Episode 345: How COVID-Tracking Phone Apps Failed

We interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the author of "COVID-19 Apps Are Terrible—They Didn't Have to Be," a paper for Lawfare's Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and privacy laws. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional enthusiasm for privacy.; In the news roundup, suddenly face recognition isn't toxic at all, since it can be used to identify pro-Trump protestors. And, of course, we have always been at war with Oceania. Dave Aitel explains why face recognition might work even with a mask but still not be very good. And Jane Bambauer reprises her recent amicus argument that Illinois's biometric privacy law is a violation of the first amendment.; If you heard last week’s episode about Silicon Valley speech suppression, you might be interested in seeing the proposal I came up with then, now elaborated into a Washington Post Op-Ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.; Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.; Not dead yet, the Trump administration has delivered regulations for administering the executive order allowing the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics.; Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, but more work for lawyers.; I ride one more hobbyhorse, critiquing Mozilla's decision to protect "user privacy" while imposing new burdens and risks on enterprise security. The object of my ire is Firefox's Encrypted Client Hello. Dave corrects my tech but more or less confirmed that this is one more nail in the coffin for CISO control of corporate networks.; Matthew Heiman and I dig into the latest ransomware gang tactics – going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails.; In a few quick hits, Maury tells us about the CNIL's decision that privacy law prevents France from using drones to enforce its coronavirus rules.; I note a new FDIC cybersecurity rule that isn't (yay!) grounded in personal data protection.; Maury explains the recently EU advocate general's opinion, which would probably make Schrems II even less negotiable than it is now. If it's adopted by the European Court of Justice, which I argue it will be unless the Court can find some resolution that is even more anti-American can the advocate general’s proposal.; And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues – a reorganization that may not last longer than a few months.; And more. The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.