yeah. You know, we've been tracking here on this show - there've been stories coming out of San Diego about how some of their smart city efforts, which were rolled out and sold to the public for many of the reasons you've described here, it didn't take long for the police to start using the system because some of the hardware mounted on streetlights, for example, had video and audio capture and recording capabilities, and so the police were able to use it for law enforcement. And this, of course, raised all sorts of privacy concerns. 

Jennifer Fernick: Yeah, I would expect that the privacy concerns are perhaps more vast than a lot of local citizens expect, given the data that is presented to them around smart cities. And to me, it's like, the concern that we ultimately have is that of ubiquitous surveillance and that of realizing kind of the Panopticon vision of these intelligent environments that have every type of sensor deployed ubiquitously around you, often undetectable, often unavoidable. And I think that, as a society, we need to make the decisions as to what we will and will not accept with respect to privacy, and that we really need to consider as well the element of time. 

Jennifer Fernick: So there might be things that seem like a great idea and a very salient solution to a problem right now, but we also have to consider that, in the public sector, governments change and their policies change, and in the private sector, mergers and acquisitions happen. And I think that what we really need to introspect before deploying these things widely is, like, am I OK with this level of surveillance with our current leadership in this given region? What about if this region were led by someone of a very opposing political view in the future? Would we still be OK with this data being collected? You might want to also ask yourself, am I OK with a private company having this data? How much data do they have? What are the expectations on that? And what if they were bought out by a large insurance company or a large tech company, perhaps a large global tech company that's not from the region that they're deploying it? And I guess the thing about privacy is that once you give it away, it's a very, very difficult thing to get back. 

Matt Lewis: Yeah. And I guess just - just to mention briefly on that point, we labored on this quite heavily early on in the report that we wrote around transparency and the need for local authorities to establish some working groups and engage with citizens from the outset. I don't think many, if any, cities are doing this, but if you can establish those working groups, where you get a nice cross-section of your population involved and engaged around, OK, this is what we're looking to achieve, and this - these are the benefits to society and the citizens. These are the potential trade-offs around privacy. But we're at least - we're having the open discussion, rather than it being opaque, and then we end up seeing the types of function creep, like the example in San Diego that you just mentioned. 

Dave Bittner: What about the financial issues for cities? Have any of them found that, you know, perhaps these systems didn't end up being as good a deal as they thought? Maybe some of these partnerships with private organizations, as they roll out, as they go over time - you know, I'm thinking of the long-term impact of this, and many of these deals last for many years. 

Matt Lewis: Yeah, that's a good question. I suppose that there's a split camp on this in terms of who or what is driving the smart city allocation. So in that first instance, you might have the authority themselves having gone through a procurement stage and then outsourced to a provider. Or they could be just some digital disruptor who's come into a city and rolled out whatever it is their application is without any governance or oversight by the city authorities themselves. So you could have both of those, I guess, quite different models. 

Matt Lewis: So back on the local authority aspect, particularly where there is public money being spent, yeah, it is something that they do need to be cautious of. There have been some examples of, for example, some cities rolling out things like smart parking infrastructure, where they have sensors that connect up to an application infrastructure, so you can read on your app in real time where there are free parking spots around the city. But where that has gone wrong in terms of the rollout, it's then become a very costly exercise to actually go and dig up those sensors and fix whatever the underlying issue was and then put them back in, and it's caused massive disruption. So there's a big element of, I guess, planning and ensuring you get the most assurance you can possible from the supply chain before you commit to some of these large infrastructure projects, particularly where they are maybe retrofitting or having some sort of physical embedding into a city and the city's, I guess, street furniture, as it were. 

Dave Bittner: What sort of advice do you have? What's the message that you hope people get? I'm thinking of that involved citizen, that active citizen, who keeps an eye on their local city or county council, in terms of the messaging that they should be taking to their representatives as these sorts of smart city proposals come through. What sort of things should they be on the lookout for? 

Matt Lewis: There's the potential use - particularly I guess in the European region, where we have the General Data Protection Regulation, GDPR. There are specific provisions that allow citizens to do things like subject access requests, and things like that can help, I guess, hold municipalities or organizations to account. So you might request a copy of whatever data they might have on you, or you might do a Freedom of Information request about what technologies are being rolled out by which vendors and for what purposes. And so these are very good tools to use, particularly when it is about public bodies and public spending. Those are two key recommendations that I would have, and they certainly help hold to account because if there is no information back or the answers are a bit vague, that might then be a probe to citizens to then maybe seek some further assurances about what's actually being rolled out and for what reason. 

Jennifer Fernick: And I feel like bringing the community forward to talk about the types of data issues that they have from different populations' perspectives is really important here. If we think about the linkability of data and just the sheer volume of data points that become available, these are tremendously valuable things. They can become tremendously political things. If we think even right now, the world in which we live, perhaps there's been not a great deal of smart city adoption at scale and that the primary, like, mechanism of surveillance for everyday people tends to be social media. Even without a social media account across a variety of platforms, many social media companies have begun to profile people based on ambient data. We can only imagine what this would look like if your environment was always trying to sense something about you as you move through space. 

Jennifer Fernick: So I think that citizens need to think about what consent and opting out of consent looks like. I think they need to think about their specific-use cases and where these data privacy issues may matter the most. We see this a lot with targeted populations. So what about survivors of domestic violence? What about members of public office? What about folks within various parts of the intelligence community or victims of doxxing and harassment or journalists and their sources or witnesses to crimes? There's a great deal of people that have very specific interests that do need to be represented for this to be an equitable and positive thing for all. And, really, we can't start making those privacy assurances without also being able to make security assurances because in the absence of controlling the system that you have and having a high degree of assurance over that data, it's very difficult to make any kind of confident guarantee around how that data will be protected. 

Jennifer Fernick: So then, like, to build upon this idea of linkability of data, I think that we need to think a lot about not just the confidentiality and the integrity of the data, but also the availability and what a stress test would look like if a smart city deployment were to lose network connectivity or lose access to the power grid or similar and what might be the unintended consequences of that. We also need to think about the vendors that we're working with. So while working with new and exciting startups can be a great way to bring innovation into this space, we also have to consider that a 12-person startup probably doesn't have a security team, and maybe giving them all of your municipality's data to host within their own kind of cloud instance that they have not necessarily tested deeply or have robust assurances around could be a fair bit of risk. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: Smart cities sound so good in theory. 

Dave Bittner: (Laughter) Who wouldn't want a smarter city, right? 

Ben Yelin: I know. And I was actually surprised that - I think you pretty - asked them pretty directly about a cost-benefit analysis and a return on investment, you know? And they couldn't quite, I guess, put the benefits directly in those terms, which is something that I think puzzles me a little bit. But, yeah, you know, I think there's certainly a lot of promise. You can improve public services. You can improve public safety. But you have to weigh that against significant dangers. 

Ben Yelin: As you said in the interview - and I think, you know, as we've talked about - we already have examples in cities like San Diego, where you've set up aerial surveillance, license plate readers, all different types of rather invasive technology, and it threatens people's rights, even if it does provide them benefits. I think this paper is a good start because I think we have to kind of develop some universal standards here. At what point is it worth it to deploy this technology, given the risks and the benefits? And at what point is it not? I certainly support the promise of smart cities, but anytime I hear smart anything, I just kind of cringe a little bit... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Because it just sounds kind of Orwellian. I don't know if you feel the same way. 

Dave Bittner: (Laughter) OK. I see where you're coming from. All right, well, our thanks to Matt Lewis and Jennifer Fernick for joining us. We do appreciate them taking the time. 

Dave Bittner: That is our show. Of course, we want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.