Dumbest privacy issue of the decade?

Episode 214 of the Cyberlaw Podcast


This episode features a new technology-and-privacy flap: The police finally catch a sadistic serial killer, and the press can't stop whining about DNA privacy. I argue that DNA privacy is in the running for Dumbest Privacy Issue of the Decade, in which it turns out that privacy is all about making sure the police can't use your data to catch killers. Paul Rosenzweig refuses to take the other side of that debate.

Ray Ozzie has released a technical riposte to the condescending Silicon Valley claim that math proves the impossibility of securely accommodating law enforcement access. Paul and I muse on the aftermath, in which Silicon Valley may actually have to try winning the debate rather than claiming that there is none.

Jim Lewis and I note the likelihood that ZTE is contemplating litigation against the US ban on technology sales to the company. What really bothers Jim, though, is the likelihood that the US sanction will accelerate China's move to complete self-sufficiency in the technology sphere. That's something that neither the US government nor US industry is really ready for.

The House intel committee's report on Russia and the election is out. It finds no scandal, other than Russia's shocking attack on our institutions, though it does criticize "ill-advised" action by Trump campaign officials. The minority report says that the investigation should have gone on even longer. Paul and I have different takes on the value of the exercise.

Gen. Paul Nakasone is about to take over at NSA, after a remarkably easy ride to confirmation. Jim Lewis finds comfort and diversion in the effort of privacy campaigners to add some bumps to the general's road.

Finally, Paul and I debate whether Donald J. Trump Jr. committed a Computer Fraud and Abuse Act felony by logging on to an opposition website with "guessed" credentials supplied by Wikileaks. Actually, there isn't much debate about whether that's a crime, but I question whether criminalizing such a trivial violation of network mores raises more questions about the CFAA than about DJT Jr.

And a bit of special pleading: How can there possibly not be any reviews of The Cyberlaw Podcast on Stitcher Radio? Yet it appears to be true. Please get out there and comment, loyal Stitcher listeners to the podcast!

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 214th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

NEXT: China Moves to Restrict Social Media Dissemination of 'Peppa Pig'—My Two-Year-Old's Favorite TV Show

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. First he cites a case where DNA privacy would have prevented a case of mistaken identity. And, on a legal blog, has already tried and convicted a man in his head. While citing an article that quotes someone warning people to not do exactly that. Maybe Baker should ask some of his co-bloggers for a due process refresher course. Or, more likely, an introductory course.

    Then, in a utter misunderstanding of either the math behind encryption or perhaps the word “riposte”, does nothing more than point to another meaningless variation of the “You can compromise encryption in a way that only law enforcement can use” bit. Without, of course, speaking a syllable of how only law enforcement can have access to the back door.

    The sad part is that someone with a reasonable grasp of basic rhetorical skills could probably make an intelligent case here. But Baker’s rampant fallacies make it clear that he should leave arguing the point to those better suited to the task.

  2. I’m glad someone else also thinks the DNA “privacy” issue is dumb. My husband and I read the articles that claimed finding the killer raised “questions” about privacy. Our reaction was, “what questions?!”

    All we could think is the rhetorical question method of advancing an argument was used precisely because if you stated the question, the answer was obviously: That’s not a problem!

    1. I don’t think the Golden State Killer case is that problematic, but if the government starts attempting to subpoena information from private DNA databases that would be a big problem.

      And Stewart is a dangerous evil totalitarian. The fact that he thinks anything that “catches criminals” is good basically disqualifies him from serious discussion.

      1. Dilan,
        >basically disqualifies him from serious discussion.
        Yet you are discussing of your own volition. I conclude you either enjoy or value participating in un-serious discussions.

        >f the government starts attempting to subpoena information from private DNA databases that would be a big problem.
        Can they subpoena credit card record in private databases? Cell phone records in private databases? Personal email sent to me by someone who might later be charged in a criminal case? I’m not a lawyer, so that’s a real question.

        But it seems to me that the government getting evidence from private DNA databases would be about the same in terms of privacy issues. I wouldn’t view the government getting subpoena for the DNA data any more of a problem than the others. But perhaps I’m missing something. Could you explain the precise nature of the big problem you think such subpoena’s would result in?

    2. Last I heard, DNA matching wasn’t nearly accurate enough to be sure that a large enough database won’t contain a false positive, i.e., unless they have corroborating evidence, there’s a serious risk that the defendant is in fact innocent.

  3. Ray Ozzie has released a technical riposte to the condescending Silicon Valley claim that math proves the impossibility of securely accommodating law enforcement access.

    This article strikes me as the cybersecurity equivalent of a water engine crank. A guy with no background in security or encryption (but hey, he wrote an e-mail program 30 years ago, so he MUST know what he’s talking about) manages to come up with something all those egghead experts say is impossible. Suck it expertise!

    And of course Stewart Baker is ready to invest his life savings in the scheme because even though he has no clue about security or encryption either, Ozzie is telling him what he desperately wants to believe is true.

    And of predictably, the article reports that within 30 minutes of showing this system to actual experts they’re already finding flaws in it. But Baker has no concerns whatsoever that there might be further flaws. No, that’s just Big Encryption trying to keep Ozzie’s water engine down.

    1. Ozzie is not a crank, but his proposed scheme is not particularly groundbreaking; it’s just another iteration on kew escrow, with the private keys being held by e.g. Apple instead of the government, stored in a secure vault and only accessed by “highly trusted employees”. (Trusted by *who*, exactly, is not specified.)

      1. *key escrow, that is.

    2. At least Baker linked to an excellent response to The Ozzie based article. I’m not sure why he did because it sure doesn’t match Baker’s summary, but he nevertheless did.

  4. Regardless of the facts of this particular case, characterizing privacy concerns as “whining” does not exactly inspire confidence that you’re taking the matter seriously.

    1. This is pretty much how Stewart Baker rolls, as you’ll see if you look back through the history of Baker posts here.

  5. I would say there are indeed some serious privacy concerns when it comes to your DNA. In theory, somebody could even frame you with DNA evidence, given a good sequence from you.

    1. If they are clever and think it out, someone can frame you with eyewitness testimony. Someone can frame you dropping items with your fingerprints at a crime scene– possibly including on a commercial brand of butcher’s knife. Someone can frame you leaving a trail that makes it appear you were hacking.

      Are you envisioning a particular danger with DNA that would make framing someone with DNA qualitatively different from other ways of framing people?

  6. I have to say that using an ancestry DNA database (or whatever it was) in the GSK case to find possible connections to the killer was sheer genius on the part of the police. I’m surprised that there were enough people in the db to actually get a partial match but, there ya go.

    [Continued on next post to get around the 1500 char limit]

    1. Any expectation of privacy would depend greatly on the site’s terms of use and the expectations – implicit and explicit – of the user. In the GSK case, the site reportedly used was GEDmatch.com, a research company that according to their website is entirely supported by donations, volunteers and researchers. Their terms of use and privacy policies are given on the site but two items of particular interest as they relates to privacy are:

      The part of their “GEDMatch Purpose” statement which reads, “DNA and Genealogical research, by its very nature, requires the sharing of information. Because of that, users participating in this site should expect that their information will be shared with other users.”, and

      The part of their “Privacy” policy which reads, “In today’s world, there are real dangers of identity theft, credit fraud, etc. We try to strike a balance between these conflicting realities and the need to share information with other users. In the end, if you require absolute privacy and security, we must ask that you do not upload your data to GEDmatch. If you already have it here, please delete it.”

      Given these two statements, I doubt anyone who posts their DNA data to the site can reasonably claim a right to privacy.

      Besides, DNA is just metadata anyway and we know that doesn’t deserve 4A protection. 😉

  7. I was more disturbed by the discarded DNA* aspect of the EARONS case. If the government can collect discarded DNA then they can build their own DNA database — or just selectively harass people they don’t happen to like for whatever reason.

    I think that a warrant should be required to harvest discarded DNA. Maybe / hopefully they got a warrant here, but I would guess they didn’t and that State v. EARONS is only going to further solidify the parctice of warrantless discarded DNA collection.


    * I don’t think the police officially said that they collected discarded DNA from the suspect, but it was strongly suggested by what they did say.

Please to post comments