Caveat 5.5.21
Ep 76 | 5.5.21

Privacy as a competitive advantage.

Transcript

Erez Yalon: We are now at the point in data privacy awareness where a huge player like Apple is setting a very rigid but necessary standard.

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin from the University of Maryland's Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben describes how the FBI has been found violating some privacy laws. I've got the story of Apple being sued over access to movies you buy online. And later in the show, my conversation with Erez Yalon. He's a senior director of security research at Checkmarx. We're going to be discussing Apple's app tracking transparency. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right. Ben, let's dig into some stories here this week. Why don't you start things off for us? 

Ben Yelin: So it's been a long time since we've checked in with our friends at the Foreign Intelligence Surveillance Court. 

Dave Bittner: (Laughter) The FISA folks, yeah. 

Ben Yelin: The FISA folks. 

Dave Bittner: Right. 

Ben Yelin: However, an article did come by in The Washington Post by Ellen Nakashima, "Federal court approved FBI's continued use of warrantless surveillance power despite repeated violations of privacy rules." I'm going to try and start a little metaphor here based on being a parent. 

Dave Bittner: (Laughter). 

Ben Yelin: Let's say your kid is constantly asking for ice cream. 

Dave Bittner: Yeah. 

Ben Yelin: And you say, you can only have ice cream if you do your chores. And the kids routinely mess up the chores. They're, you know, pouring crumbs on the ground. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: They're putting things in the wrong cabinet. They're not - you know, they said that they were going to clean the shower. But instead of pouring bleach, they poured in maple syrup. 

Dave Bittner: Leaving Lego all over the floor for you to step on. 

Ben Yelin: Exactly. 

Dave Bittner: Yep. Yep. 

Ben Yelin: Imagine, after all of that, you still decided to give them ice cream. 

Dave Bittner: (Laughter). 

Ben Yelin: That is what routinely happens with the Foreign Intelligence Surveillance Court. So over the past several years, the Foreign Intelligence Surveillance Court has done these annual reviews over Section 702 of the FISA Amendments Act of 2008. 

Dave Bittner: OK. 

Ben Yelin: That piece of legislation, which we've talked about, allows for our government to obtain the online communications of non-U.S. persons reasonably believed to be outside of the United States. And that information is collected. It's collected warrantlessly and put into a large database that is searchable by the FBI. Now, there are all these restrictions on this data and how it can be used. One of the main restrictions that was instituted in 2018 is that in order to search this database for garden-variety criminal matters, you need to obtain a warrant. The FISA court is supposed to review the program annually, check these so-called minimization procedures, and then decide whether or not the program can proceed. 

Ben Yelin: And several years in a row now, we've gotten these FISA court opinions once they've been declassified - and it's usually a few months after they've been released - saying there are serious deficiencies in how this program is being implemented, but we're going to allow the program to continue regardless. I think this has happened in 2018, 2019 and now 2020. So what they discovered in their 2020 survey is that the FBI and its personnel conducted queries of data troves containing Americans' emails and other communications seeking information without proper justification, which goes against not only Section 702 itself, but the Fourth Amendment of the United States Constitution, which applies to U.S. persons. 

Dave Bittner: Well, there's that. 

Ben Yelin: Right. There's that, yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: Even though they are required to seek a warrant if they're searching this database for criminal prosecution purposes, apparently hundreds, if not thousands of times, there were searches into this database which were done without obtaining a warrant. They describe an instance where an FBI specialist conducting background investigations made 124 queries of raw Section 702 data using the names of individuals who had asked to take part in an FBI Citizen's Academy program to foster greater understanding of the bureau's role in the community. But obviously, he did this without any sort of legal authorization from an Article 3 judge. 

Ben Yelin: So this has become a very large problem. Congress has tried to address it by instituting greater requirements on Section 702 surveillance. One of those is, of course, this warrant requirement under these limited circumstances. But all of these minimization measures are going to be useless if the FISA court allows this program to continue despite these violations. And so I think we're just kind of in this non-stop cycle where there's a scolding - there's a slap on the wrist, but the program is allowed to continue rather - in a way that's pretty much unabated. 

Dave Bittner: Is there any indication that the FBI are making good-faith attempts to improve how they approach this? Are they putting any additional things in place? 

Ben Yelin: Let's see if this quote makes you feel better. And this is an exact quote. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: "We are continuing to keep an eye on it," the FBI official said, "to see if we need to have some system changes or not." So that's... 

Dave Bittner: That's it. 

Ben Yelin: That's sort of where they are. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: I mean... 

Dave Bittner: Wow. 

Ben Yelin: To the FBI's credit, they are following proper procedures in that they are routinely applying to the FISA court for annual recertification of Section 702 surveillance. To me, the blame here lies with the FISA court itself, which has the authority to put a stop to these programs until they come into compliance with the statute. They've done that many times in the past with various surveillance programs saying, you are not allowed to conduct the surveillance program unless there's some kind of emergency, unless you fix these documented problems. 

Ben Yelin: The fact that they're not doing it here says a couple of things to me. One, you know, law enforcement still maintains a lot of credibility in front of FISA court judges. These are not adversarial proceedings. You're just hearing from the advocate on behalf of the FBI. You're not hearing from, in these types of cases at least, civil liberties advocates arguing why this is - this type of collection is wrong or unconstitutional. So there's that. 

Ben Yelin: And you always have to keep in mind that law enforcement and the intelligence community refer to Section 702 as the crown jewel of electronic surveillance. It is extremely effective. It helps us catch terrorists. And so, of course, the FISA Court knows that. They have to weigh these invasions of privacy on the fact that - you know, against the fact that this is a very successful national security surveillance program. And they seem to want to weigh in on the side of allowing the program to continue. 

Ben Yelin: My worry is FISA is going to start to lose its credibility as a mediating institution not only with the public, but with the FBI itself. And they just might stop, you know, taking it seriously if despite these deficiencies in the program, despite the inconsistency in applying minimization procedures, they leave with a slap on the wrist. And that's my concern here. 

Dave Bittner: Is there anything that Congress can do to help clamp down on this? 

Ben Yelin: They can, and they have, as I said, in that 2018 law. One thing they could do would be to require warrants for every search of the Section 702 database. That would obviously help a lot, but it wouldn't solve these problems because even when warrants are required, we now see that the FBI is not obtaining them in all circumstances. 

Ben Yelin: One of the reasons it's hard for Congress to act here is that these FISA Court opinions are classified and redacted until they're released to the public usually sometime in the future. So we're very frequently reacting to something that's happened six or seven months in the past, and Congress has a relatively short attention span. And, you know, many times, the FBI will go to Congress or other intelligence agencies will go to Congress and say, this was the opinion FISA issued in November. We've already taken these remedial measures. There's no need to restrict us further. And for the most part, you know, Congress is going to be pretty trusting of these institutions. 

Ben Yelin: But, you know, I think long-term, you might have to reform some of the institutions themselves. Currently, the only adversarial proceedings that are allowed at the FISA Court are when the court is considering a novel issue of law, something it has not considered in the past. That, as far as I'm concerned, does not apply to Section 702. It's not a novel law. There are no novel interpretations here. 

Ben Yelin: What Congress could do is require adversarial proceedings every single time one of these programs is up for annual renewal. And you would have to grant these advocates, and they'd generally be civil liberties attorneys, access to some of the classified information so that they can make an informed argument. That, to me, seems like a way you could correct for this problem. 

Ben Yelin: But again, you can do that. You can convince the FISA Court, as the FISA Court has already been convinced, that there are problems here. But the FISA Court still has discretion as a court to continue to allow these programs to exist. 

Ben Yelin: I mean, there is not really any easy solution here. The chief justice of the United States Supreme Court is the one who appoints FISA Court judges for seven-year terms. So maybe you could try and get into his ear and have some judges who are a little bit more discerning. But good luck with that, right? 

Dave Bittner: (Laughter) Well, you know, I wonder, too, is there something that could be done at the agent level? I mean, I know just anecdotally, when I've spoken to folks at the NSA, they've said that, you know, when - if they inadvertently stray into some information that they shouldn't be looking at and they know they shouldn't be looking at, that it kind of triggers a paperwork avalanche. So there's an incentive to not do that... 

Ben Yelin: Right. 

Dave Bittner: ...Because nobody wants to be hit with a paperwork avalanche, you know? So I wonder, is there something like that that - who knows? It may exist. But for the folks who are doing this, if an FBI agent does this without permission, can you dissuade them from doing it, you know, by triggering some sort of paperwork avalanche or other method to make it, you know, not worth the effort? 

Ben Yelin: I've sort of heard the same thing when speaking to folks at the NSA. And I think it's less of a problem with individual compliance 'cause I think they do have a lot of really good institutional checks. Generally, it's not the case that one person can search this database and, you know, recommend criminal prosecution based on what they've seen without oversight from their superiors, from other government agencies, et cetera. And, you know, when we have had compliance issues at the agent level, the people who are actually conducting the raw surveillance, I think the agencies have handled those appropriately. 

Ben Yelin: I think what we're dealing with here is more of a programmatic failure, which is that the entire culture of the agency has failed to stop some of these abuses, and that starts with leadership. And the FISA Court, while criticizing the agencies for failing to comply with the provisions of the law, has not stepped in and said - you know, used the powers that they have to actually stop the program in its tracks. 

Dave Bittner: Right. 

Ben Yelin: So until that culture changes at the top of the agency and in the FISA Court itself, I think it is less of a problem of individual agents. 

Dave Bittner: Right. There are no mandatory minimums at the FISA Court level - right? - (laughter) for punishments. 

Ben Yelin: Unfortunately not, yeah. That could be a reform proposal, yeah. 

Dave Bittner: There you go. 

Ben Yelin: Mandatory minimums - FISA Court edition. 

Dave Bittner: (Laughter) Right, right. All right, well, it's an interesting story and certainly one worth keeping an eye on - a little frustrating, too, I must admit. 

Ben Yelin: Yeah. It's one of those things where I feel like we're going to see this story again... 

Dave Bittner: Yeah. 

Ben Yelin: ...A year from now. And, you know... 

Dave Bittner: Right. It's like "Groundhog Day." 

Ben Yelin: Yeah, it'll be an annual tradition of ours to talk about... 

Dave Bittner: (Laughter). 

Ben Yelin: ...The public scolding that the FBI has taken from FISA... 

Dave Bittner: Right. 

Ben Yelin: ...Where they didn't actually do anything. 

Dave Bittner: Yeah. All right. Well, we will have a link to that Washington Post story in the show notes, of course. 

Dave Bittner: My story this week - I have to say that I have a bit of an ulterior motive for including this story - and we'll get to that in a second - because I have a personal bugaboo about something that is related to this. But (laughter) in the meantime, this is a story from Ars Technica, and it is about Apple being sued for terminating an account of someone who is a user on their platform that had $25,000 worth of apps and videos. Now Ben, you and I - well, mostly me - I'm old enough to remember (laughter) going back to the video store and, you know, renting videos. And sometimes if there was a movie that you really liked, you could buy that movie. You'd buy DVDs. People had large collections of DVDs. And of course, the thing about that is if that DVD's sitting on your shelf, that DVD is sitting on your shelf forever. It's yours. You own it, right? 

Ben Yelin: Theoretically, yes. 

Dave Bittner: I'm sure you could tell me all the reasons why I don't actually own the movie that's sitting on my shelf (laughter). 

Ben Yelin: We'll get to that. But - yeah. 

Dave Bittner: (Laughter) We'll put that aside for a moment. God, lawyers are so much fun. 

Ben Yelin: Oh, we're the worst. We're awful. 

Dave Bittner: (Laughter) So these days, of course, in the era of streaming movies, most of the time we rent or buy from a streaming service. And Apple, of course, is one of the more popular providers of that. And in this particular case, there was someone who had over $25,000 worth of apps and movies and so on and so forth that this person had purchased - a gentleman named Matthew Price. And for some reason, Apple terminated the account. And the reasoning is not listed here. But he's suing Apple and saying that you can't just cut off my access to these things I bought. I bought these movies. I bought these - this music. I bought these apps. And you can't just terminate my account and cut me off from the things that I purchased. 

Dave Bittner: And part of what's at issue here - and this is what we're going to get to with the other thing that really bothers me - is the definition of the word buy. If you buy something, what does that mean? (Laughter) Does it really belong to you or not? So what do you make of all this, Ben? Unpack it for me. 

Ben Yelin: So, yeah. What's actually happening here is Mr. Price is suing Apple on a false advertising claim because they are using that word buy. They're saying, press this button and you will buy this movie. But really, you're not actually buying it if Apple can come in at some point and say, you know, you're really only renting it. You're no longer a subscriber to Apple, therefore you don't actually own it, and we're going to take it back. 

Ben Yelin: I think this is a - you know, on first blush, a pretty compelling claim. Apple is responding by saying that no person would take that term literally. That, of course, in every circumstance... 

Dave Bittner: (Laughter). 

Ben Yelin: Right. And they always say that. But in every... 

Dave Bittner: Right (laughter). 

Ben Yelin: ...Circumstance, you know, there are going to be some exceptions where even though somebody bought something, Apple can still take it back. I'm trying to come up with an analogue from the non-digital world, as I'm wont to do. And I actually can sort of see what Apple is saying here. 

Dave Bittner: Yeah? 

Ben Yelin: So let's say I buy a bunch of movies from a movie store, a bunch of VHS. This is the 1980s. And I for some reason have gotten these movies on credit or something with the movie store, and I default on my payments either to the credit card or to the movie store. And I have defaulted for long enough that I've gotten a million different warnings. I still haven't paid. Ultimately, the government does have a right to come and seize my assets... 

Dave Bittner: Yeah. 

Ben Yelin: ...Even though I own them, you know? And whether that's your tangible property, like movies, or even your real property, they can do that in certain circumstances even though it's yours and at some point you bought it. I mean, granted, the circumstances are different because with an iTunes movie, you have paid for it. They've received the money. 

Dave Bittner: Right. 

Ben Yelin: And I guess what I'm trying to say is in some circumstances, even when you've technically bought something, I can at least imagine a scenario in which the company that sold it to you still retains some right to it under... 

Dave Bittner: Yeah. 

Ben Yelin: ...Some very limited circumstances. 

Dave Bittner: See, I... 

Ben Yelin: It's admittedly not a great metaphor. 

Dave Bittner: I just hear - I think it's this whole thing with digital rights and also encryption and access to content. The content providers sort of want to have their cake and eat it, too, where if I buy a record album - right? - a CD, whatever, I suppose you could claim that what I am buying is a license to use that content. 

Ben Yelin: Right. 

Dave Bittner: That I don't actually own the content because I'm not allowed to duplicate and resell it, right? 

Ben Yelin: Right. 

Dave Bittner: It doesn't belong to me that way. And I think most people understand that and think that's reasonable. But in this case, it seems to me like basically what they're doing is they're cutting you off from the authorization that you bought this product. And it is the - it's not having access to that authorization that makes the product useless. It's worthless if I can't hit the Apple servers, get the authorization key that tells my laptop, oh, yeah, you're authorized to play this movie, enjoy. 

Ben Yelin: Right. 

Dave Bittner: Right? And so why can't I have some kind of permanent key that I can download that is transferable? I don't need to hit Apple's servers in order to play the device. It - just like it would be in the old days of buying a DVD or a record album or a CD or, you know, whatever, a gramophone. You know, who knows, right? 

Ben Yelin: Right, right. Yeah. I mean, frankly, your reasoning seems to be compelling enough to the U.S. district court judge who's hearing this case. So Apple moved... 

Dave Bittner: Yeah. 

Ben Yelin: ...To have this case dismissed. And the district court judge said no, that they're at least going to move ahead and hear the merits of this case. So they are going to hear a claim of false advertising and unfair competition. Now obviously, Apple might not want this bad publicity. They might settle this lawsuit and maybe put, you know, a tiny, little, teensy tiny warning at the end of the terms and conditions that says... 

Dave Bittner: (Laughter) Right. 

Ben Yelin: ...Under very limited circumstances, we reserve the right to cut off your access to this thing that you have bought. Or maybe they put buy in quotation marks from now on. 

Dave Bittner: Right. Mr. Price finds a brand-new MacBook Pro on his front porch (laughter). 

Ben Yelin: Yeah, yeah. At least that would be the - using the carrots approach and not the sticks approach... 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: ...Which is good. So, I mean, I'm sort of glad that this case has moved forward 'cause it might force Apple to at least include - you know, not represent that when you're buying something, you're actually buying it so that you can own it forever. 

Dave Bittner: Yeah. 

Ben Yelin: And I think that could be kind of a groundbreaking concept, as you say, in the digital world. So I'm very curious to see how this case is adjudicated. 

Dave Bittner: Well, quickly, let me just give you the backstory here of why I was attracted to this story like a moth to a flame. And that is my own personal pet peeve about how mobile service providers have completely devalued the word unlimited, right? 

Ben Yelin: Right. 

Dave Bittner: Unlimited is a word that is not ambiguous. 

Ben Yelin: Right. 

Dave Bittner: We all know (laughter) what the word unlimited means. 

Ben Yelin: Yup. 

Dave Bittner: And so it seems to me that if a mobile carrier offers an unlimited data plan, we all know what that means. It means it's a data plan with no limits. And yet - and yet, Ben... 

Ben Yelin: Yup. 

Dave Bittner: ...(Laughter) If you buy an unlimited data plan, there are all sorts of limits on it. 

Ben Yelin: Yup, yup. 

Dave Bittner: And what drives me nuts is that - why has the Federal Trade Commission not tamped down on this? Why have they not gone to the mobile carriers and said, knock it off? Come on. Find a different word. This is bad-faith advertising here. It's not unlimited. This - again, this is not an ambiguous word. All right. I'm getting off my soapbox. 

Ben Yelin: No, it's a good soapbox. I mean, I think what the companies would say is unlimited has, in the digital world, become a term of art, you know... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Where it doesn't literally mean what it says. 

Dave Bittner: Right. 

Ben Yelin: Unlimited means something slightly less than unlimited. I mean, I guess we get to the point where... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Words start to lose all meaning, and, you know... 

Dave Bittner: Yeah. 

Ben Yelin: ...We're kind of back to square one. But I think that's what they would argue, that people, reasonable people, would have an understanding that unlimited doesn't actually literally mean unlimited. 

Dave Bittner: Yeah, I don't - All right. Well, this is a hill I'm prepared to die on, so... 

Ben Yelin: Die on that hill. Yep. 

Dave Bittner: (Laughter) All right. Let's move on (laughter). So it's time to move on to our Listener on the Line. 

(SOUNDBITE OF PHONE DIALING, RINGING) 

Dave Bittner: We got a kind note from one of our listeners, whose name is Jonathan. He writes in, and he says, greetings, Dave and Ben. I have a story and a question for the podcast. Several days ago, the giant parking payment company sent emails alerting users of a breach that compromised basic customer information. This breach apparently occurred in March. ParkMobile, which is the company, downplays the compromise, says only basic user information was accessed. This includes license plate numbers, as well as email addresses, phone numbers and vehicle nicknames if provided by the user. In a small percentage of cases, mailing addresses were also affected. This seems misleading at best. The loss of names, phone, license plates, etc., is arguably more serious than losing credit card information, which is easily replaced and covered by various protections for users. In contrast, the compromised data cannot be easily changed and puts customers at risk of being targeted by criminals. Furthermore, the notice misleads customers as to the severity of the compromise when they should instead be warned of the potential danger of their personal information to be misused. How can companies be held to account for the loss of basic data when the harms that result can't be directly linked to the loss? Is there any hope on the horizon? What do you think, Ben? 

Ben Yelin: I'm never one to say that there is hope on the horizon, unfortunately... 

Dave Bittner: (Laughter). 

Ben Yelin: ...As I've been burned too many times. 

Dave Bittner: (Laughter). 

Ben Yelin: But Jonathan asks a really good question here. So the short answer is that I think it's all going to come down to damages if there ever were a successful data breach lawsuit filed against this company. The actual standard for a data breach doesn't really change based on which data has been compromised. So whether it's credit card information or some of the so-called basic data we're talking about here - name, license plate, phone number - that doesn't, per se, change the cause of action. You know, it's still going to be the same lawsuit. If you can prove in court that - you know, and this hopefully will answer Jonathan's inquiry here. If you can prove in court that the damages of losing this basic information has been significant, has caused significant financial hardship, then perhaps you'd be entitled to more damages than if you had lost your credit card. That credit card had been canceled within 10 minutes. And that credit card was, as he says, easily replaced. 

Dave Bittner: Right. 

Ben Yelin: So I think the relief here comes during the damages phase in any given trial. 

Dave Bittner: But you can't go after them for potential, theoretical, hypothetical damages, right? It has to be real damages. 

Ben Yelin: Absolutely. Yeah, it has to be an actual case and controversy. Somebody has to have suffered some sort of actual injury, financial or otherwise. I see. You know, the problem is that most people don't go about suing the parking app on their phone for... 

Dave Bittner: Right. 

Ben Yelin: ...A data breach. It's just not worth it for most individuals, which is a big problem. You generally have to go the class-action route, which - you know, there are a lot of barriers to having class-action suits be heard. All data breach liability cases are still relatively new. And it's an area of the law that has yet to be fully developed. And this is an issue where state laws are very distinct. You have 50 different state regimes on how data breach liability works. 

Dave Bittner: Right. 

Ben Yelin: So in that sense, it is a difficult question for an individual consumer. So is there hope on the horizon? Maybe. Maybe that's the best answer I can give... 

Dave Bittner: Right. 

Ben Yelin: ...In that if you were to somehow be successful with a lawsuit, no matter what data had been breached, if that data was valuable and the loss of it caused you to suffer significant damages, then that would increase the liability on behalf of the business that had been breached. 

Dave Bittner: Right. One of the take homes here is we're not at the point where anyone assigns value to a particular type of data. In other words, you can't say, oh, my email was compromised. That'll be 50 bucks, please. You know... 

Ben Yelin: Right. 

Dave Bittner: ...It doesn't work that way. 

Ben Yelin: We are not at that point, no. 

Dave Bittner: Yeah. All right. 

Ben Yelin: It has to be individualized and dependent on the circumstances. 

Dave Bittner: I see. All right. Well, our thanks to our listener for sending in that good question. We would love to hear from you. We have a call-in number. It's 410-618-3720. Or you can email us. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Erez Yalon. He's a senior director of research at Checkmarx. And our conversation focused on Apple's app tracking transparency. Here's my conversation with Erez Yalon. 

Erez Yalon: It all started with Apple, like a lot of good fairy tales. Apple's iOS 14 update promised to be one of the most comprehensive software updates to date. And the reason was a big change to its privacy policy, which actually required developers to ask for permission before collecting anything regarding phone or tablet identification, which they call IDFA. This sounds something that is maybe small to some of the listeners, but actually this is one of the biggest steps or leaps towards privacy that we've seen lately. And the reason is because the feature will display notification on launch of new apps that will explain what the tracker will be used for and ask you to opt in to it instead of the usual opt out of it. 

Dave Bittner: Now, for a lot of apps - and certainly Facebook, I would put at the top of that list - I mean, this is a huge part of their business. And so Facebook has been pushing back on this. Yes? 

Erez Yalon: Yeah. Facebook - not only Facebook. I think Facebook was the most vocal, but others as well. We all know the cliche, right? If you don't pay for something, then you are the merchandise. So it's the same here. We definitely see that the information of individuals, information of groups, the data that is aggregated and in general the correlation that can be done between different pieces of information and analyzed to get us to specific understanding of human behavior in general and specific, it's worth a lot these days. And if you take it away from the big players, they're not going to be happy about that. 

Dave Bittner: And what puts Apple in the unique position to take this sort of stand? 

Erez Yalon: So that's a good question, and I guess you can see it as a naive move towards better world and better privacy. I don't think we need to be so naive. Basically, there is some sort of business reasoning behind it. It's not all about the securing and the - let's call it the consumer's needs. So I think it may be part of the story of maybe improving the privacy stance of the users of Apple in general, but also, it allows Apple to use their own mechanism instead of the general one, which they allow and also they allow to opt out of. But it's a very similar mechanism that gives competition to the others like Facebook and other big names. 

Dave Bittner: Do you suppose this could be a competitive advantage for Apple to kind of position themselves as the privacy platform, if you will? 

Erez Yalon: I think it will be. But I'm thinking that this is not the story from my side anyway. So I do believe that they look like very progressive at the moment. And - but privacy enthusiasts such as myself would very much welcome this transparency. We don't really look at the reasoning too much. Be it enforced or optional, transparency should be a core value of every organization, I think and individual. We are now at the point in data privacy awareness where a huge player like Apple is setting a very rigid but necessary standard. And I think this is - as I said, this is by far the most effective way to increase transparency around data privacy and use. And any organization that wants to remain - or use Apple's far-reaching application consortium will automatically comply. And the others will make do. I mean, some people say that there will be no more place to people - to companies that are using these mechanisms. Some say that they will develop some other way of getting paid, either by freemium models or other mechanisms. I'm pretty sure that they will manage. They will find a way, either by having a less specialized way of putting advertising or something else. And Apple's new policy makes transparency and privacy a mainstream issue. We would not talk here if they would not do that. And I really hope that if other tech giants follow their lead, we will quickly see it become a standard practice in general. 

Dave Bittner: I saw a response from Facebook, and I'm paraphrasing here. But they said something along the lines of saying that in response to this, they were going to have to extract some pain from Apple. And that made me wonder what sort of leverage Facebook has against Apple. I mean, I suppose the - you know, the nuclear option would be to pull their app, but I can't imagine that happening. 

Erez Yalon: No, I can't imagine that happening as well. I think that Facebook will probably shoot their own foot by doing that. Eventually, everyone will have to get along because this is not something that is going to change, as it seems. It seems like Apple is very, very dedicated to this move. And I think that at the moment, Facebook is trying to change things. But in general, the consumers are already talking about privacy, and they're already talking about the entire idea of being followed so closely in their apps and things that they did not know before. And suddenly they have the knowledge, so I don't really think you can roll it back. You just need to adjust, as we do all the time with technology. 

Dave Bittner: Yeah, I wonder if this awareness, you know, as people are loading, you know, the new version of iOS and they see these warnings pop up or these information screens pop up that say, you know, this is what this app is doing, are you OK with that? - having that put in front of them, will that help with a push towards more regulation? Will people start calling out to their lawmakers and saying, you know, I really wasn't aware of the degree to which my data was being pulled, and, you know, it's time to claw some of this back? 

Erez Yalon: So this is something that I personally hope so. I think that under the category of knowledge is power, specifically here, knowledge is what gives you the power to make an informed decision. Knowing exactly what data is being shared is a much more transparent process than having, you know, convoluted understanding that some of your personal information is something that's sometimes being shared for some sort of vague purpose. Now, it's really front and center. And many consumers claim that privacy is not a major concern because they feel they have nothing to hide. Did you hear people say that before? I don't care; I have nothing to hide. My experience shows that when these same people see exactly what information about them is being kept and the conclusions the big software companies make out of these snippets of data, they often change their stance. And I think that Apple's policy change could have an interesting awareness effect on consumers. 

Dave Bittner: How do you see this playing out? As Apple rolls this out, do you think they'll be successful with this, and Facebook will merely have to - and other companies will just have to go along with it? 

Erez Yalon: Yeah, I think they will be successful. I think that we already see many companies adopting it before the actual deadline of this update. We see a lot of applications that pop an explanation before they pop up the question of Apple so they can kind of explain what they want to do and explain why they keep your information. And I think this is, again, around awareness. I think that suddenly people know what to ask - for example, what kind of information are you collecting? How much time are you going to keep it? Why? Because maybe I don't care now, but maybe I'm going to run for office in 20 years. Are you still going to hold this information? 

Dave Bittner: (Laughter) Right. 

Erez Yalon: So there are so many questions about that. And, yeah, I think that the discussion is rolling at the moment. I think that companies understand that, and I think we're moving forward. And, again, this is a clear sign that the value of data is continuing to grow. And as operating systems like Apple and governments are beginning to pay more attention to how data is used, the companies like Facebook - I think they are prepared to protect their most valuable assets, but they will move forward with the trend because this is definitely a trend, and I hope it's going to continue. 

Dave Bittner: You know, when I think about those sort of preemptory messages that some of these app developers are popping up, I think of, you know, the teenager who had a party in the house when the parents were away... 

Erez Yalon: (Laughter). 

Dave Bittner: ...And meets the parents at the front door when they come home, and says, you know, there's a perfectly good explanation for what you're about to see (laughter). I just can't help thinking of it that way. 

Erez Yalon: Yeah, definitely. Yeah. Yeah, it's going to require some change, you know, from software vendors and legislators and consumers. But, yeah, it's a new trend. It's a new era maybe of understanding the worth of the data, and I think that we're going to a better place regarding that specifically. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: Really interesting interview. It seems like what Apple is going for here might seem altruistic, saying they're trying to protect the privacy of its users. And, you know, I sort of think what they're doing is a good thing, despite the protestations of companies like Facebook saying that they're not able to make as much in advertising... 

Dave Bittner: Right. 

Ben Yelin: ...If the users are getting these types of warnings about app tracking. But obviously, as Erez said, there's a lot in it for Apple, as well - that they're not really doing this for altruistic reasons. They are trying to gain a competitive advantage. So I thought it was just a very interesting conversation. 

Dave Bittner: Yeah, I think it's interesting, the whole notion of privacy as a competitive advantage. I think that's something we're going to see more of. 

Ben Yelin: Yeah, I do, too. And frankly, it's a good thing because if the government is slow to act, then the market steps in. And... 

Dave Bittner: Right. 

Ben Yelin: ...You know, if people - if companies are competing over individuals using privacy as a selling point, that theoretically is going to be very useful for individuals because companies will try and outdo one another in terms of privacy protections. 

Dave Bittner: Right. 

Ben Yelin: That could be more beneficial than government regulation, potentially. I sound like a libertarian now, don't I, Dave? 

Dave Bittner: (Laughter) Right. Right, exactly. I'm going to say the new Apple iPhone 15 with built-in cloaking device, right? 

Ben Yelin: There you go. 

Dave Bittner: (Laughter) Right. All right. Well, our thanks to Erez Yalon from Checkmarx for joining us. We want to thank him for taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.