
Crowdsourced private surveillance.

Dave shares a candidate's plan to make personal data private property. Ben describes a system of crowdsourced private surveillance. The listener on the line has a question about expectations of privacy in places like shopping malls. Our guest is Kim Phan from the law firm Ballard Spahr, here to discuss new privacy legislation going into effect in Nevada.

Transcript

Dave Bittner: [00:00:05] Hello, and welcome to Caveat, the CyberWire's Law and Policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland's Center for Health and Homeland Security. Hi Ben.

Ben Yelin: [00:00:17] How you doin', Dave?

Dave Bittner: [00:00:18] We've got some good headlines to share. And later in the show, we've got my interview with Kim Phan. She's a data security lawyer who'll be discussing the effects of Nevada's new cybersecurity legislation that recently went into effect. I want to remind you that while this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we covered, please contact your attorney. We've got a lot to share this week. But first, a word from our sponsors, KnowBe4.

Dave Bittner: [00:00:50] And now a few thoughts from our sponsors at KnowBe4. What do you do with risk? We hear that you can basically do three things: you can accept it, you can transfer it, or you can reduce it. And of course, you might wind up doing some mix of the three. But consider – risk comes in many forms and it comes from many places, including places you don't necessarily control. Many an organization has been clobbered by something they wish they'd seen coming. So what can you do to see it coming? Later in the show, we'll hear some of KnowBe4's ideas on seeing into third-party risk.

Dave Bittner: [00:01:29] And we are back. Ben, I'm going to kick things off for us this week. Interesting story came by – this was on Forbes, written by Marty Swant – and the article is, "Andrew Yang Proposes Digital Data Should be Treated Like a Property Right." Of course, Andrew Yang is a presidential hopeful, one of the many Democratic contestants, and he released a policy proposal outlining how data should be collected, basically saying that our data should be ours. It sounds a lot like GDPR with a right to have things deleted, right for notification. What's your take on this?

Ben Yelin: [00:02:08] Although I'm not a member of the official online Yang Gang...

Dave Bittner: [00:02:12] (Laughs)

Ben Yelin: [00:02:11] ...I think this is a really interesting and potentially promising policy proposal. My first reaction is making data a property right conforms with a lot of constitutional scholars, including, most notably, Justice Neil Gorsuch, who has talked extensively about looking to positive physical property-based law as a framework to consider data privacy. And I think this proposal is an extension of that.

Dave Bittner: [00:02:42] Well, let's back up a little bit, and can you just describe to us – what does it mean when something is considered physical property?

Ben Yelin: [00:02:49] So, physical property comes with a bunch of rights. One of them is somebody can't trespass on your property. 

Dave Bittner: [00:02:54] Hmm.

Ben Yelin: [00:02:54] You know, you have something like bailment where if I give the valet my keys, yes, he holds those keys, but it's not his. He can't go out and give them to somebody else. I'm entrusting him with those keys. They're still technically my property, but I've entrusted them to somebody else.

Dave Bittner: [00:03:13] Oh, interesting.

Ben Yelin: [00:03:13] And then, you know, other things that come with property rights are obviously the monetary value. That's why we own physical property in the first place. We have the right to buy and sell that property. We have the right to gift that property to somebody else if we so choose. And so those are the basic rights that come with owning physical property, and I think they can be reasonably extended to the concept of data privacy. And I think that's what Andrew Yang is trying to do with this proposal.

Dave Bittner: [00:03:44] Mm-hmm. Are there practical implications? What's the other side of this?

Ben Yelin: [00:03:49] I would say, first of all, that the tech companies would probably be more encouraged by a proposal like this, simply because it's coming at the national level. They're very wary about states going in and passing their own data privacy legislation, because from a compliance standpoint, it's very difficult to comply with fifty separate state statutes on data privacy. So, having a national proposal would be, from the tech companies, a good start.

Ben Yelin: [00:04:17] Of course, they derive a lot of value from the personal information that we share online. They frequently sell it to advertisers. The government, in some circumstances, can have access to that information for intelligence or law enforcement purposes. From the tech companies' perspective, this would be a major financial hit on them. The personal information that we voluntarily convey to these websites is one of the ways that these companies make money. So if we were to enact robust privacy rights and these companies no longer had the right or ability, according to Federal law, to sell our data, to collect data on us and give it to advertisers, political campaigns, whomever sees value in that personal data – that's a lot of revenue lost.

Ben Yelin: [00:05:06] And eventually that revenue – the revenue loss is going to filter down to the rest of us who aren't tech companies. You know, why are most websites free for me to look at? Well, there's advertising based on what Google collects about my search history.

Dave Bittner: [00:05:21] Right, right.

Ben Yelin: [00:05:21] And, you know, that's how I'm able to read an article on BuzzFeed, because they pay the bills by having access to my personal data. So that's sort of the other side of this.

Dave Bittner: [00:05:34] Now, how much influence does something like this actually have? We've got – this is a presidential hopeful. He's not a front runner. So, at most, this contributes to a greater conversation from their side of the aisle when it comes to these issues?

Ben Yelin: [00:05:52] Yeah, I think it's the start of a conversation, and it's sort of – you talk about the Overton window, so that's like the range of ideas that are in public consideration. I think the Overton window, to this point, has not really thought of data in the same terms as other tangible property. You know, part of it is that, with our every activity, we are forced to voluntarily share this information with these third parties, these data companies. So, you know, in that sense, it's always sort of been thought of as separate and distinct from your common law property. So, even putting out this proposal gets people to think about what the implications would be of giving people personal privacy in the data that they're submitting to these companies.

Dave Bittner: [00:06:39] Now, how bipartisan are these sorts of movements? Is there momentum from both sides that privacy is something that's going to have to be addressed?

Ben Yelin: [00:06:47] This is one of those horseshoe issues where you sort of see agreement from the poles of each political party. I think some of the stronger libertarian elements in the Republican Party, most notably – and he has since left the Republican Party – but Representative Justin Amash has been a major advocate of data privacy, longtime opponent of surveillance.

Ben Yelin: [00:07:10] Generally, it's a view more traditionally espoused by Democrats, but frankly, it's also a view that's going to be affected by one's own constituency. A representative from somewhere like Silicon Valley, or anywhere else where some of these companies have a large political presence, then you're gonna be reticent to do away with that potential revenue stream. So I think there's the potential for something like this to be bipartisan.

Ben Yelin: [00:07:37] I think there's sort of a – almost like a centrist tendency to be deferential to the tech companies. We want to maintain a good relationship with them, partially because they help us in terms of law enforcement, intelligence gathering. We want to see them as our partners and not our adversaries. So I think that's why you haven't seen a lot of proposals like this. Although I will say something you saw in this article is that Amy Klobuchar, another Democratic candidate for president, proposed something somewhat similar, although not as strong as this Andrew Yang proposal. So it's getting out there, which is I think a step in the right direction.

Dave Bittner: [00:08:16] All right. Well, that's my story this week. What do you have to share with us?

Ben Yelin: [00:08:20] So this was a really interesting one, a couple weeks ago, came through Motherboard by Vice – I know we've talked about a lot of their articles since we've been doing podcast segments – and this is about a company that built a giant private surveillance network that's largely run by repo men. So this is called a "digital recognition network." It's not run by the government, although law enforcement, if they can get some sort of administrative subpoena, could potentially have access to it. 

Ben Yelin: [00:08:50] Hmm.

Ben Yelin: [00:08:49] But really, it's a private surveillance system, and it's crowdsourced. So, all across the country, when people are driving on the street, there is a database of cars that have been tagged to be repossessed. If you work in that industry, it's often sort of a cat-and-mouse game to find these vehicles. If you have a network, which is what this digital recognition network is, all the other repo men in other private agencies across the country are constantly taking pictures of the vehicles that they see and are uploading the license plates into this giant database. You know, if you put in a license plate that you're looking for and it's been tagged, you'll be able to geolocate exactly where that car has been. And it'll help you as a company in your efforts for repossession.

Ben Yelin: [00:09:42] And this is a nationwide surveillance database. It can track cars over long periods. So, for example, if you entered this license plate into the database, you could see its various locations over the past several months. You could map out a person's private interactions, you know...

Dave Bittner: [00:10:02] Probably figure out where I live...

Ben Yelin: [00:10:03] Exactly.

Dave Bittner: [00:10:04] ...Maybe also where I go to the doctor, where I shop, what stores I visit, where I like to stop on the way home from work to have a beer.

Ben Yelin: [00:10:12] Exactly. What I think is even more troubling about this is they're not just taking pictures of license plates if they are suspecting those cars of being under the threat of repossession – they're actually taking a picture of pretty much every license plate they come across. So when a truck's driving across an interstate, it has a camera attached that's constantly reading license plates and uploading them into the database. They've claimed to have more than nine billion license plate scans...

Dave Bittner: [00:10:40] Which is more than there are people on the planet...

Ben Yelin: [00:10:41] More than people, yeah, on the planet. And, while this is only supposed to be available for the agencies that would use it, the company has admitted that people who were not supposed to have access to that database have been able to access it. And once you do access it, you obviously have a wealth of information at your disposal. I have thought about surveillance of spurned lovers that could be used through this database.

Dave Bittner: [00:11:11] Well, I can imagine calling up my local repo man and greasing his palms a little bit and saying, where's my ex-girlfriend or boyfriend been in the past couple weeks?

Ben Yelin: [00:11:20] Absolutely. And go check this database, I know it's in there, they've been taking pictures of all these cars.

Dave Bittner: [00:11:27] Now, I could see there also being a good side to this – sort of the Amber Alert side of the coin, where if someone had kidnapped someone, say, for example, that you could use this to cast a net to try to save someone.

Ben Yelin: [00:11:44] Absolutely. So, there are always beneficial uses to any mass surveillance system, and that's certainly one of them. From the perspective of the companies that do repo work, this is an invaluable tool. I mean, prior to this type of technology existing, it would require massive financial resources, human intelligence, private investigators, to try and find some of these difficult-to-find vehicles. And now it's available at your fingertips for relatively low cost. They only charge – you have to be a member, but they only charge twenty dollars to look up a license plate and seventy dollars for a live alert. The live alert would mean that, you know, so I put my license plate – I put a license plate number in, I would get pinged on my phone or my device every time that license plate was read. So you can imagine somebody trying to hightail it to a different state. I can say, all right, they're in West Virginia now, they're in Pennsylvania, and I get that alert...

Dave Bittner: [00:12:42] Right. Right.

Ben Yelin: [00:12:42] ...Every single time it comes on my phone.

Dave Bittner: [00:12:44] So, let me unpack this a little bit and take it to the absurd example that might help provide a little clarity, hopefully. I can imagine if I were walking around my local shopping mall parking lot with my camera and I was standing behind every car in the parking lot, just going from car to car, taking a picture of every license plate – I take a picture, move on, take a picture, move on – I might attract attention.

Ben Yelin: [00:13:10] Absolutely.

Dave Bittner: [00:13:11] Someone might call the police. 

Ben Yelin: [00:13:12] Yeah, they probably should.

Dave Bittner: [00:13:12] They may come and have a conversation with me about what I'm up to.

Ben Yelin: [00:13:16] That's pretty suspicious. Yeah, I'd go up to you.

Dave Bittner: [00:13:19] (Laughs) But if I were driving around with one of these cameras mounted to the trunk of my car, no problem.

Ben Yelin: [00:13:29] Yeah, it seems relatively innocuous. I would have never known that this system existed until I saw this article. I think that's true for most people. So it's not like everybody's aware generally that, you know, there are trucks going around reading your license plate and putting them into a giant database. 

Dave Bittner: [00:13:47] Mm-hmm.

Ben Yelin: [00:13:46] And it's just so effortless.

Dave Bittner: [00:13:50] And what's to keep me from having one of these cameras at the end of my driveway and logging every car that drives by the street in front of my house? No issue there, right? No legal issue?

Ben Yelin: [00:14:00] There would be no legal issue there. So, of course, you have to pay to be a part of the network.

Dave Bittner: [00:14:03] Right.

Ben Yelin: [00:14:03] If you're willing to pay that cost – I think they put it at something like $15,000, you know, which is relatively large for an individual, but relatively small for a company that does repo work... 

Dave Bittner: [00:14:14] Right.

Ben Yelin: [00:14:14] ...Or, say, an insurance company. I mean, they mention here insurance companies always want to know if cars actually drive the majority of the time in different states. So, sometimes it's cheaper to insure your car in, say, Maryland than it would be to insure it in Virginia.

Dave Bittner: [00:14:31] Oh, right, right.

Ben Yelin: [00:14:31] So you can be living in Virginia permanently, but you'd have your car insured in Maryland. So there's – you could see how this would be useful for those companies so they can buy access to this database and can do queries and targeting.

Dave Bittner: [00:14:44] But the big picture here, the big issue here, I suppose, is that you really aren't entitled to any privacy in terms of your license plate number when you're out and about driving your car publicly, right?

Ben Yelin: [00:14:58] No, and this would concern me from a law enforcement perspective too. My read of the law is that the government would not need a traditional warrant to get access to this information, although I think that is under considerable question after the Carpenter v. United States case. The reason I don't think they would need a warrant is the plain view doctrine. You're going out in public, your license plate is there for the world to see. Anybody passing by could potentially take a picture. And I think this is emblematic of why the plain view doctrine sort of has to be reconsidered in a world where it's not one guy out there taking a picture. It's this massive system that is capable of taking license plate information from nine billion cars. 

Dave Bittner: [00:15:44] Mm-hmm.

Ben Yelin: [00:15:44] When technology has changed to that extent, I think the law has to change as well. Our legal doctrines have to change to ensure the same level of legal protection that existed before this technology was created. And this is sort of what scholars refer to as the equilibrium-adjustment theory of the Fourth Amendment. And I think that's true here. You know, I think we're gonna have to come up with a new theory for going out in public, a new theory for this plain view doctrine that accounts for these types of systems where, relatively effortlessly, people are collecting what could be very personal data about us. You know, most of us would not want the government nor would we want a private company to know everywhere we've been in a given period of time. So, it's personal, it's private, and it's incredibly comprehensive.

Dave Bittner: [00:16:38] All right, well, it's an interesting story for sure. It is time for us to move on to our Listener on the Line.

Dave Bittner: [00:16:48] Our listener this week is named Hannah. She calls in with a question about privacy and what really constitutes a public or a private space. Let's have a listen.

Hannah: [00:16:59] Hi, my name is Hannah from Grosse Pointe, Michigan. What is the expectation of privacy in a quasi-public place, like a stadium or a mall? You're on private property, but it's sort of a public place. Can they take pictures of me and use it without permission? Can you hold a protest at a place like that without permission? Thanks very much.

Dave Bittner: [00:17:24] Ben, what do you think?

Ben Yelin: [00:17:25] So, very good question. Basically, the accepted legal definition for a Fourth Amendment search is if somebody has a subjective expectation of privacy and if that expectation is one that as a society we're willing to recognize as reasonable. Where I think the hypothetical of a stadium and a mall would potentially fail is on that first prong of the test, which is a subjective expectation of privacy. You are not doing anything to conceal yourself, as opposed to the seminal case on this issue, where a person went to a phone booth, closed the phone booth, and presumably had a private conversation, you're not taking any overt action to protect yourself from being seen in public. And as a result, you really do have a diminished expectation of privacy.

Ben Yelin: [00:18:13] And I think in terms of the second prong of the test, it's not reasonable to expect that anything you do in a stadium with sixty thousand people, or at an Orioles game, four thousand people... 

Dave Bittner: [00:18:23] (Laughs)

Ben Yelin: [00:18:23] ...Is going to merit some constitutional protection. You have to take some sort of action to conceal yourself or your information in order for your privacy rights to really be activated. And I think, you know, that's something that people might not get instinctively. This might be private property, but you are forfeiting your expectation of privacy from going into an area in which you can be seen.

Dave Bittner: [00:18:53] What about the other side of it, the notion of these spaces as being kind of public squares of being – these are places where we gather, so I could imagine some people saying, hey, we want to protest something going on in our community. Let's all meet at the local mall and we'll hold our protest there.

Ben Yelin: [00:19:11] Generally, private organizations have the right to restrict even free speech on their property. The Supreme Court over the years has come up with some exceptions to that if it is an accepted public venue. And you've actually seen that transfer into the digital space. There was this case as to whether President Trump actually had the ability to block people on Twitter.

Dave Bittner: [00:19:34] Oh, right.

Ben Yelin: [00:19:34] Twitter is a private company. Theoretically, Trump, as a private user, could block anybody he wants – it wouldn't be a First Amendment violation. But the consideration in that case is that Twitter has become a public space. That's where he announces policy proposals. That's where he makes some of his crucial presidential appointments. 

Dave Bittner: [00:19:57] Right.

Ben Yelin: [00:19:56] So, because it's become a quasi-public space, there's been an increased recognition on the part of courts to grant First Amendment free speech rights in those places. So it's not like you could have a, you know, a protest at your personal enemy's house at three in the morning. I think we'd all agree that we can have time, place, and manner restrictions on that. 

Dave Bittner: [00:20:20] Right, my neighbor's driveway in the middle of the night. That would be out of bounds.

Ben Yelin: [00:20:23] It would be out of bounds. 

Dave Bittner: [00:20:24] Yeah. (Laughs)

Ben Yelin: [00:20:25] You know, sometimes when my neighbor's dog is barking, I've wanted to do that. 

Dave Bittner: [00:20:28] Right, right.

Ben Yelin: [00:20:28] But when you're talking about a place that is a traditional place of public gathering, courts have recognized the public significance of that space, and we've wanted to maintain free speech, free assembly rights, even though technically it is on private property.

Dave Bittner: [00:20:45] Hmm. So what's the bottom line there? If I want to have a protest at my local shopping mall parking lot, what – odds are they're going to allow me, or are they going to ask me to move on?

Ben Yelin: [00:20:59] They will probably ask you to move on, and they might seek to get you arrested for trespassing. If you are engaging in activity that's prohibited at that central area, you are technically trespassing and they could call the police to get you arrested. 

Dave Bittner: [00:21:15] Okay.

Ben Yelin: [00:21:14] Where you would get your relief is challenging the legal sufficiency of that arrest, which means, you know, if you want to go through that whole process to make a point about how the First Amendment should be recognized in quasi-public spaces, then by all means you should do it.

Dave Bittner: [00:21:31] Right. Chances are that wasn't what you were protesting to begin with (Laughs).

Ben Yelin: [00:21:34] Yeah. In the meantime, you might, you know, spend a night in jail. So, you know, if you're doing it for a larger purpose, more power to you. But, you know, it's a close enough question that I don't think that if police were called for somebody trespassing in public space, they would say, well, we have such significant First Amendment concerns based on antiquated Supreme Court case law that we're not going to remove this person from trespassing. So, you know, probably not a risk you want to take unless you're really willing to suffer the consequences.

Dave Bittner: [00:22:07] Yeah. Well, thanks to our listener, Hannah, for calling in. We would love to hear your question, and we've got a couple of ways you could submit it. We've got a phone number. It's (410) 618-3720. That's (410) 618-3720. Or you can send us an audio file at caveat@thecyberwire.com.

Dave Bittner: [00:22:30] Coming up next, we have my interview with Kim Phan. She is a data security lawyer, and we're gonna be discussing the effects of Nevada's new cybersecurity legislation that recently went into effect. But first, a word from our sponsors, KnowBe4.

Dave Bittner: [00:22:45] So let's return to our sponsor KnowBe4's question. How can you see risk coming, especially when that risk comes from third parties? After all, it's not your risk – until it is. Here's step one: know what those third parties are up to. KnowBe4 has a full GRC platform that helps you do just that. It's called KCM, and its vendor risk management module gives you the insight into your suppliers that you need to be able to assess and manage the risks they might carry with them into your organization. With KnowBe4's KCM, you can vet, manage, and monitor your third-party vendor's security risk requirements. You'll not only be able to pre-qualify the risk, you'll be able to keep track of that risk as your business relationship evolves. KnowBe4's standard templates are easy to use, and they give you a consistent, equitable way of understanding risk across your entire supply chain. And as always, you get this in an effectively automated platform that you'll see in a single pane of glass. You'll manage risk twice as fast at half the cost. Go to kb4.com/kcm and check out their innovative GRC platform. That's kb4.com/kcm. Check it out.

Dave Bittner: [00:24:04] And we are back. Ben, I recently had the pleasure of speaking with Kim Phan. She is a partner at the law firm of Ballard Spahr. Among her specialties are privacy and data security. Our conversation centered on the new privacy legislation that's going into effect in Nevada. Here's my conversation with Kim Phan.

Kim Phan: [00:24:24] You know, as a privacy and data security lawyer who's been working in this space for over a dozen years, it's really interesting that right now is basically a revolution in how privacy is addressed. You know, data security became a big thing a few years ago in the wake of some of those big breaches – you know, Target, Sony, some of the big name ones. But privacy really was kind of a sleeper issue until the GDPR, which went into effect last year. In the wake of GDPR, California rushed to get CCPA passed, and it'll go into effect on January 1st – that's the new California law.

Kim Phan: [00:25:02] There've been a ton of other states who have introduced various versions of a privacy statute in the absence of a comprehensive Federal privacy legislation. None of those have actually made it across the finish line except for Nevada. So, Washington had a bill, New Jersey had a bill, New York had a bill. And none of them were able to get all the way to the governor's desk.

Kim Phan: [00:25:27] And it is a very scaled-down version of what was done in California. So, it captures some of the concepts, but really only focuses on very narrow aspects of it and implemented just the aspect with regard to online sales. It also provides for some pretty broad exclusions for regulated entities like financial institutions, health care providers, that kind of thing.

Kim Phan: [00:25:51] Folks interchangeably consider privacy and data security the same thing, but they're really two sides of the same coin. They have to do with information, but, you know, security's how you protect the information, privacy is what you're doing with the information. And this addresses that aspect of it – the privacy aspect. It is very similar in the same vein as GDPR and CCPA, but I can understand why it's not getting as much press, because it's actually a pretty reasonable law. It's very tailored to a very specific issue, which is the online sale of data. It has some reasonable exemptions for certain types of businesses. And it is also just very limited to Nevada residents. California's sort of getting a bigger splash, because most companies have a pretty big footprint in California, because of the size and nature of that market, and maybe just not as many folks are in Nevada and maybe not worried about this as much.

Dave Bittner: [00:26:44] So, can you take us through some of the details? What exactly are they covering?

Kim Phan: [00:26:48] So, it's very specific to operators of websites. So basically, any dot com, any dot org, any dot whatever else website that you might go to that is run by some sort of company for a commercial purpose, basically, if that company is collecting your data on their website and selling it for some sort of reason, you have the right, under this new Nevada statute, to ask them not to do that. And your request would have to be honored for all information they'd previously collected about you and any information they collect on you going forward.

Dave Bittner: [00:27:27] Now, is there anything in terms of requiring any sort of opt-in or opt-out defaults?

Kim Phan: [00:27:35] No, there's not. I mean, under California's statute, there is an opt-in regime that's set up certainly for minors, for individuals who are, you know, under a certain age bracket, which are considered more vulnerable, and so there is an opt-in requirement from their parent or guardian. Nevada doesn't set anything like that up, so there's no opt-out, opt-in sort of regime set up. Basically, there will be a process by which operators of websites have to give some sort of mechanism for consumers to submit their requests to not sell their information. It can be, you know, an email address. It can be a 1-800 toll-free number, or it can be, you know, a website link. There's a lot of flexibility in the statute for how companies want to set up how to receive these consumer requests, and then once they receive those requests, they just have to honor it going forward.

Dave Bittner: [00:28:29] Is there any sort of notification requirement? In other words, if a website is selling my information, do they have to notify me?

Kim Phan: [00:28:37] So, Nevada had a pre-existing statute with regard to online disclosures. You know, there's a few states that require that websites have to have online privacy policies. You've probably seen at the bottom of each website, there's usually a link to the privacy policy, to the terms of use for the website, other legal disclosures. There's actually a few states that specifically require that you have that privacy policy link down there. California's one, Nevada's one, Delaware is one. So there are some existing requirements already in place in Nevada that are not impacted by this, but are affected – you know, they're related in that the online privacy policy already has to disclose whether or not – what information is being collected, what the operator of the website's doing with that information, who they're sharing that information with. So there's already some pre-existing requirements that would let you know whether or not a particular website is engaged in that type of activity.

Dave Bittner: [00:29:36] Hmm. Now, you mentioned that there are some limitations here in terms of affecting only people in Nevada. Can you outline what's going on there?

Kim Phan: [00:29:45] Sure. I mean, obviously, websites can be visited by anyone all over the world, right? So if you set up a website, you could be based in Virginia, you could be based in Texas, you could be based in Michigan. And even though your website is for your company, that's based in some localized region, you know, someone in the Ukraine, someone in Australia could technically come to that website. It's really very Nevada-focused – just what is the impact of your website on Nevada residents?

Dave Bittner: [00:30:15] Well, suppose I'm someone like, for example, Amazon and I'm selling to folks who are in Nevada. Would this affect me?

Kim Phan: [00:30:22] Yes, it would. It depends on what Amazon's doing, right? So, I'd have to look again at Amazon's terms and what their privacy policy discloses, but if Amazon is taking information about, you know, my Prime membership, or if I'm ordering, you know, toilet paper or iced tea or clothes or whatever I'm ordering from Amazon, if they're taking that information and using personal information about me – my, you know, credit card that I used, the address that I shipped items to – if they're taking that information and then selling it on to other businesses that license or sell that information to other parties. You might have heard of these types of entities – they're called data brokers. 

Dave Bittner: [00:31:06] Mm-hmm.

Kim Phan: [00:31:05] So if Amazon's selling my information to these data brokers who are then going to sell it to who knows who else, right? Home Depot, Bed Bath & Beyond, you know, maybe they're selling my information to whoever else, right? If Amazon's engaged in activity and it impacts me and I'm a Nevada resident, which I'm not, but if I was, then this would apply. They would have to provide me with a mechanism for me to request that they not engage in those types of sales.

Dave Bittner: [00:31:34] Do you think that it's inevitable that we're going to end up with some sort of Federal action on this?

Kim Phan: [00:31:41] Oh, inevitable is far from the word I would use, I think. I think Federal legislation in this area is a slim to none possibility.

Dave Bittner: [00:31:53] Really?

Kim Phan: [00:31:54] Yeah. You know, I take a look at – you know, I've been working in this space for a long time, and you look at data breach legislation – you know, the basic concept that if a company has some sort of data breach, they have to notify the people who are impacted by that – there's fifty state laws now in effect, addressing that. There's also DC, Puerto Rico, the Virgin Islands, there's Guam. There's so many different disparate laws in place trying to address that one very discrete issue, and the Congress has never been able to get a single bill passed to address that, despite the patchwork of different requirements there are out there.

Kim Phan: [00:32:33] If the Congress can't get that very one narrow issue resolved in a manner that makes everyone happy, they're not gonna be able to pass comprehensive privacy legislation. It just seems insurmountable. I can see, you know, if you say the Democrats take the White House and they're able to flip the Senate and, you know, their power, you both the executive and legislative branch, they might be able to get data breach legislation passed, but even a broader privacy bill amongst the Democrats, I just see too much infighting to see that making its way all the way through.

Dave Bittner: [00:33:08] All right, Ben, what do you think about that?

Ben Yelin: [00:33:11] So, a very interesting discussion. I think Kim brought up a bunch of very interesting points. The thing that sticks out most to me is that the inability of Congress to get something done puts the onus on the states to create this legislation, which ends up being disadvantageous for companies, because as she talks about, you have to either tailor your policies to comply with the strictest privacy statute or you have to tailor your policies to apply to fifty different separate privacy regimes. And I get that a lot of tech companies probably do not want robust Federal privacy legislation. I can completely understand that impulse. But I think from a compliance perspective, it would be easier for them to have a Federal framework. And because, you know, we have a Congress that frankly doesn't have the ability to pass many large pieces of legislation in a given year, that really has devolved to the states. I think that's the result of institutional roadblocks and political polarization.

Dave Bittner: [00:34:18] I suppose it's a place where people could put pressure on their representatives that, hey, you know, we need some activity here because you're creating extra work for us by having us navigate fifty different policies here.

Ben Yelin: [00:34:34] Absolutely. I mean, it's sort of like a question of scale for these companies. I mean, do you want to have to hire a local Nevada lobbying shop to go in and lobby the Nevada state legislature before, you know, it goes to the next state? Then you're in Maryland and you have to lobby the Maryland legislators, whereas I think the Federal government could really preempt a lot of these state privacy statutes if they were to get involved.

Ben Yelin: [00:35:02] And just in terms of, like, how Congress could actually accomplish something like this. I bring up the CLOUD Act, which passed as part of a large appropriations bill, omnibus appropriations bill in the spring, which was attached as sort of a rider. And I kind of think, like, if you're gonna have strong data privacy legislation, it's hard for me to see that succeeding as a standalone bill. And I think Kim got to that point pretty well. But, you know, if it's something that the industry thinks would be advantageous, consumers think would be advantageous, you know, it's kind of something you might want to sneak into a larger piece of legislation at some point.

Dave Bittner: [00:35:47] I also think about that small mom-and-pop shop who's got their store in a strip mall somewhere selling, you know, dog food and dog/cat toys and collars and bones and things, and them having to navigate these sorts of things. You know, maybe I've got a little mail order business going in addition to my retail store. And now I've got to worry about who I'm selling to and where and what information I'm gathering. That could be a burden for a small business.

Ben Yelin: [00:36:17] Absolutely. And it actually ends up disadvantage - those types of regulations really do disadvantage small businesses, which in turn give an advantage to the companies that can afford to hire, you know, big compliance officers. Now, I don't think Kim got into any exemptions – and I haven't done the research myself – on, you know, what sized business is subject to these regulations. Anybody who can put up a public dot com, dot org website, you think about not mom-and-pop shops, but like UNLV, for example, they can hire – I'm sure they can hire compliance officers, but they're not a multinational company. I mean, they have finite resources.

Dave Bittner: [00:36:56] Right.

Ben Yelin: [00:36:57] So, you know, even though they might qualify as like a larger institution and be subject to this law, it still is gonna be a pretty large cost obligation. Yeah, I mean, I think that can be a real detriment to the companies. The reason I think states feel that they have an ability to do this is companies aren't going to give up on conducting online retail in the state of Nevada. I mean, you just can't lose all of those customers. 

Dave Bittner: [00:37:24] Mm-hmm.

Ben Yelin: [00:37:24] So Nevada has that as leverage. You know, it's not as much leverage as, say, California, where you'd be cutting out the market of the equivalent of the sixth largest world economy. But Nevada's a reasonably sized state. You've got Las Vegas...

Dave Bittner: [00:37:41] Right.

Ben Yelin: [00:37:41] ...You got a professional hockey team and soon a National Football League team.

Dave Bittner: [00:37:46] (Laughs)

Ben Yelin: [00:37:46] So, it's a fast-growing state. And, you know, you don't want to cut yourself off of that market. So, because the Nevada legislature knows that Amazon isn't going to stop selling to customers in Nevada, they have the leverage to do something like this.

Dave Bittner: [00:38:01] Hmm. All right. Well, our thanks to Kim Phan for joining us. That is our show. We want to thank all of you for listening. And of course, we want to thank this week's sponsor, KnowBe4. Go to kb4.com/kcm and check out their innovative GRC platform. That's kb4.com/kcm. You can request a demo and see how you can get audits done at half the cost, in half the time.

Dave Bittner: [00:38:26] Our thanks to the University of Maryland's Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com.

Dave Bittner: [00:38:31] The Caveat podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: [00:38:49] And I'm Ben Yelin.

Dave Bittner: [00:38:50] Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.
