Caveat 2.3.21
Ep 63 | 2.3.21

The new US Administration should focus on these data privacy points.

Transcript

Sophie Chase-Borthwick: If CISOs and counsel can't understand what on earth has happened to their data, why on earth do we expect my mother to be able to?

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben examines the ongoing hunt for Capital rioters. I look at the challenge of upholding free speech in the age of online digital platforms. And later in the show, my conversation with Sophie Chase-Borthwick of Calligo. We're going to be talking about the top data privacy points the new U.S. administration must focus on. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben. Lots going on this week. What do you have for us? 

Ben Yelin: So we're now a few weeks removed from the attack on the U.S. Capitol, but the stories just keep coming out. And to me, they get more and more fascinating. I came across a report from the Brookings Institution, which is a think tank located in Washington, D.C. And they have a center for technology innovation. So this gentleman Darrell West wrote a piece on the digital footprint of the Capitol rioters and just how much information law enforcement has to work with in the digital age. And he goes through sort of all of the elements of the digital footprint. And it makes you realize that it's going to be relatively easier for federal law enforcement to track down a lot of these individuals because they left behind so many digital breadcrumbs. So he talked about a number of the things. The first thing was social media posts. And a lot of these people who were part of this attack kind of acted with impunity, thinking that nothing was going to happen to them. They were part of a revolution... 

Dave Bittner: Right. 

Ben Yelin: ...And that they were going to evade responsibility. So a lot of people, you know, posted Instagram updates, Facebook updates, live video where they showed themselves barging into the Capitol. They show themselves trespassing in various members of Congress's offices. 

Dave Bittner: (Laughter). So nice of them to document their crimes publicly. 

Ben Yelin: Yeah, exactly. They documented themselves committing vandalism. So that's really easy. 

Dave Bittner: Yeah. 

Ben Yelin: Those are going to be the easiest people to target. That's been sort of the first wave of targets from federal law enforcement. It seems like... 

Dave Bittner: Sure. 

Ben Yelin: ...The first wave of people arrested were the people dumb enough to take pictures of themselves committing acts of violence and vandalism. 

Dave Bittner: The low-hanging fruit, as it were. 

Ben Yelin: Yes, the extremely low-hanging fruit. 

Dave Bittner: (Laughter) 

Ben Yelin: Yeah, they made it a little too easy. So then there is the emails and text messages, which the government can subpoena through the Stored Communications Act. So individuals have been indicted for emails they sent to others or text messages, usually, you know, unencrypted, threatening the lives of leaders like Speaker Pelosi, Vice President Pence. They caught somebody who said he was ready to remove several craniums from shoulders. So they have these text messages and emails. You know, if they have a reasonable suspicion that somebody was planning to commit a crime, they can get access to these communications, as long as they're not encrypted, without getting a warrant. They can go through this easier subpoena process. Then there's facial recognition. So a lot of people have been identified through crowdsourcing of video images. 

Dave Bittner: Right. 

Ben Yelin: So there's good old-fashioned facial recognition, where there's a picture of a guy doing something bad. Somebody posts on social media, hey, does anybody know who this is? And somebody else says, oh, yeah, that was the a-hole who lived next door to me in high school. 

(LAUGHTER) 

Dave Bittner: Right. Right. 

Ben Yelin: His name is X. And then there's, you know, the more modern form of facial recognition, where law enforcement is using Clearview AI, which we've talked about a million times on this podcast. They have 3 billion photos that they've scraped from social media sites. And they're matching those against photos taken at the scene of the crime. So that's another tool they have. 

Dave Bittner: I noticed there was - somebody put up a website, I think it's called, like, Faces of the Riot or something like that. And it's... 

Ben Yelin: (Laughter) I saw that, yeah. 

Dave Bittner: And it's about - what is it? Like, 6,000 - I forget. It's a big number of photos. And they've used facial recognition to differentiate all of the different faces at the riot. So it's basically just a mug shot book of cropped photos of everybody's faces. 

Ben Yelin: Yeah. 

Dave Bittner: If you're one of those folks who wants to, you know, rat out your neighbor, or you have a funny feeling or something like that, you can just scroll through this and see if you recognize anybody. I will say I had one funny thought while I was checking that out - was that, you know, you and I often talk about the troubling aspect of facial recognition that it does very poorly with people of color, right? 

Ben Yelin: Yes, absolutely. 

Dave Bittner: Not a problem with this list. 

Ben Yelin: Not a problem with this. 

(LAUGHTER) 

Dave Bittner: Not a problem here (laughter). So... 

Ben Yelin: That is absolutely true. Yes. Let's just say... 

Dave Bittner: The AI is going to be a maximum possible accuracy because of, I suppose, the self-selection with this crowd. So I don't know if that's... 

Ben Yelin: Yes, the demographics are favorable here. Let's put it that way. 

Dave Bittner: I don't know how funny that is, if it's funny, tragic or just peculiar. But it did cross my mind while I was looking at that. So... 

Ben Yelin: I was about to say gallows humor, but that... 

Dave Bittner: Yeah. 

Ben Yelin: ...Probably would be inappropriate in these circumstances. 

Dave Bittner: Yeah. Right. 

Ben Yelin: So a few other digital footprints are just fascinating to me - timeline and location. This is the use of metadata. There was one person who had been arrested on a previous crime, was wearing a GPS monitor. And they were able to identify (laughter) that he was in the Capitol... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Because he was wearing this GPS monitor. So not exactly the smartest criminals in the world. 

Dave Bittner: (Laughter) Put him at low-hanging fruit category, right? (Laughter). 

Ben Yelin: Absolutely. But the metadata can be useful even when the criminals aren't as idiotic as that individual. So the fact that, you know, every social media post has a timestamp and, unless you opt to turn off location services, captures your location, that actually gives law enforcement a reasonable timeline of when crimes may have been committed. Let's say somebody is being accused of a specific act of vandalism, that, you know, they barged through one window. If you had a social media post two minutes before that was a picture of you, you know, with a with a pitchfork... 

Dave Bittner: (Laughter). 

Ben Yelin: ...And they were able to - and you hadn't turned off your location services and identified, you know, on the west front of the U.S. Capitol... 

Dave Bittner: Right. 

Ben Yelin: ...That's also going to be an extremely effective tool for law enforcement. 

Dave Bittner: Right. And, well, the metadata the photo might have a GPS tag. That's pretty common these days, as well. 

Ben Yelin: Very common. Absolutely. Then there are a couple that are a little less obvious that I just think are worth mentioning. One is hotel and Airbnb accommodations. So hotels keep track of people who make reservations. I think that's pretty obvious. But things like Airbnb, you know, you think that they're slightly more off the grid, but they've cooperated with law enforcement. And when law enforcement has asked for records, you know, we have this person. We're not sure whether they were actually in the district during the time of this riot. They are alleged to have been. Airbnb will say, yeah, they - without a warrant, they're perfectly willing to tell law enforcement this person stayed at one of our rental properties on X date. Then there's dating websites, which to me is both the most hilarious but also perhaps one of the most illuminating. And this is the last one I'll mention because I know this has gone on for a while. But there was a bunch of dating websites where people who were politically liberal would mark their political affiliation as conservative and try and match up with other conservatives who were in the area in and around the January 6 riot. 

Dave Bittner: (Laughter). 

Ben Yelin: So maybe it was later on January 6 or January 7. And the idea was to try and get them to confess, you know, because they'd want to brag about being part of the supposed insurrection. 

Dave Bittner: (Laughter). 

Ben Yelin: So they'd say, oh, you're a conservative? I'm a conservative, too. I was part of the, you know, mob on the Capitol And then they would turn... 

Dave Bittner: Right, right. 

Ben Yelin: ...That information over to law enforcement. And as a result, a couple of dating websites have removed the feature where you can identify your political affiliation. 

Dave Bittner: I just imagine somebody changing their listing, you know, turn-ons - - I love insurrection and... 

Ben Yelin: Exactly. Storming the Capitol with weapons. 

Dave Bittner: People aren't afraid to break glass windows. It just gets my motor running. 

Ben Yelin: This is totally not a setup in any way. 

Dave Bittner: (Laughter). 

Ben Yelin: So yeah, I just thought this article is just fascinating. It gives you a window into exactly how much information law enforcement is working with, especially when you have an event where there were perhaps hundreds of thousands of people on the Capitol mall. Everybody who entered the Capitol, which is probably in the thousands, is at least guilty of a trespassing crime. 

Dave Bittner: Right. 

Ben Yelin: And law enforcement has all of these tools to identify them, you know, even though they didn't make very many arrests as people were on the premises themselves. 

Dave Bittner: Yeah. 

Ben Yelin: So I just thought that it was particularly illuminating - and the fact that almost all of these things can be done without obtaining warrants... 

Dave Bittner: Right, right. 

Ben Yelin: ...Because the subpoena process through the Electronic Communications Act, Stored Communications Act - it just makes life a little bit easier for law enforcement. So I just - I highly recommend reading the whole piece here. And we'll put it in the show notes. 

Dave Bittner: Yeah. Well, we all just leave behind this trail of digital breadcrumbs behind us, don't we? 

Ben Yelin: Yes. And given that, you'd think people would be smarter at trying to conceal themselves... 

Dave Bittner: (Laughter). 

Ben Yelin: ...If you intend on committing crimes. I mean, I think there - part of it is that people were acting with impunity, thinking either one of two things. One, this is the revolution, and when we take control of the Capitol you know, we're the good guys, so we're not going to be prosecuted. 

Dave Bittner: Right. 

Ben Yelin: I think some people legitimately thought that. 

Dave Bittner: Yeah. 

Ben Yelin: And other people might have subconsciously thought that, well, the law enforcement only catches those guys - those, you know, the Black Lives Matter rioters, the Antifa people. I'm just a good, old, you know, country boy from Wichita, Kan. They're not going to attack me. 

Dave Bittner: Well, and they had evidence to support that notion. I mean, there - we had prior incidents of folks taking state capitols or entering state capitols fully armed and putting everyone on edge and then having no consequences. So there was a pattern here that's a possibility. It had happened. 

Ben Yelin: Absolutely. Absolutely. So there are just so many interesting elements to this. 

Dave Bittner: Yeah. 

Ben Yelin: Yeah. All of the publications that come out of the Center for Technology Innovation at the Brookings Institution are well worth your time. 

Dave Bittner: Yeah. 

Ben Yelin: So recommend it. 

Dave Bittner: All right. We will have a link to it in the show notes. Boy, it's just so hard to get away with crimes these days, isn't it? (Laughter). 

Ben Yelin: I know. You feel sorry for these poor criminals. I just want to start a riot, you know, without getting caught. How hard is it? 

Dave Bittner: I mean, in the old days, you could have a good, old-fashioned caper. But these days, it's just - just the way of the world. 

Ben Yelin: A little more difficult, yeah. 

Dave Bittner: Yeah. All right. Well, my story this week is a fascinating story from The New York Times. And this is written by Emily Bazelon. It's titled, "Why Is Big Tech Policing Speech? Because The Government Isn't." I found this to be a fascinating article here, and it really covers a lot of the things you and I have been talking about and certainly plenty of people about free speech, this whole notion of online censorship, deplatforming. And what place do these large social media companies play in terms of being the - kind of the virtual public square? And what does that mean if someone gets kicked off of those platforms? Have they lost their access to that virtual public square? It's a long article, but I think well worth the read. It really tracks through some of the history of how we treat the First Amendment here in the United States, how we're unique versus many other nations... 

Ben Yelin: Absolutely. 

Dave Bittner: ...When it comes to that, the direction that we come to it from. And it really lays out some of the issues, you know, pro and con, for some of these activities here. Ben, you want to give us your take on what they're describing here? 

Ben Yelin: Yeah, I mean, these are just really difficult issues to wrestle with, and I don't think there are easy answers. So the status quo in our country right now is our free speech laws are pretty absolutist, especially in relative terms to our companion countries in, you know, Europe, etc. It's very hard in this country to be punished for your speech and only your speech. You know, there are certain things that fall outside of First Amendment protection entirely - obscenities, pornography - certain types of pornography, I should say - a couple - false advertising, a couple of those types of categories. And there are some restrictions you can put on speech - such as, you know, restrictions on the time, place and manner of speech. 

Ben Yelin: But besides that, we are pretty absolutist. I mean, as far as the government is concerned, even if you are expressing something that's profoundly offensive, the government is generally going to allow it. So what that means, you know, is if society has any desire to tamp down on speech, particularly speech that has the tendency to cause violence, the onus is going to be on private companies. And that's what this article is getting at. And we've seen that over the last month. A lot of these companies hit a breaking point. Facebook temporarily suspended the president - former president of the United States. Twitter did so as well, and then made that suspension permanent. I think we talked in last week's episode about deplatforming Parler. They were kicked off Amazon's web hosting services. 

Dave Bittner: Right. 

Ben Yelin: So private companies have really taken on that role as regulators. There are a couple major problems with this. One, do we want these small group of big-tech billionaires making decisions about which speech is going to get a megaphone, is going to get a place in the public square? I think, generally, we don't want that. I mean, do you trust Mark Zuckerberg to be the dictator of, you know, what speech can go online and can be spread widely? I think that makes us uncomfortable. Ideally, the decisions as to what speech is and is not acceptable would be made democratically. We'd all decide. But because of the strength of our First Amendment, that can't really happen in this country. 

Ben Yelin: So it can happen in other countries, and we see it in other countries. This article mentions it. You know, in most of Europe, you can be prosecuted for expressing support for the Nazi Party, for example. And that's an instance of democratic governments getting together, based on the will of their constituents, saying it's more important that we suppress this dangerous speech than it is that we let these ideas flourish. And we've, for a number of different historical reasons, have just expressed different values on the First Amendment in this country. So there are pluses and minuses. I fashion myself to be a free speech absolutist in terms of what the government can restrict, but their - you know, when the government is not restricting speech but segments of society want speech to be suppressed, the fact that it falls on these private companies is in and of itself problematic. 

Dave Bittner: You know, part of - when I think about these sorts of things, I always try to compare them to the real world. 

Ben Yelin: Yes. 

Dave Bittner: And I think about, you know, for example, that we all establish norms among our friends and family and colleagues and co-workers and so forth, even within our communities. I was thinking, you know, if I went into my kid's day care and just started spewing obscenities or racist things or, you know, whatever, I would be asked to leave. 

Ben Yelin: (Laughter) Yeah, maybe not asked. You might be shoved out if the day care has a good bouncer. 

Dave Bittner: I would be shown the door. 

Ben Yelin: Yeah. 

Dave Bittner: Right, right. And I don't know that people would have a problem with that. I don't think there'd be much of a free speech argument there, that you should be able to go into a private company and, you know, say whatever you want, as long as you want, as loud as you want, you know. This article compares these big platforms to shopping malls. 

Ben Yelin: Right. 

Dave Bittner: I think that's an interesting comparison because, yeah, you know, a shopping mall is a publicly accessible place that is privately owned and operated. It is private property. So the shopping mall - you know, my local mall has a list of rules of conduct. 

Ben Yelin: Right. 

Dave Bittner: As you walk in, they have a list there. And parts of it is things like no obscenities. Part of it is no handing out fliers or, you know, things like that. And, you know, my take on that is - all right, their mall, their rules. 

Ben Yelin: Right. 

Dave Bittner: That makes total sense to me. That said, with these large platforms, as it so often is, it seems a matter of scale. When you are truly global and a large percentage of the world is on your platform and there are not easily accessible alternatives... 

Ben Yelin: Right. 

Dave Bittner: ...Right? There really isn't an effective Facebook alternative. 

Ben Yelin: There isn't, no. 

Dave Bittner: There just isn't. I would say the same thing with Twitter, although I think that's what Parler was trying to be - had a certain degree of success, I would say, until they got shut down for - wait for it - (laughter). 

Ben Yelin: Right, right. 

Dave Bittner: ...Too much free speech, right? (Laughter) So I... 

Ben Yelin: Not enough content moderation. 

Dave Bittner: Right. I agree with you. This is hard. But do we agree that community standards are a worthwhile goal in our discourse? 

Ben Yelin: I think we do. And, you know, I think the tech companies operate on that basis as well, is - you know, if somebody is going to say something hateful or if somebody is going to say something that incites violence, we don't want it to be on our platform, the platform that we built and that we operate... 

Dave Bittner: Right. 

Ben Yelin: ...Just like, you know, the proprietor of a mall would say, you know, I don't want these types of things spewed on my property. 

Dave Bittner: Right, right. 

Ben Yelin: As you said, you know, the big difference is, yes, Parler is an alternative, but there's really only one Twitter. There's really only one Facebook. And this has become the venue where we express our political views. I'd say, you know, especially during the pandemic, where many of us aren't really going out and seeing other people very much, our political conversation is largely happening online. It's not as simple to me as just saying, well, they are private companies, like a shopping mall... 

Dave Bittner: Yeah. 

Ben Yelin: ...And therefore, they can sort of do whatever they want. I mean, I think from a legal perspective, that's true. But I think we have to acknowledge that - and this is something that Angela Merkel acknowledged, which is - this is mentioned in the article - is it just feels uncomfortable when these sites have become the public square where we air our political ideas, and the fact that a few tech billionaires have that power to deplatform people and ideas - it should at least make us wary, even - you know, even if you don't agree with the particulars, even if you want a certain former president to be banned from these platforms because it makes, you know, your morning a little bit more relaxing, I think we can all recognize that there is potential danger there. 

Ben Yelin: I wish I could come to you and say, I have the obvious solution here, which is to do X. I don't think there's an obvious solution. I think countries in Europe, based on their political history that have less stringent free speech protections, are in some ways in a much easier position because the government can be the bad guy, can go in and ban speech. And if people don't agree with the government's action, you can vote for a new government. We - because of our First Amendment, as I said, we just can't really do that here. So there aren't... 

Dave Bittner: Yeah. 

Ben Yelin: There aren't easy solutions. 

Dave Bittner: You know, I heard someone talking about the Parler situation, and they were saying it's - one of the difficulties is that if Parler wants to go and set up shop somewhere else, they're having trouble getting people to supply them with the things they need. 

Ben Yelin: Right. 

Dave Bittner: You know, the server space, the - whatever, the various things that you need to run a website. And they compared this to, you know, what if I were running some sort of brick-and-mortar shop, you know, a sandwich shop or something, and somebody said, well, we're not going to provide you with bread or lunch meat or ketchup and mustard because of the types of - you know, things that - if you - if it's, I don't know, Bob's Nazi House of Hot Dogs or something, you know, people are going to say... 

Ben Yelin: (Laughter) Worst hot dog ever, yeah. 

Dave Bittner: ...I'm not supplying you with things. Right. I'm not supplying you with things because I don't agree with how you're setting up your shop there. OK, I mean, that's the marketplace of ideas, right? 

Ben Yelin: Yeah, it seems reasonable. Yeah. 

Dave Bittner: Yeah, yeah. A mall doesn't have to rent to anybody. Again, if I want to set up that same hot dog shop, the mall can say, oh, no (laughter). 

Ben Yelin: No, yes. 

Dave Bittner: No, we're not going to do that. But I wonder, you know, what happens if I want to set up my little hot dog cart, you know, at the National Mall on federal property and have to get a license for my little hot dog cart, are we in a different situation there because now it's the government telling me whether or not I can have my little hot dog cart? 

Ben Yelin: Yeah, I would say don't try that. 

(LAUGHTER) 

Dave Bittner: I wasn't - I'm not trying to fundraise here, Ben. 

Ben Yelin: Yes, we don't need to... 

Dave Bittner: (Laughter) I agree. It's a horribly bad idea. 

Ben Yelin: We don't need to GoFundMe. 

Dave Bittner: But I just tried to take the - I'm trying to take the thought experiment to its ridiculous end (laughter). 

Ben Yelin: It's an interesting thought, but I think the government as a property owner, you know, is different than the government as a regulator. 

Dave Bittner: Ah, I see. Right, right. 

Ben Yelin: So, yeah, I think the government - you know, there are certain things you can't do in the Museum of Natural History. 

Dave Bittner: Right. Believe me - we've tried. 

(LAUGHTER) 

Ben Yelin: Yeah, believe me - we tried, yes. Not sharing any personal stories here. 

Dave Bittner: (Laughter) Let's just say... 

Ben Yelin: Yeah, there are certain things you can't do in those museums, even though it's government property. 

Dave Bittner: Right, right. 

Ben Yelin: There are certain things you can't do in the U.S. Capitol, as we've seen recently, even though it's government property. So... 

Dave Bittner: Who knew? (Laughter) Right. 

Ben Yelin: Yeah, I think they can set their own rules there. 

Dave Bittner: Yeah. All right. Well, highly recommend this article. It's "Why is Big Tech Policing Speech? Because the Government Isn't." This is, again, over on The New York Times, written by Emily Bazelon. We'll have a link to that in the show notes. Definitely worth your time. 

Dave Bittner: We would love to hear from you. We have a call-in number. It's 410-618-3720. You can also send us email to caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Sophie Chase-Borthwick. She is from an organization called Calligo. And we were talking about the top data privacy points that she believes that the new Biden administration needs to focus on. Here's my conversation with Sophie Chase-Borthwick. 

Sophie Chase-Borthwick: I've not seen before such a split between what government wants - and I'm not making comments necessarily about each individual state, about - that comes later - versus government as a whole versus the public. Privacy has never mattered more to the general public. And the U.S. is frankly behind on it compared to how much people care. And I don't just mean Europeans here. There are concerns and complaints about privacy. And people are becoming more and more aware of where their data is. And it's everywhere, and it's creating a greater, greater split. 

Sophie Chase-Borthwick: And against that backdrop, you find a previous administration that was considered not to worry about people's privacy in that regard - quite a traditional government in some ways - and while making use of technology, not really considering what's behind it. And with a new administration, hopefully there's a chance to redress some of that balance and come closer to the concerns we're seeing about - from people. Freedom in the States has always been freedom from the government. People are starting to realize they actually need freedom from businesses, too. 

Dave Bittner: Yeah, that's a really interesting point. I mean, how much of this do you suppose is, with the Trump administration, a desire to not regulate things, to stay hands-off, to go along with, I think, what's the values of their party - to say, we want to unleash business and let them do the things that they want to do? And yet here we find ourselves - as you say, you know, more and more people are finding themselves faced with the reality of what many of these social media companies, for example, are collecting. 

Sophie Chase-Borthwick: In fact, that's the thing. People weren't aware. There's a standing joke - what do you see if you finally read somebody's privacy policy online? It's totally different to what you think it is. In fact, some of these companies' privacy policies only makes sense when you remember you are the product, not the customer. If you read them thinking you're the customer, they genuinely make no sense. But people don't think in those terms. They don't read them in those terms. And yes, there is a tendency to think the market will sort it out; the market will sort it out. But that implies people know. That implies people understand. And technology is in such a place at the moment that most people in the business don't understand, let alone people who aren't. So if CISOs and council can't understand what on Earth is happening to their data, why on Earth do we expect my mother to be able to? 

Dave Bittner: Do you suppose there's a fundamental misunderstanding here of the difference between security and privacy? 

Sophie Chase-Borthwick: Very much so. Very much so. My usual analogy is that privacy is a bag of money in a safe. Yes, the safe has to be suitable and protecting and all the rest of it. Now, that's your security. But you also need to make sure that the bag of money was legally acquired and is legally spent. That's privacy, making sure that otherwise you're just protecting stolen goods. And it can be the best safe in the world, but that doesn't matter. 

Dave Bittner: Yeah. So looking forward, what are some of the things that you'd like to see the new administration focus on? 

Sophie Chase-Borthwick: The first one I'd like to see is actually very simply, please can they - there's been a federal law on privacy bumped around a few times. It comes up. It goes down. It comes up. It goes down. The problem with it is when it's absent, we're getting 50 different privacy laws. And the states are passing their own, and they're all different, and they all contradict each other slightly in nuanced ways, which just doesn't work. We don't run the world in state by state - we don't even run it by country by country anymore. And yet somehow you've got to do different technology in California to Nevada. You genuinely run the risk of having a whole it's-OK-we-crossed-the-state-lines attitude in technology, which really doesn't work. It's - half of the data subjects, why should their rights change depending on which side of the line they work? And it's an inhibitor to development if they suddenly have to think about 50 different U.S. laws, let alone the worldwide ones. Yeah, that's the first one for me, very much. 

Dave Bittner: Are there lessons to be learned here from the experience that the EU has had with GDPR? 

Sophie Chase-Borthwick: In fact, that's why GDPR came in. Everyone thinks that it was brought in to make - like, it's an enhance privacy. And it does a little bit. But what it mostly does is tell the whole of Europe they have to have the same law. Europe had data protection laws beforehand, but it was a directive, not a regulation, which meant each individual country passed their own laws, which meant, genuinely, Spain would say that Italy didn't have enough protection. Doesn't work. Can't work. So the GDPR was actually brought in to unify European data protection law - very much a sort of federal law - so that data can transfer across Europe fairly, cleanly, without causing those sorts of problems that we are now seeing start to happen in the States. 

Dave Bittner: What are some of the other things that you think a Biden administration should spend their time on? 

Sophie Chase-Borthwick: The next one, the obvious one to people in the privacy industry, is Privacy Shield. An interesting thing when Privacy Shield got struck down was that nowhere in it did it say anything about the businesses that are accredited. Nowhere did it complain about those. It was all about the administration and the surveillance state, along with the fact that if a European did complain, they basically had nowhere to go. If a company did not comply with their requirements under Privacy Shield, there was nowhere to go with it. These aren't insurmountable things. To have a form of redress for non-U.S. citizens, that's not a tricky thing to do, or at least it shouldn't be. So Privacy Shield was great for a lot of companies. It allowed them to act with the rest of the world and when - it wasn't their fault that it got struck down. So it's very much in the administration's hands to get it sorted. And it would be a great boon to a lot of American companies. It's not the companies in the rest of the world that needed it. 

Dave Bittner: And what's the third thing that you have on your radar? 

Sophie Chase-Borthwick: Actually, this kind of ties to the federal law a bit. But the state, it's more - also with the States, what we're noticing is that all the privacy laws that are coming into the U.S. are all lumping all personal data together. It's personal data if you can identify a person. Now, that's good in a lot of ways, but it treats everything the same way. It treats cookies, it treats data from your cellphone the same as your email address. And it doesn't work that way. They are so different for such different requirements that to try and lump it all together - again, very difficult to develop, very difficult to work with, which means the U.S. is at risk of losing its edge. It's been at the forefront of technological development for such a long time that to now make that difficult would be a shame. And by lumping it all together - now, don't get me wrong. Obviously, I absolutely think cookies and cell phone data need protecting, but they do need protecting in a slightly different way. 

Dave Bittner: And what way do you think would be appropriate? 

Sophie Chase-Borthwick: Well, some of it's simple things like respecting browser settings, respecting the settings on your phone rather than everything having to go into every single app, every single website and turning off your cookies, turning off your tracking. If you've already got it set on your device, why don't people - aren't people forced to respect that? Location data - the new CPRA has made location data the same as health data because it's that sensitive, except it's not. It is in some ways. We don't need everybody knowing exactly where you go when you walk around with your phone. On the other hand, that means that you've just made somebody's smart vacuum cleaner the same as their medical records. Doesn't work. It doesn't gel. And unfortunately, a lot of it has come in because there has been bad behavior. I say bad in inverted commas. Nontransparent behavior is more accurate. And to be honest, I think that's the main issue. It's the lack of transparency and understanding. And so everything gets lumped in together because they want to stop everything rather than helping people understand what happens and making their own choice and then having the technology respect it. I shouldn't have to go into four different places on my phone to turn off being tracked when I walk around the street - not that I can walk down the street right now. But you get my point. 

Dave Bittner: (Laughter). You know, there's that that old saying that a camel is a horse designed by committee. And I wonder, you know, how do we strike this balance between, at a federal level, providing the protections that people want and what they desire with having so many different constituents having their own needs? Businesses want one thing. Consumers want another thing. How do we, you know, prevent sanding off all the edges and also not having unintended consequences? 

Sophie Chase-Borthwick: Well, ironically, for a company that is very pro-business, this is one of the things you can learn from business. So many businesses are truly global, and they already have to operate under all of these different laws. So many of them have an overarching which allows some detail in the different areas. So you have, you know, the minimum requirement. You must at least have this. So you know what your starting point is. You don't even have that currently. So yes, as - I totally agree with the camel. And you run the risk of some very strange bits coming into law. I'm a European. Some of the European laws - you can definitely tell the hand of the different countries. But what tends to happen is you get something that works for most people in the end. It doesn't work entirely, but it works better than having two states, three states apart from each other having completely conflicting laws. 

Dave Bittner: Do you suppose there's political will to see something like this go through at a federal level? 

Sophie Chase-Borthwick: I hope that the current administration more so than previously. I think that businesses are starting to want a federal law because of the issues that I've raised. There is occasionally a desire for it. Ironically, I think that the states passing more and more complicated laws is what will trigger it. I don't think it'll be preemptive to stop the states passing lots of laws. I think it'll be retroactive because they've passed, and they'll contradict each other. 

Dave Bittner: All right, Ben. What do you think? 

Ben Yelin: Very interesting interview. I mean, the point she brought up on the importance of uniformity I think can't be understated. And I know we've talked about this in the past, but having a federal data privacy law isn't just about expressing federal priorities, just as GDPR wasn't just about, you know, the laying out the specific rules of the road for the European Union. It's also about standardization. So, you know, we want to avoid the situation where companies have to comply with 50 separate state standards or alternatively, where, you know, California sets extremely high standards that are difficult to meet, but, you know, because companies want to do business in California, they have to massage their own practices to meet those standards. So that's where the federal government can and should step in. You know, I think that's one of those things that might not be as much up to the Biden administration as it is to the U.S. Congress. And you can never rely on anything getting through the United States Congress. 

Dave Bittner: Yeah. 

Ben Yelin: But I thought that was a really fascinating point, particularly about GDPR, because I think what she was saying is Europe also had that patchwork of privacy laws until GDPR came along and introduced that level of standardization. 

Dave Bittner: Right. It's nice for us to be able to look at that as a test case, to see what's working, what's not working. And, how could we possibly apply that to our own unique situation here? 

Ben Yelin: Absolutely, yeah. 

Dave Bittner: So, you know, nice to have somebody go out there and be the international guinea pig, right? 

Ben Yelin: Absolutely. 

Dave Bittner: (Laughter) Take the arrows in the back. Yeah. All right. Well, again, thanks to Sophie Chase-Borthwick for joining us. We do appreciate her taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.