In this episode, I interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of "COVID-19 Apps Are Terrible—They Didn't Have to Be," a paper for Lawfare's Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and regulation. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, also in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional valuation of privacy over life itself. Sometimes, privacy really does kill.
In the news roundup, we discover that face recognition suddenly isn't toxic at all, since it can be used to identify pro-Trump protestors. Dave Aitel explains why face recognition might work even with a mask but still not be very good. And Jane Bambauer reprises her recent amicus argument that Illinois's biometric privacy law is a violation of the First Amendment.
If you heard the part of episode 344 last week about Silicon Valley speech suppression, you might be interested in seeing a further elaboration of the proposal I came up with then, now a Washington Post Op-Ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.
Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.
Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, more work for lawyers.
I ride one more hobbyhorse, critiquing Mozilla's decision to protect "user privacy" while imposing new burdens and risks on enterprise security. The object of my ire is Firefox's Encrypted Client Hello. Dave corrects my tech but more or less confirms that this is one more nail in the coffin for CISO control of corporate networks.
In our concluding quick hits, Maury tells us about the CNIL's decision that privacy law prevents France from using drones to enforce its coronavirus rules. I note a new FDIC cybersecurity rule that isn't (yay!) grounded in personal data protection. Maury explains the recent EU advocate general's opinion, which would probably make Schrems II even less negotiable than it is now if it's adopted by the European Court of Justice, which I argue it will be unless the Court can find some resolution that is even more anti-American than the advocate general's proposal. And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues – a reorganization that may not last longer than a few months.
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.