How COVID-Tracking Phone Apps Failed

Episode 345 of the Cyberlaw Podcast


In this episode, I interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of "COVID-19 Apps Are Terrible—They Didn't Have to Be," a paper for Lawfare's Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and regulation. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, also in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional valuation of privacy over life itself. Sometimes, privacy really does kill.

In the news roundup, we discover that face recognition suddenly isn't toxic at all, since it can be used to identify pro-Trump protestors. Dave Aitel explains why face recognition might work even with a mask but still not be very good. And Jane Bambauer reprises her recent amicus argument that Illinois's biometric privacy law is a violation of the First Amendment.

If you heard the part of episode 344 last week about Silicon Valley speech suppression, you might be interested in seeing a further elaboration of the proposal I came up with then, now a Washington Post op-ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.

Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.

Not dead yet, the Trump administration has delivered regulations for the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics.

Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, more work for lawyers.

I ride one more hobbyhorse, critiquing Mozilla's decision to protect "user privacy" while imposing new burdens and risks on enterprise security. The object of my ire is Firefox's Encrypted Client Hello. Dave corrects my tech but more or less confirms that this is one more nail in the coffin for CISO control of corporate networks.

Matthew Heiman and I dig into the latest ransomware gang tactics -- going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails.

In our concluding quick hits, Maury tells us about the CNIL's decision that privacy law prevents France from using drones to enforce its coronavirus rules. I note a new FDIC cybersecurity rule that isn't (yay!) grounded in personal data protection. Maury explains the recent EU advocate general's opinion, which would probably make Schrems II even less negotiable than it is now if it's adopted by the European Court of Justice, which I argue it will be unless the Court can find some resolution that is even more anti-American than the advocate general's proposal. And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues – a reorganization that may not last longer than a few months.

Download the 345th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


  1. This is nonsense ... the COVID app trackers didn't fail because of privacy concerns. They failed because of (i) the limitations of the technology, and (ii) our poor understanding of what constitutes a contact.

    Singapore, South Korea, and China had much more privacy invasive COVID app trackers, and they did not really help them identify very many infected individuals. At the same time, any excess identifications are one more opportunity to limit spread.

    1. AtR,
      Singapore and China have done very well. And unlike in Korea, in China the citizens are not allowed to grow tired of the measures.

      1. Good point ... bring on the tyranny, Caesar!

      2. Actually when I flew through Korea last April downloading the tracking app was mandatory to clear immigration.

  2. Baker,
    Many of us do not want our every movement tracked at our own expense by technology that we have paid for.

  3. I simply didn't update my iOS devices when it came out that Apple was adding "contact tracing" support to the OS. I'll continue not updating after reading this article, because I don't trust a freedom-hating lawyer's opinion on technical matters.

    Remember when Reason was a libertarian magazine? I miss those days. Now I just come here to know what scumbags like this guy are telling each other.

    1. Give it up.
      Apple has you by the balls.
      Either get rid of the smartphone altogether, or "just relax and enjoy it".

      1. I never got one, for this reason.

        1. To be fair, for you to own a *smart* phone would be irony on a cosmic scale.

          1. Given your own track record, the real iron here is...

  4. Should I voluntarily use an app that tracks whomever I contacted, produces data that can be subpoenaed, and can be used to blame me for someone getting sick?

    That’s not a hard question to answer.

  5. "our delusional valuation of privacy over life itself"

    Here I thought I was at

    Here I thought was "often libertarian."

    As C.S. Lewis warned us: "Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive."

    1. I'd like to hear him use that line if he's ever invited to speak at any Veterans/Memorial Day events.

  6. These apps are for our good.
    I have that directly from Skynet.

  7. Why are you here again? You're clearly an authoritarian statist. Every post of yours I read is so confused on basic principles, it's not even wrong.

    Are you part of Volokh solely to make it obvious how pro-liberty the other bloggers are? One of these people is very much not like the others.

    (As usual, you're making the basic mistake of thinking that if only some central authority had more control, we could have avoided all the bad things. With no evidence that better phone-mediated contact tracing would have actually prevented a single covid-19 death, your position is nonsense. And that's before even getting into the downsides of pervasive state surveillance, which is certainly measurable in bodies).

    1. Stewart Baker provides us a rare "government insider" view of issues. Most government types hold their cards closer to their chest. I find that valuable, even if my libertarian slant makes me oppose most of them. Most, but not all. Several times Stewart has persuaded me to change my mind. I do have a slant, but I try to keep an open mind.

      Are you arguing for a monoculture in which you only see or hear material from those who agree with you?

      1. I don't just read one source. I just find his presence on Volokh surprising given his views.

  8. I have my state’s version of ‘the’ tracking app. The local community fearmongers of panic porn daily report on Facebook their morbidity and mortality events. Meanwhile I have received no Exposure Notification.

    So lay back and enjoy it as today at 1100 I will stand with my fellows and toast the health, wealth and welfare of my President Donald J. Trump, and damn our enemies.

    1. In Spain there are still people who are upset about the fact that Queen Isabella II succeeded her father King Ferdinand VII in 1833 instead of his brother Don Carlos.

      And yet life goes on.

  9. On the bright side, telescreen sales are still strong.
