Caveat 5.12.21
Ep 77 | 5.12.21

Privacy sector shift under the Biden administration.

Transcript

Caitlin Fennessy: That piece around expectations and protecting and using and sharing data in line with expectations is at the heart of privacy and data protection.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin, from the University of Maryland's Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben has been following the trial between Apple and Epic Games. I've got the story of a ruling that says Snapchat can be sued for their role in a fatal car crash. And later in the show, my conversation with Caitlin Fennessy from the International Association of Privacy Professionals on the shift in the privacy sector under the Biden administration. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's dive into some stories this week. Why don't you start things off for us? 

Ben Yelin: So my story is a summary of a case that is actually starting this week between Apple and Epic Games in a federal district court in California. And the article comes from The Washington Post technology section. Dave - I don't know - are you a gamer at all? Do you dabble? 

Dave Bittner: I have been - not so much lately. I dabble with games on my iOS device, but I'm not a console gamer. I have two boys, and both of them are console gamers. So we have had a parade of Xboxes in our house. So I'm familiar with them (laughter). 

Ben Yelin: Yes, I can imagine. Yeah, I'm not much of a gamer either, and I'm sure I'm going to say things that mess up the details of the games here. And... 

Dave Bittner: Right. 

Ben Yelin: ...All of our gamer listeners are going to be, you know, putting their heads on the desk. So I apologize... 

Dave Bittner: Yeah (laughter).

Ben Yelin: ...In advance. But this lawsuit concerns Epic Games, which produces the extremely popular game Fortnite, which I understand is some sort of fighting game where the best man wins. 

Dave Bittner: Yep, yep. 

Ben Yelin: That's how it was explained to me in the article here. I have not... 

Dave Bittner: I've watched my boys play it many times. It looks like it's a lot of fun. It's a little too twitchy for me. I think I suffer a bit from motion sickness when playing this sort of game (laughter). 

Ben Yelin: Yeah. I do remember Fortnite. There was a funny "SNL" skit about an older guy played by Adam Driver playing Fortnite with the young kids. So I remember it... 

Dave Bittner: Yeah. 

Ben Yelin: ...From that. Anyway, I digress. Epic, last summer, tried to sell the game and some of the things that you can - some of those in-game purchases directly to the consumers, bypassing the Apple store. As you know, on iOS devices, you can only download items that are purchased from the Apple store, and Apple takes a 30% cut on profits from anything that's sold within the Apple store. 

Dave Bittner: Right. 

Ben Yelin: So Epic tried to go around that, tried to sell these items to consumers directly, going around the Apple store. And as a punishment, Apple decided to remove the Fortnite app from the Apple store. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: So if you want to play Fortnite on your device, you have to go to Google Play on your Android phone, or you can play, you know, via console. But since last August, it has been unavailable in the Apple store. So Epic has brought suit on a claim of an antitrust violation, basically that Apple is forcing you, in order to purchase the benefits of Fortnite - so whatever people are purchasing on their in-app purchases - they have to go through this Apple system, and it's preventing them from being able to engage in a competitive marketplace. And this case is actually set to start this week in a federal district court in California.

Ben Yelin: There are a lot of really important issues here that get into antitrust and how it's going to work in the technical world. So it kind of comes down to how the judge is going to interpret our antitrust laws. The first question is, does Apple have a monopoly? That's a difficult question to answer. I mean, technically, it's a duopoly because there's the Apple store, and there's also Google Play. That's pretty much it as it applies to smartphone applications. But Epic is arguing here that the market in this case should be defined simply as the mobile operating system. And in that sense, you can't download anything on iOS without going through the Apple store, so that's the monopoly. That's what they're alleging. 

Dave Bittner: Right. 

Ben Yelin: What Apple is saying is that the market is broader than just smartphones. You can play Fortnite without going through iOS. And that's true. It's sold on PCs, gaming consoles, phones running Androids, et cetera, et cetera, et cetera. I should note that on the Android phone, you can actually download Fortnite without going through the Play store. So this is not an issue on Android devices. 

Dave Bittner: Right. Android doesn't have the degree of walled garden that Apple has with their App Store. 

Ben Yelin: Exactly, exactly. So for Epic to succeed, it has to show that Apple is abusing its monopoly power in violation of antitrust laws - basically, that Apple is forcing all developers to use the App Store to distribute software and to use Apple's payment processing system, which makes them forfeit 30% of their profits. And this goes against a well-known principle in U.S. antitrust law, where you can't tie one product or service to the sale of another. So for example, in this case, it's the App Store and the payment system. Apple says that its - you know, the app store and its payment processing system are part of a single product. But what Epic is trying to say is that it's not a single product. You're forcing people to use their payment processing system in order to have something listed on the app store. So this is going to be an extremely high-profile case that's worth following, and it's high-profile enough that Tim Cook himself is supposed to testify. 

Dave Bittner: Wow. 

Ben Yelin: I think the reason Tim Cook and Apple are so invested in this is it could break the hegemony that Apple has on people using its app store. If people are able to download applications through a separate avenue outside of the Apple store, outside of the iOS system, then that's going to completely gut Apple's products. I mean, they make a living through this 30% commission that they take on any applications or in-app purchases. So this could be a major threat to Apple's business model. 

Dave Bittner: Yeah. 

Ben Yelin: So I think it's something that's just definitely worth following. 

Dave Bittner: It's interesting to me from a number of points of view. I mean, on the one hand, it seems to me like what Epic is coming after Apple about is the restriction on payment, that they have to pay this 30% to Apple. And Apple has made some adjustments, some would say, in reaction to this. There are some situations where you'll find yourself paying 15% instead of 30. But does it change anything if Apple were to say you still must go through the app store? In other words, we still have to run all of our tests on your app to make sure that it is safe and that it meets our standards. But if you want to do a side payment kind of thing, that's OK. 

Ben Yelin: Yeah, I think it would make a huge difference. I mean, I think the payment portion is the largest element of this case. And you can see that because there aren't causes of action as it relates to traditional computers. So this article notes that on any personal computer - Windows, Mac, et cetera - there are lots of ways you can download software. And the makers of the software can sell it to you through a bunch of different payment systems. They can use PayPal. They can use, you know, Bitcoin - whatever. 

Ben Yelin: So it is really the payment system here that is the main restriction. It creates this unnecessary, in the views of Epic, gating mechanism preventing the app market from properly flourishing, which is the point of having antitrust laws - is, you know, you potentially are going to stifle innovation in the sphere because people might realize it's not worth developing our own product if we have to give 30% of what we earn to Apple and can't keep the fruits of our own labor and ingenuity. And that's really at the root of this case.

Dave Bittner: What about the consoles themselves, the game consoles? I mean, I'm thinking about if you look at the history of Nintendo, for example. You know, to put a game on the Nintendo platform, you had to give a cut to Nintendo. But also, you know, Nintendo had some exclusivity with - like, you can't play a Mario game on an Xbox. You know, it's only on Nintendo devices. And Nintendo also excluded certain types of games if they didn't feel like it met their sort of family-friendly type of environment that they wanted to establish with their platforms. 

Ben Yelin: Right. 

Dave Bittner: Is that a similar type of restriction? 

Ben Yelin: I think there are certainly some similarities, but I think the analogy falls apart because there's no equivalent to the iOS store. I mean, I'm trying to think of how that would have worked in a pre-digital world. 

Dave Bittner: Right, with cartridges and - yeah. 

Ben Yelin: Yeah. But I don't know if you remember FuncoLand, which was a precursor to GameStop, which was the brick and mortar store where you... 

Dave Bittner: Yep. 

Ben Yelin: ...Bought video games back in the day. 

Dave Bittner: Sure, sure. 

Ben Yelin: I mean, imagine if, you know, in order to purchase Super Mario Bros., you had to go into that store, and it was sold exclusively at this store. And the only way it would be sold would be giving a 30% cut to FuncoLand. And if you wanted to make, you know, any additional purchases, you also could only go through this store, and selling it through any other mechanism would be illegal. And if they tried to sell it at a competing store or, you know, they tried to directly market it to consumers, then FuncoLand would remove it from the shelves of their physical store. I think that could have run into some significant antitrust violations. That's not what happened back in the day. 

Dave Bittner: Interesting. 

Ben Yelin: So I do think that that metaphor falls apart a little bit. 

Dave Bittner: Yeah - any guesses on how this might go? What are your thoughts? 

Ben Yelin: It's really tough to say. I mean, this seems to be a per se violation of our antitrust principles. These are two high-profile corporations, and they're going to hire the best attorneys. I don't actually know anything about the dispositions of this district court judge, although she did criticize Epic for some of its pre-case filings, you know, basically claiming that you're this multibillion dollar company that's claiming yourself to be a victim. So I don't know if that's a hint as to how she's going to rule. 

Ben Yelin: If I had to put my thumb on the scale, I think Apple might have a better case that you are able to play Fortnite on different devices - PCs, Macs, the Google Play store, consoles, et cetera, so it's not the only avenue to access Fortnite - and that there is this separation between the App Store and the iOS processing system. So you wouldn't run afoul of that rule I was referencing earlier where you can't tie the purchase of one thing to the purchase of another without violating our antitrust principles.

Ben Yelin: So I might put my thumb on the scale. What's notable here is there's not going to be a jury trial. So both of the parties agreed that the case will be heard in front of the judge, so it's really up to the judge's own discretion. And, you know, we don't know if this judge is a fan of Fortnite. Maybe she's a gamer herself and...

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: ...Would like to make some in-app purchases without giving a 30% cut to Apple. So... 

Dave Bittner: Yeah. Yeah. I mean, it's interesting because it really doesn't affect the consumer that much, you know. They're paying the same price for the game no matter what. It's how much flows back to the makers of Fortnite really. 

Ben Yelin: Yeah, it does. It's not going to affect the consumer in the short term except to say that if Apple loses this case, then Fortnite could return on iOS and would return on iOS, which would make, you know, a big difference to people who have iPhones. 

Dave Bittner: Yeah, yeah. All right. Yeah. Interesting case to follow for sure, and we will (laughter). 

Dave Bittner: Let's move on to my story this week. This comes from the folks over at NPR, and it's from Bobby Allyn. And it's titled "Snapchat Can Be Sued Over Role in Fatal Car Crash, Court Rules." Boy, this is an interesting story. So three young men who got in a car crash back in 2017, they were driving at high speeds down a long road, but they were sharing their journey on Snapchat. And evidently, Snapchat has a speed filter which is designed to highlight people doing things at high speeds. 

Ben Yelin: Yeah, I have never heard of this filter. Have you heard of this filter? 

Dave Bittner: Ben, I am not on Snapchat, so no (laughter). 

Ben Yelin: I have, yeah, but not a frequent user. But... 

Dave Bittner: Yeah, yeah. I have to claim ignorance here. But evidently, it is a filter, and it is a bit controversial for all the reasons you can imagine. I suppose it encourages people to do things at high speed. And that sort of is the meat of the case here. Turns out that these boys were doing 123 mph on a country road. They lost control of the car, hit a tree and tragically died. The parents sued Snapchat, saying that they had knowingly created a dangerous game through its filter and that they were encouraging people to act recklessly and went to a district court. The district court judge dismissed the case, as you would expect, under Section 230 of the Communications Decency Act. Right? 

Ben Yelin: Right. Don't sue the platform. 

Dave Bittner: No surprise there. 

Ben Yelin: We're the platform. Right. 

Dave Bittner: Right, right. The case went to appeal, and the appeals court reversed the ruling and is saying that they're going to go on with it. Judge Kim McLane said - I quote her here - "Snap indisputably designed Snapchat's reward system and speed filter and made those aspects of Snapchat available to users through the internet. This type of claim rests on the premise that manufacturers have a duty to exercise due care in supplying products that do not present unreasonable risk of injury or harm to the public." 

Dave Bittner: So this is fascinating because of how it comes up against Section 230. What do you think about this, Ben? 

Ben Yelin: So I think it's important for us to separate the actual case here, which in my opinion is pretty meritless and is still likely to fail, versus what this narrow decision about Section 230 could mean for tech platforms. So, as we know, Section 230, the Communications Decency Act, shields platforms from lawsuits based on any content that's posted on their platform, whether that's libel, defamation, any other civil suit for what people post on these sites. What the judge here is saying is that this is an improper invocation of that shield because this is actually a products liability case. It's not a lawsuit based on the content that was posted on this platform; it's about the platform itself and how that platform creates a substantial danger for the people using it. 

Ben Yelin: So the argument of these parents is that the app developer knowingly created a product that was likely to lead to dangerous behavior. You're encouraging children, by the use of the speed filter, to drive your car at inordinate speeds. Products liability is an area of the law where there is strict liability for manufacturers. They are held strictly liable even if they haven't been negligent in any way for the foreseeable consequences of the defects in their product. And that applies to online platforms. There's no shield the way there is in Section 230. 

Ben Yelin: Now, do I think that these plaintiffs are going to prevail on the merits of this products liability claim? I would be very, very surprised. I mean, it seems like a very specious argument. There are a lot of people who have used the speed filter who are not driving 123 mph. The appeals court here basically said we're not going to weigh in on the question of causality. That's up to the district court. They're only weighing in on this Section 230 question. 

Ben Yelin: It's important to separate the facts of this particular case with what this means for Section 230 generally. I mean, I think the lesson broadly on Section 230 is if it is a potential defect in the product itself - if it is something inherent in the platform that is causing a danger that would give rise to legal liability, then that liability shield in the Communications Decency Act in Section 230 is not applicable and a case can proceed. 

Dave Bittner: Right. 

Ben Yelin: And that can potentially have consequences because that's removing the designation of companies like Snapchat as a simple platform and rather somebody who has created a product that people are using and potentially are using in an unsafe manner. 

Dave Bittner: It's only about Section 230 in that it sort of carves out what Section 230 does and does not cover. 

Ben Yelin: Right. So it covers - you are shielded from liability from what others decide to post on your platform. So if you are simply acting as a platform, a place for people to post potential libel or any other posts that lead to criminal activity or activity that leads to civil liability, then you are shielded from liability under the plain reading of Section 230. But if it is a design in the product itself, if there is something faulty about the application and that's what led to the alleged harm, then Section 230 does not apply. So that, if it's upheld, would be a really interesting new line of reasoning. And we get a lot more cases where people would say, we're not suing Twitter, we're not suing Facebook based on the content of what's been posted on their platform; we're suing them because there's some sort of defect in how the platform works. So I could see it being applied to, say, the use of algorithms that lead to extremist violence, for example. You know, maybe that's inherent to how the product was developed. It doesn't have to do with the specific content posted by the user. And that could have long lasting consequences beyond whether this family in this case gets relief. 

Dave Bittner: Yeah. What are the odds of this heading up to the Supreme Court? 

Ben Yelin: I think it's still too early to say. This is just one appeals court. This reasoning has not - there was a pretty similar case in the 2nd Circuit where this reasoning was not applied and a company was able to keep its Section 230 shield. If we continue to see that as a circuit split, that is something that could reach the Supreme Court. I don't think this case would be the vehicle for it because, you know, you have to have an active case and controversy. And you have to have a well-pleaded complaint, meaning you have to actually allege some sort of legal wrongdoing that was caused by the defendant. And I have a feeling this case might be tossed out at the district court level because their claims are so meritless on that causality question. I could be wrong, but that's just my instinct. So you'd have to find another case where it could actually make its way through the court system because there was a live case and controversy and not kind of a more - I don't want to say frivolous claim, but a - more of a reach of a legal claim, shall we say. 

Dave Bittner: All right. Well, interesting case for sure. We'll see how that plays out. Ben, it is time to move on to our Listener on the Line. 

(SOUNDBITE OF PHONE DIALING, RINGING) 

Dave Bittner: Our Listener on the Line this week, it's from someone named Kevin (ph) who writes in, and he says, Dear Ben and Dave, I was discussing with some friends in the legal cybersecurity field the law around breaches and encrypted data. Specifically, we discussed, how would the definition of a breach, reporting requirements and other actions that may be required following a breach be affected if the data were encrypted? The question - if data which is encrypted at rest is stolen, would that exempt the victim from reporting the breach? Indeed, would it even be considered a breach? This would assume that the keys are still safe. I looked up some information on Florida law as pertains to breaches and found the information below. Your help is greatly appreciated. And Kevin kindly helped us do a little bit of our own homework by sending (laughter) some legal stuff from Florida. 

Dave Bittner: What do you make of this, Ben? Does the data being encrypted matter? 

Ben Yelin: It absolutely does. And this is a great question, Kevin. So I know this is a total lawyer cop-out. There are 50 separate state statutes on this question related to both liability for data breaches and data breach notification. But in the vast majority of states, there's a safe harbor for encrypted data. And you can understand the purpose for that. We don't want to subject companies to lawsuits if they've taken their due care in encrypting their data and keeping their data safe. So if the data was properly encrypted prior to the alleged breach, that, in some cases, does not even count as a breach, as Kevin helpfully notes here. 

Ben Yelin: And in some states, it might count as a breach; it would still shield the company from liability due to this encryption safe harbor. I know, for example, Maryland has a safe harbor for encryption, so you can't be held liable if you've properly encrypted your data. I think it's just a really proper incentive structure to get companies to encrypt their data. That way, you know, if you are one of the hundreds of thousands of companies that suffer some sort of data breach, then you could shield yourself from liability if you are taking proper precautions. So it's not true in every single state, but it is true in most states that there is this safe harbor. But that's a great question. 

Dave Bittner: That is interesting. It also reminds me that we've seen cases of reports of nation-states vacuuming up data that is encrypted, knowing that they can't do anything with it now. But, for example, in the future, say, if we start having quantum computers come online that are able to crack some of this encryption, well, they've already got that stuff in storage, just waiting to be decrypted. 

Ben Yelin: Yeah. I mean, I feel like state laws have not caught up with that possibility. But at this point, that's a possibility that's out there in the future and not something that's a live controversy. 

Dave Bittner: Right. 

Ben Yelin: So I think, you know, we're a long way from the law taking that under consideration. And, you know, if we were to react to that and removed that safe harbor, there would be less of an incentive for companies to encrypt their data. And that's the opposite of what we want. I mean, whether we develop quantum computing that can break encryption in the future or not, it's still advantageous for companies now, for anybody, to properly encrypt their data so that it's protected. It's always better to do that than to not do that. So - and I think the law reflects that wisely. I mean, I think it's wise that we have these safe harbor provisions. Yeah.

Dave Bittner: All right. Well, our thanks to Kevin for sending in that question. It was a good one. We'd love to hear from you. You can call in and leave us a message at 410-618-3720, or you can email us to caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Caitlin Fennessy. She is from the International Association of Privacy Professionals. And we discussed the shift in the privacy sector under the Biden administration. Here's my conversation with Caitlin Fennessy. 

Dave Bittner: Can we start off with just some definitions in terms of, what exactly is privacy as you define it? And then how does it differ from security? 

Caitlin Fennessy: Oh, what a great question. So privacy, as it has come to be considered, is often looked at in light of data protection requirements around the world. So privacy is in common parlance in the U.S., but in much of the rest of the world, we talk about data protection. And so it's basically how companies approach data management, protect the data not so much from outside security threats, although security is an important and vital component of privacy, but in terms of ensuring that data is used in ways that individuals would expect, given the context of the interaction. So I think that piece around expectations and protecting and using and sharing data in line with expectations is at the heart of privacy and data protection.

Dave Bittner: Can you give us a little bit of the history, a little of the back story from a policy point of view of how we got to where we find ourselves today? 

Caitlin Fennessy: Privacy and data protection very much grew up alongside the growth of the worldwide web and the internet. So back in the early days when the Fair Information Practice Principles were being developed in the late '70s, certainly, the internet did not exist as we know it today. And yet the core information practice principles around transparency and consent and data minimization and the like have really stood the test of time and integrated kind of expanded and made to work alongside the internet in the way data is much more ubiquitous and really at the core of the commercial structure of the Internet today. But I think a lot of thinking is really going on around these issues today, more and more so every day as a result of the fact that data has become so integral not only to the way the internet functions but the way commercial advertising works on the internet and how data is being used to provide all types of government functions. And, obviously, that comes into play with the pandemic today. So we're seeing countries around the world both adopt and update their privacy and data protection laws to meet these new challenges around data much more broadly than we thought about it in the past. 

Dave Bittner: Yeah, I think a fascinating aspect of this that I know you've done quite a bit of work on is this notion of data going across borders and how different nations may treat privacy in different ways. They have their own cultural norms. Can you give us a little bit of the story there? I mean, how do countries go about, you know, managing the flow of data in and out, you know, beyond their borders in this sort of, you know, global internet? 

Caitlin Fennessy: I think there really has been some cultural divergences around this issue. The focus in some of the challenges around global data flows, I think, go back to the way the issue was first addressed under the EU Data Protection Directive of 1995. And the EU adopted an approach to data flows that was more restrictive than we had seen elsewhere. And they basically said data can't flow unless - and then they proceeded to explain the situations in which it could flow. And the EU basically brought us the concept of the adequacy model and the idea of saying this country and this country and this country are OK. Data can go to these countries or jurisdictions. Or you can put in place these standard contractual clauses, protections basically designed to ensure that the protections from one jurisdiction could and would flow to another. I think some of the challenges around this issue, though, have stemmed from the fact that this model was developed during a period where companies really did send data from point A to point B in discrete transfers using mediums as old-fashioned as floppy disks.

Caitlin Fennessy: And today, we have a universe on the internet where data is kind of constantly moving and accessible globally in a different way. So this approach to data transfers where we think about it as point-to-point transfers has proven a bit more challenging, including as countries around the world put in place their own data flow regimes. And I think there is a lot of fear that it is moving us closer to a realm of data localization and may need some adaptation to the extraterritorial application of these laws, as well. Since so many of these laws apply globally when data falls within their jurisdiction, a continued focus on these point-to-point transfers, you know, may need some evolution. And I think this is the landscape in particular that negotiators in the U.S. and the EU and the U.K., as well, are really grappling with as they try to put protections around the data so that data can move in support of global commerce and in a way that aligns a little bit better with the way the Internet functions today. 

Dave Bittner: What do nations have at their disposal in terms of enforcement? Are they trying to use, you know, old laws, old treaties and so forth to meet, you know, current realities? 

Caitlin Fennessy: I think that it varies a lot country to country. The major players in this sphere, I'd say, if you consider U.S. Federal Trade Commission, the European Union with its data protection authorities across the 27 member states in the European Data Protection Board, the U.K., they all have very strong and effective regulators, I'd say, that can and have proven their ability to take enforcement actions, including across borders, to have companies pay attention and work to comply with the guidance that they are putting out there, even when those companies don't have, you know, a local nexus on their shores. Companies have accepted that extraterritorial jurisdiction. And I think a lot of these mechanisms where they try to bind companies to a set of protections using something like contracts and the like are perhaps a little less necessary when regulators do have effective means to enforce across borders. Now, regulators that have perhaps less weight on the global playing field may face more challenges in that regard. So that's why I say I do think enforcement is at the heart of this issue. 

Dave Bittner: And in terms of what we're seeing from the Biden administration, you know, still in their early days, what are you seeing in terms of their approach to these issues? 

Caitlin Fennessy: I would say that the Biden administration came in day one and made very clear that these issues writ large would be a priority for the administration. They appointed the lead negotiator for Privacy Shield, Christopher Hoff, as the deputy assistant secretary for services at the Department of Commerce on day one of the administration, making very clear that they cared about the negotiations. They recognized the importance of these issues and are committed to progress. And we saw a couple other key appointments there. Secretary Raimondo in her confirmation hearings in the U.S. Senate was asked several times about the Privacy Shield negotiations and made clear that they were a priority for her. Just three weeks into her tenure at Commerce, they issued a joint press release with the European Commission indicating that they were intensifying negotiations and actually even point in a broader way to another appointment. Quentin Palfrey is currently the acting general counsel at Commerce, and he was involved in some of the work under the Obama-Biden administration to put forward a privacy blueprint for the U.S. And he comes with an extensive privacy background and now is in a position from the Department of Commerce where he is likely to be involved in any broader focus that this administration brings to these issues. So a lot of privacy professionals and seasoned experts at the heart of the administration - obviously not just at Commerce, I'd say - across the administration. 

Dave Bittner: I have just sort of an anecdotal sense from, you know, my friends, my family, my colleagues and co-workers that there's a feeling of exasperation when it comes to our privacy online and, indeed, sometimes even a sense of resignation. Like, there's not a whole lot we can do to control how we're being tracked from site to site and so on and so forth. And yet, you know, we're seeing more and more states are enacting legislation to try to get these things under control. Do you think that's what we're going to continue to see - is the state-by-state approach? What is your take on whether or not we may see something at the federal level? 

Caitlin Fennessy: Yeah. Well, I think we have seen, as you said, a lot of states jump into this game. The IAPP - we have a state comprehensive privacy legislation tracker, and it has just exploded this year. We are having to update it more than weekly as all these different states put forward legislation. And I definitely think that we're going to reach a tipping point here. Industry in the U.S. has made very clear their support of federal privacy legislation. And I think that's driven in no small measure by the action we're seeing at the state level. And I think we have California now. We have Virginia. When we see a couple more state laws get across the finish line, I think you will see industry demands for federal action ramp up to a much greater extent. They do not want a patchwork and divergent requirements across states. So I expect that will spur action. We've already seen a couple federal proposals already in 2021, so Congress is focused on these issues. 

Caitlin Fennessy: I'd actually also point to something that the FTC just recently announced, pointing to federal action here, perhaps, even without legislation. Acting FTC Chair Slaughter announced a new centralized rulemaking group and specifically called out that they plan to use their rulemaking authority to address novel harms of the digital economy. So there may be some action in this realm that the FTC can or even plans to take absent legislation. So it will be interesting to see what comes to pass in that regard. 

Dave Bittner: In your estimation, what does a healthy equilibrium look like? What would - you know, a system that was functioning in balance, what sort of things would we see there? 

Caitlin Fennessy: Can you clarify that question a bit? 

Dave Bittner: Well, I guess what I'm thinking is that, you know, certainly is, as I mentioned earlier, I think a lot of folks on the consumer side certainly feel as though things are a little out of whack. For example, you know, we find these ads following us around the internet, you know, things like that. And day after day, we hear of, you know, data breaches, but also apps that are seemingly benign that are vacuuming up all of our information, our locations and so on. You know, we see companies like Apple who have said that they're going to be pushing back on this with some upcoming releases of just - even just trying to make people more aware of the types of things that these apps are doing. Is that the direction that you feel like things are headed? Are we going to see more buy-in from consumers? Are we going to have more control over what we allow to be tracked? 

Caitlin Fennessy: I think that as consumers, as individuals pay more attention to these issues and raise their hands and wave their hands and say, hey, this is not what we want, you will see increased policy attention to these issues. And just over this past weekend, we actually saw Secretary Clinton jump in on this and tweet her support for an ongoing campaign to ban surveillance advertising. And so this issue is getting much higher-level attention than in the past. I think it's something the FTC is - called out, will be on their agenda and certainly something policymakers on the Hill are increasingly focused on. 

Caitlin Fennessy: In terms of what an equilibrium looks like, I come back to that issue of context and expectations and how can folks craft a policy proposal ideally, I'd say, at the federal level? So there is a consistency in terms of understanding what the protections are and, ideally, those protections being aligned with the expectations of the individual in the context in which they're engaging with either commercial actors or the public sector as well. You know, will their data be handled in the way they expect it? And when it's not, do they have faith in the guardrails of this system that there will be repercussions, there will be penalties and enforcement to hold folks to the standards that have been set? 

Dave Bittner: Ben, what do you think? 

Ben Yelin: It's a really good interview. You know, you've asked probably 30 or so percent of the guests on our show to differentiate between privacy and security. I'm always interested how our guests are going to answer. I thought her answer was very compelling. It was just a very clear delineation and definition. So I think that got the interview off to a good start. 

Ben Yelin: In terms of what she talked about with the current administration, I think there are a lot of promising signs that they are taking privacy seriously, that they are working closely with our European allies on protecting the Privacy Shield. It seems like this was an issue brought up in the hearing for the commerce secretary, Gina Raimondo, and that the Biden administration is picking individuals for key positions who have experience in this area. And that's a good early signal that they're taking this problem seriously. Now, we're only three months into the new administration, so - three or four months - so it's hard to really say anything definitively. But I certainly think it's a good sign. 

Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Caitlin Fennessy. Again, she's from the International Association of Privacy Professionals. We do appreciate her taking the time to share her opinions with us. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.