Caveat 2.24.21
Ep 66 | 2.24.21

Internet of Bodies (IoB) devices: technology is advancing much quicker than regulations can.


Mary Lee: I think consumers should be wary and just proceed under the assumption that once the data is collected by that device, they probably won't have complete control over how that data is stored and used, and they should maybe prepare for that data to be breached or shared.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben looks at a state tax on social media advertising. I've got the story of members of Congress working with the Biden administration on Section 230 reforms. And later in the show, my interview with Mary Lee from the RAND Corporation. We're going to be discussing a concept called the Internet of Bodies, opportunities, risks and governance.

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump in with some stories here. What do you got for us this week? 

Ben Yelin: So I don't want to be too Maryland-centric. I know the two of us live in that state. 

Dave Bittner: The great state of Maryland (laughter). 

Ben Yelin: The great free state of Maryland. But we have a very relevant and interesting story coming out of that state this week. 

Dave Bittner: Yeah. 

Ben Yelin: So last year, the Maryland General Assembly - they voted on a bill and approved a bill to institute the country's first tax on Big Tech's ad revenues. This would be taxing the ad revenue on sites like Google, Facebook, Twitter, et cetera. The bill was vetoed by Governor Hogan. But just this past week, both houses of the Maryland General Assembly voted to overturn that veto, so the bill will be enacted into law. And it is, as I said, the first of its kind in the country. It's expected to generate as much as $250 million in revenue for the state, which, obviously, the state needs, given that tax revenue has declined over the past year due to the COVID-19 pandemic. 

Dave Bittner: Right. 

Ben Yelin: And that money is going to be mostly for public schools... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Obviously something all of us need. 

Dave Bittner: Yeah. I only laugh because isn't that what they always say? 

Ben Yelin: Right, yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: This money will definitely not go into a slush fund. 

Dave Bittner: Right, exactly. The money will go to schools right up until the moment when we need it for something else (laughter). 

Ben Yelin: Exactly. 

Dave Bittner: I hate to be cynical, but I think it's justified. 

Ben Yelin: It's totally justified. There's always the proverbial lockbox where it's supposed to go to transportation, you know. 

Dave Bittner: Right. 

Ben Yelin: And then there's a rainy day, and - eh, let's crack open that lockbox. But at least that's the intention for the money, and it would raise a lot of revenue. The way the tax works is, it is progressive. So on smaller companies - companies with lower annual profits or revenue - the tax is something like 2.5%. But for the really big guys, the ones that make over a certain threshold in profits per year - Google, Twitter, et cetera - that's going to be a 10% tax. So it's pretty hefty. 

Ben Yelin: As you can imagine, the lobbyists in Silicon Valley hired by these companies were not happy with this legislation. They certainly made their voices heard at the Legislature and among the general public. I know you and I have probably heard ads on podcasts or on the radio or targeted at us online... 

Dave Bittner: Yep. 

Ben Yelin: ...Saying, you know, this is a tax that's going to be passed on to the consumer. They'll talk to a small-business owner who says, woe is me, you know, I advertise on Google, and they're going to pass this cost on to me. 

Dave Bittner: Yeah. What struck me about the pushback here is that, as these things often are, the ads are quite vague. 

Ben Yelin: Yes. 

Dave Bittner: And they've just been saying, you know, a new tax during a pandemic - you know, like, how could anyone consider such a thing? But they don't really say what it is or how it works or it's just... 

Ben Yelin: Right. 

Dave Bittner: It's just bad (laughter). 

Ben Yelin: At least be honest and say, this is a tax on billion-dollar companies. Now, it is possible that because of this tax, these companies are going to raise the cost of advertising that they put on Maryland businesses, on small businesses, and as a result, you know, maybe that cost will be passed down. I think there is some truth to that. But that effect, at least in my experience, is always exaggerated. Any sort of tax on large corporations, there's always the argument - or really, any policy that benefits working people, there's always an argument that, well, the tax is going to trickle down to the consumer. 

Dave Bittner: Right. 

Ben Yelin: And sometimes it does, but sometimes it doesn't... 

Dave Bittner: Right. 

Ben Yelin: ...Especially when this tax probably is a drop in the bucket for some of these big companies. 

Dave Bittner: And these big companies have been doing very well throughout the pandemic. I mean, as, you know, people have been living more of their lives online, they've been raking in the profits. 

Ben Yelin: Absolutely. We've all spent more time on Amazon, on Google, as we've been home and as things have all shifted to being digital, as we're spending our hours on Zoom calls and not in in-person meetings. I will say, this tax is going to face some significant legal issues, which I found interesting. 

Ben Yelin: For one, these companies aren't based in Maryland. So you have a law, a Maryland law, that's going to tax activity that originated outside of the state. They're putting up the advertisements where they're headquartered or domiciled, so California most likely. And that could run afoul of the U.S. Constitution. I won't get into the weeds of civil procedure, but generally, a state doesn't have jurisdiction to levy taxes or fees against businesses that don't have any activity in that state. I think you can make an argument that - again, I have to say this without recalling my civil procedure class... 

Dave Bittner: (Laughter). 

Ben Yelin: ...That these companies are choosing to do business in Maryland and, therefore, are perhaps willingly subjecting themselves to Maryland tax law. There's also a federal law that says taxes on digital goods or services have to apply to their equivalent physical products. And so since this law doesn't impose a tax on nondigital advertising, like a billboard or a TV commercial, it would run afoul of that law. That potentially could be compelling. What the state has said is, it's not - the activity that is subject to the tax is the contract between the business buying the advertisement and the tech company and that the tax applies to that contract whether that contract is in electronic or written form. It's a stretch of an argument, but, you know, that might be enough to put the law on solid ground. 

Ben Yelin: So we're definitely going to see those lawsuits because there's a lot of widespread opposition among the business community to this piece of legislation. But I will say, you know, as states start to look for sources of revenue, we're going to see more laws like this being proposed not just in bluer states, but in red states like Indiana as a source of revenue. And it has been done successfully in Europe. So it's just a new revenue model for states to take advantage of the massive profits of these online behemoths doing business within a state. 

Dave Bittner: So what happens next? I mean, they override the veto here. This becomes a law. The lawsuits come. Does that put everything on hold while those lawsuits make their way through? 

Ben Yelin: Not necessarily. So the tax could still come into existence unless there is a preliminary injunction. So if a court decides that this tax going into being would cause irreparable harm, then the court could issue a preliminary injunction, which means the law is put on hold until they can have a more formal process. That's always a possibility. I'm not sure that this tax would rise to that standard of an irreparable harm. I'm sure that's what Google and Amazon will argue in their briefs, that it would cause an irreparable harm to them. I think that would be a difficult case to make. 

Ben Yelin: It's possible that we don't see that preliminary injunction, you know, the case goes through, and it still loses - or the law still loses on the merits, that it is declared unconstitutional. And that would have potentially a ripple effect. So if it's a Maryland state law, that would be persuasive authority to other states, but not mandatory authority. As I expect, there are going to be a lot of federal cases on this because it implicates federal laws and the U.S. Constitution. And so, you know, if this makes it through the federal court system, that potentially could be binding precedent on other states that are trying to enact these types of laws. 

Dave Bittner: So this will be one to watch. Lots of people will be keeping their eyes on how things go in Maryland. 

Ben Yelin: Absolutely. And if you're in Maryland and you are reading an article and see some digital advertising, you can take some comfort in the fact that these companies that are producing this advertising might be subject to a new tax, if that's the type of thing that gives you comfort. 

Dave Bittner: (Laughter) Right. Or it may get your dander up if it's the kind of thing that makes you mad. 

Ben Yelin: Yeah, exactly. Or if you're a small business owner... 

Dave Bittner: Right (laughter). 

Ben Yelin: ...And you're like, I bought X amount in Google ads, and I want to buy more, and now they're going to raise their prices by 10%.

Dave Bittner: Right. Right. 

Ben Yelin: Yeah, that might not be so great. 

Dave Bittner: So there's an emotional - yeah, there's an emotional reaction here for everyone. 

Ben Yelin: Exactly. Exactly. 

Dave Bittner: (Laughter) All right. All right. Well, it's an interesting story, and we'll have a link to that story in our show notes. 

Dave Bittner: My story this week - this comes from the folks over at Reuters, written by Nandita Bose and Jarrett Renshaw. It's titled "Big Tech's Democratic Critics Discuss Ways to Strike Back with White House." So what they're getting at here is that primarily Democrats in Congress have been getting together with the White House on ways to come after Big Tech, including making social media companies accountable for disinformation, looking at reform or more with Section 230. Different people have different amounts of change they want to have come out here. But it's interesting to me that these conversations have started - you know, new White House, new administration. Some of these people are going - not hesitating to push forward with their policy desires here, right, Ben? 

Ben Yelin: Yeah. So it's always a good time when you have a new administration, if you have a policy interest, to try and feel them out, see if your policy interests align with theirs and see if, you know, you can get it to the top of the White House's priority list. And that seems to be what's happening here. You have a lot of Democrats who are concerned about Section 230, the Communications Decency Act, I think, particularly because all of them lived through the riots on January 6 at the Capitol. And a lot of those tech companies allowed some of the conversations surrounding those riots to continue unchecked on their platforms. 

Ben Yelin: And this is not just the Parlers of the world. You know, some of these activities were planned on Facebook and Twitter or Reddit and were out in the open. And so if you're a Democratic lawmaker who was at the Capitol that day, I think this is something that's going to be very visceral. And they want some sort of mechanism to hold companies accountable if they don't police this type of content. And I think there's a lot of concern about the role that social media played in allowing this attack to happen in the first place. 

Ben Yelin: It's interesting to me - one of the Democratic lawmakers who they mention in this article is a gentleman by the name of Tom Malinowski. He's a member of the House Homeland Security Committee. He has experience - I think previous to being in Congress, he was in the intelligence community or worked in foreign policy in the Obama White House. And he was the target of some really vicious online advertising that implied a connection to pedophilia and QAnon. And so it's become kind of a pet cause of his to root this out, to root out the rot on the internet. And so as part of his proposal, his idea, he wants to hold companies legally liable if they are promoting this type of false content and if they're using algorithms to highlight posts containing false information. So it's just interesting to see his name out there. 

Dave Bittner: Yeah. It's interesting to me - this article points out that Democratic Senator Ron Wyden, who is the co-author of Section 230 - they're pushing for reform. One of his aides said that they're looking for a deliberate approach to reforming the law rather than repealing it, which I suppose is not surprising coming from one of the co-authors of it (laughter). They wouldn't want to just throw it out the window. 

Ben Yelin: Yes, although you'd be surprised - the author of the Patriot Act 15 years later said, we - this needs to be essentially thrown out the window. 

Dave Bittner: Oh, interesting. 

Ben Yelin: Sometimes opinions change over the course of 20 years. 

Dave Bittner: Yeah. 

Ben Yelin: And I honestly think that's fine. 

Dave Bittner: Yeah. They also mention Republican lawmaker Josh Hawley, who's been pushing to repeal Section 230, so get rid of it. And they're coming - a lot of Republicans - Mr. Hawley's inclinations have been accusing the tech companies of censoring the views of conservatives, which is - it's interesting to me because I suspect that if you got rid of Section 230, that's going to lead to a lot more clamping down on what people say on these platforms. They'd get the opposite of what they're after here, I suspect. 

Ben Yelin: I have the same thought. I mean, they - certainly, more would be censored because these companies would be terrified about being held liable for actions that emanate from content being posted on their platform. So if you think back to the riots on January 6, there was a lot of violence that was fomented on these platforms. If Section 230 had not been in place, I think we'd have both criminal and civil action against some of these big tech companies for not policing that content. And they might be sued out of existence because there was a lot of damage. There were a lot of damages - not only the lives that we lost, the physical damages, but certainly, the emotional distress felt by lawmakers and everybody who was at the Capitol. So, yeah, it always sort of confuses me that Section 230 is their target when we're talking about content that they think should not be policed as much. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: Yeah, it is confusing to me. I mean, I do think the fact that you have opposition to 230 from both sides of the political aisle means maybe there's a sweet spot in there where you can find some compromise. 

Dave Bittner: Yeah. 

Ben Yelin: And maybe - you know, and I think we talked about this on last week's show. Maybe there are some amendments you can make that limit its application. But because the reasoning behind each side's opposition to Section 230 - because the reasoning's so different on the Republican side than on the Democratic side, I'm not really sure there is common ground to be found here. But maybe I'll be proven wrong. 

Dave Bittner: Right. No, it reminds me of, you know, the old days with - old days, but the not-too-distant past, I suppose, when people were talking about Obamacare. And you would often hear these people, you know, throw around statements like, you know, 70% of people don't like Obamacare - and I'm making up that number - but when you dig into it, you'd find that, like, you know, 30% thought it went too far and, you know, 45% thought it didn't go far enough. So people were dissatisfied with it for completely opposite reasons. 

Ben Yelin: Yes. 

Dave Bittner: But when you combine those two together, you get this big number that sounds like it's not popular. 

Ben Yelin: It's a very common misperception people have about polling. I mean, I notice this with polls of - the best example to me is Mitch McConnell because he is always, like, the most unpopular national politician. 

Dave Bittner: Yeah. 

Ben Yelin: But that's because all Democrats hate him for being, you know, a prominent Republican, but a lot of Republicans dislike him for not being conservative enough - not being loyal enough to President Trump, for example. So I think that's kind of the same issue here. The McConnell haters are probably not going to find a lot of common ground because they hate him for different reasons. 

Dave Bittner: Right (laughter). 

Ben Yelin: And I think that's an analogy for Section 230 here. 

Dave Bittner: (Laughter) Right, right. The enemy of my enemy is my friend might not apply here, yeah. 

Ben Yelin: Yeah, not actually true in a lot of cases, yeah. 

Dave Bittner: Yeah, yeah. All right. Well, this article is from Reuters. It's titled "Big Tech's Democratic Critics Discuss Ways to Strike Back with the White House." We will have a link to that in the show notes. 

Dave Bittner: We would love to hear from you. If you have a question for us, you can call us and leave a message. It's 410-618-3720. You can also send us email to 

Dave Bittner: Ben, I recently had the pleasure of speaking with Mary Lee. She is a mathematician from the RAND Corporation. We discuss an interesting concept - the Internet of Bodies, the IoB. We talked about some of the opportunities and risks that could come with that. Here's my conversation with Mary Lee. 

Mary Lee: We define the Internet of Bodies as an ecosystem of a network of certain internet-connected devices along with the data and the software that they contain. So the devices we define as containing software or computing capabilities can communicate with an internet-connected device or network and satisfies one or both of the following. They either collect person-generated health or biometric data and can alter the human body's function. So basically, it's kind of a progression of the Internet of Things, which I think we're all aware of at this point. By now, you know, everything's connecting to the internet, whether it's your car or your toaster - whatever it might be. And so now a lot of those kinds of devices are moving into or onto the body. And even if they're not always directly connected to the body, they might be evaluating or measuring something about your health or your biometric information. 

Dave Bittner: I see. No, I think a lot of us are probably familiar with things like, you know, the Apple Watch. And I have one of those, and it keeps an eye on my - you know, my heart rate. And I can have it do various tests. It also keeps track if I've fallen down, you know, and can do alerts - those sorts of things. I mean, it seems to me like that sort of falls in the center of what we're talking about here.

Mary Lee: Yes, exactly. So things like Apple Watches, Fitbits - all of those are considered part of the Internet of Bodies. And so that's a testament to sort of how popular these sort of devices have become at this point. 

Dave Bittner: And so what are the issues that you're all concerned with here? What are some of the things we need to be wary of? 

Mary Lee: In our report, we go over what the risks are. We also go over the benefits, which I don't want to gloss over either because I think there are a lot of benefits that we can take away from these kinds of devices. 

Dave Bittner: Right. 

Mary Lee: But the risks are things like cyber risks, national security risks potentially, ethical and data privacy risks - you know, a lot of similar risks that you might see with Internet of Things. But I think these devices are, arguably, much more intimate than ever before and gathering much more intimate data than ever before. And so while some of the risks are the same as with IoT, the risks might be broadened a little bit because these are so close to you. 

Dave Bittner: Yeah. Now, I think there's a lot of sort of common misunderstanding out there as to what exactly falls under HIPAA and what does not when it comes to these sorts of devices, but I think also in general. How much of what happens with these devices is under the jurisdiction of HIPAA? 

Mary Lee: That's a really good question. So HIPAA only applies for what are called covered entities. So that's - like doctors and insurance companies, they can't talk about a person's personal medical issues. A lot of IoB devices, because they're actually consumer devices and not medical devices and not under the umbrella of these covered entities, there's no HIPAA regulation for a lot of IoB devices. 

Dave Bittner: Now, are a lot of these devices - you said consumer devices and not medical devices, and that strikes me as being, you know, not unlike what we experience with supplements versus prescription medicines, you know, or even over-the-counter medications, where it seems to me, like, you know, a lot of supplement-makers, if they put the words on their package that says, this is not intended to treat any disease, that gets them away from a lot of restrictions that they would otherwise have. Are we in a similar situation here with IoB devices, that if the manufacturers say, you know, this is just a consumer device, it's for your own entertainment (laughter) - you know, we're not actually trying to track a disease or something - does that give them a lot more leeway with regulators? 

Mary Lee: Yes, I think so. The difference is that with medical devices, those are regulated by the FDA. And, you know, there's a very specific definition of what a medical device is and whether the FDA has jurisdiction over it. And so if the FDA doesn't regulate an IoB device, it's really just kind of a patchwork of other regulations that would cover the device. 

Dave Bittner: What is the regulatory environment right now when it comes to these sorts of devices? I mean, do we have adequate rules in place? Or is this an area where the government is playing catch-up with the rapid development and evolution of these sorts of things? 

Mary Lee: So we think it's like a lot of other emerging technology, where the tech is just advancing so much faster than the regulations can. In the U.S. across all 50 states, it can be very different according to what state you're in. There's no federal regulation that covers all of these devices. 

Dave Bittner: And is there any movement for something like that? Are we seeing any desire from the federal level for Congress to - are they taking a look at these sorts of things? 

Mary Lee: I believe some people in Congress have introduced bills, but they haven't really gotten anywhere. 

Dave Bittner: Well, let's go through some of the recommendations that you all have made here. What are some of the things that you would like to see put into place? 

Mary Lee: This is a really complex policy area. And the range of IoB devices and data is really vast. So there's not going to be a single policy that is going to be able to address all of the risks. But to address the risks to privacy, for example, Congress might consider establishing a federal data transparency and protection standard for the data that's collected by these devices because, as it stands, consumers have limited ability to sort of identify what is happening with this intimate data. So that would be a start. They could potentially model it after the European Union's General Data Protection Regulation or the California Consumer Privacy Act, looking at the lessons learned from both of those regulations and the consequences from those regulations, the successes and the failures, to think about the best way for IoB users to retain the rights over their personal information. 

Dave Bittner: Right. You know, we've seen some stuff from Apple, for example, lately, where they've started putting some really, you know, overt labels on software in the App Store that really lays out for you, you know, this is what this app does, this is what it gathers, this is who it gets sent to. Is that sort of labeling a useful thing for consumers as well to just, you know, make sure that people know what they're getting into when they're using these devices? 

Mary Lee: Yes, absolutely. I think so. And in a lot of ways, because the regulation isn't there yet, it's up to the consumer to make sure that they read and understand that information. 

Dave Bittner: What sort of advice do you have for folks who are out there shopping for these sorts of things, who see the - you know, the broad range of benefits - but what sort of things should also be on their mind to make sure that they're going to be properly protecting themselves? 

Mary Lee: I think consumers should be wary and just proceed under the assumption that once the data is collected by that device, they probably won't have complete control over how that data is stored and used, and they should maybe prepare for that data to be breached or shared because, ultimately, the consumer needs to be aware that their data is being collected by these entities, and the developers might not have the user's best interests in mind. 

Dave Bittner: Yeah, so it's not the intimate relationship, for example, that you have with your doctor, where there's an assumption that that information is going to be, you know, held close. Just because it's something, I don't know, medical adjacent, you shouldn't have a false sense of security, I suppose. 

Mary Lee: Yes, exactly. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: I think it's really interesting. I've had students who've written papers about the IoB, and it's just an area that's been kind of unexplored because the technology is still relatively new. I mean, how long has Apple Watch been in existence now? 

Dave Bittner: Yeah, just a few years. 

Ben Yelin: Even compared to the life of an iPhone, you know, it's just something that we're not quite used to. And we've had a few legal cases that have turned on things like Apple Watches, Fitbits, where it can be used as evidence, for example, that somebody's heartbeat had increased at a significant rate at the time of a murder, for example, and that can be valuable evidence for law enforcement. So I think it is interesting that it presents all of these promising developments. I mean, you talked in the interview about how, you know, if you've fallen, it can be kind of your life alert. 

Dave Bittner: Right, right. 

Ben Yelin: Like those old commercials, where it lets somebody know that you've been hurt. But, you know, just like lots of forms of technology, while it can be our friend, it could also potentially be our enemy. 

Dave Bittner: Yeah. 

Ben Yelin: So I think we're just - we're in the very early stages of trying to figure out how to police this technology, how to take advantage of its benefits, without having it invade our privacy. 

Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Mary Lee for joining us. We do appreciate her taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.