Fri, 26 September 2014
For those who think the podcast is best when we have a guest from the opposite end of the political spectrum, episode 35 should be a treat. (We’re late this week, but it will be well worth the wait.) Our guest is Julian Sanchez, a senior fellow at the Cato Institute who studies surveillance and other issues at the intersection of technology and civil liberties. He is a founding editor of the policy blog Just Security, and recently debated another of our guests, Orin Kerr, on Apple’s recent announcement that it would no longer be able to decrypt iPhones for law enforcement. We dig into that issue in detail, asking such questions as how often encryption has actually stymied an investigation, whether “hacking” the phone is a substitute for help from the company, what this means for corporate users of iPhones, the implications for Apple (and Google) in other countries, and whether Google/Apple run a risk under current US law of lawsuits by prosecutors or by crime victims.
Our news roundup begins with some of the first good news NSA has received in months. It looks as though Snowden fatigue may finally be setting in abroad as well as here. Last week, Glenn Greenwald, Edward Snowden, and Internet multimillionaire Kim Dotcom teamed up to “close one of the Five Eyes” by driving New Zealand’s government out of office in national elections. They combined strategic leaks, a Snowden attack on the prime minister as a liar, and Dotcom’s multimillion-dollar campaign war chest. Well, the elections are over, and the Anti-NSA Dream Team was trounced. In less good news, NSA Director Mike Rogers admits to having missed more than he’d like about ISIS’s rise. We debate how much the political furor over the agency contributes to these problems.
In other news, we discover that auto-forwarding someone else’s email is a wiretap – and why suing for a privacy violation is much better than seeking alimony. Meanwhile, the Home Depot case sets a new record, and the Neiman Marcus data breach case gives comfort to class action defense lawyers all across the country. The Texas Court of Criminal Appeals tells us that the constitution may protect upskirt photos.
And, finally, we speculate whether the whole privacy law thing will finally melt down over health data, especially now that concerns about HIPAA are stifling innovation by app companies, spurring a turf war between the FTC and HHS, and, most of all, getting in the way of rapid response by government agencies accused of wrongdoing.
Finally, we announce a new feature of the Steptoe Cyberlaw Podcast: feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone here’s the number: 202.862.5785. We may play your message on the podcast if it’s particularly insightful or entertainingly abusive.
Tue, 16 September 2014
Our guest this week is Dr. Phyllis Schneck, the Deputy Undersecretary for Cybersecurity for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD). She and Marc Frey, Senior Director in Steptoe’s DC office and former Chief of Staff at DHS’s Office of Policy Development, discuss the status of cybersecurity legislation and DHS’s highest cybersecurity priorities.
We begin the podcast with This Week in NSA, as newly released documents indicate that back in 2008, the US government threatened to fine Yahoo $250,000 a day if it failed to comply with an order for data under the PRISM program.
We dive into the Alien Tort Statute suit that was dismissed against Cisco. And, even though Stewart isn’t here this week, we give an update on his favorite topic – the right to be forgotten. We also have a new competitor for the title of “strangest ruling against Google in a European court this year” – as a German court has ordered Google to provide more responsive customer support.
Last week, we told you about how Yelp had prevailed in an extreme case claiming that the company suppresses bad reviews for its advertisers. This week, California adopted a law that further protects customers’ ability to post negative reviews to Yelp and other sites.
This week in data breaches: Home Depot confirms its breach, and the congressional reaction is predictable. On a related front – in the newly minted “This Week in Judge Koh,” she finds that the Adobe breach victims have standing based on risk of future harm – we explain how this can be reconciled with Clapper and what its implications might be for future class actions.
Tue, 9 September 2014
Our guest this week is Orin Kerr, professor of law at George Washington University and well-known scholar in computer crime law and internet surveillance. Orin is our second return guest, and he demonstrates why, opining authoritatively on the future of NSA’s 215 program and the “mosaic” theory of Fourth Amendment privacy as well as joining in our news roundup.
We begin the podcast with This Week in NSA, which again consists of news stories not written by Glenn Greenwald and the Snowdenistas. Most prominent are the stories claiming that Snowden’s leaks contributed to US intelligence failures against ISIS, the decision by Justice and DNI officials to support Sen. Leahy’s USA Freedom bill, and the release of a less-redacted version of Jack Goldsmith’s OLC opinion holding that the 215 program’s predecessor is not only legal but requires no FIS court approval, at least in time of war. We find even more evidence that Snowden leaks harmed our ability to monitor ISIS, doubt that Sen. Leahy’s bill will pass before the elections, and speculate about whether OLC has a macro that inserts its plenary Article II article into every opinion it produces.
Meanwhile, Yelp prevails in an extreme case claiming that the company suppresses bad reviews – but only for advertisers. To which the Ninth Circuit says, “So what? It’s Yelp’s site.” If only the aggrieved shopowner had sued under EU privacy law, which might require Yelp to forget those bad reviews.
Speaking of the right to be forgotten, I explain what I’ve learned by actually filing censorship demands of my own. The headline? Google will suppress European search results for anyone anywhere. You don’t have to be a European to have your peccadilloes forgotten. The full post is here.
And, speaking of foreign censorship of US information, LinkedIn is being accused of applying Chinese censorship to Chinese customers, even on LinkedIn’s U.S. site. Three cases make a trend, and censoring the news that Americans read by threatening to hold their news suppliers liable abroad is definitely a trend.
This week in data breaches: Home Depot is accused, and Sen. Rockefeller calls on the company to respond. Will “tokenization” solve the problem, at least for stores – or is that a solution only a lawyer could love? We also look at the healthcare.gov hack and conclude that it’s been hyped.
In other regulatory action, Google takes a big hit for kids’ in-app purchases and Verizon agrees to pay $7.4 million for sending inadequate notices to customers. But the class action bar isn’t likely to get rich off either case.
Wed, 3 September 2014
We’re back! After a much-needed hiatus, during which we shared wilderness paths with bison, woke up to wolf cries, and celebrated the value of ibuprofen, the Steptoe Cyberlaw Podcast is back on the net.
The hiatus allows us to cover this month in NSA, which is a good thing, because the Snowden News Machine is sputtering. The most significant news was probably made by NSA itself, which released a redacted opinion of the FISC, shedding a lot of light on why the government abandoned its internet 215 program. Judge Bates’s heavily redacted opinion criticizes the agency relentlessly for making promises about its technology and procedures that it just couldn’t keep. My guess is that the agency heads and DOJ got so tired of explaining and apologizing to the court that they finally just killed the program.
In other NSA news, Snowdenista journalists try to make an issue of the fact that NSA has developed a search engine for metadata called ICREACH. Public reaction: Well, duh.
More egregiously, Laura Poitras and Der Spiegel provided detailed information about US intelligence collection on Turkey in a scarcely veiled effort to sabotage the US-Turkey relationship – and to relieve the German government of the embarrassment of a leak showing that despite Angela Merkel’s claim that friends shouldn't spy on friends, Germany spies enthusiastically on Turkey.
Mustn't embarrass the German government, after all. Its insistence on moral purity in intelligence collection is the main political/diplomatic support for what’s left of the Snowden campaign. But that purity is looking a little sullied after revelations that German intelligence intercepted both Hillary Clinton and John Kerry as they carried out diplomatic efforts.
In other August news, the Microsoft case questioning the government’s authority to issue warrants for overseas data continued to evolve over the month, with the government greatly raising the stakes: If Microsoft wants to appeal, the government says, its only option is to refuse compliance with the warrant and let the court hold it in contempt. And it looks like the district court agrees.
Elsewhere, LinkedIn settles its data breach case for a relatively modest $1.25 million. NIST seeks comment on how its Cybersecurity Framework is working out. And a federal court in Massachusetts offers novel (and probably bad) advice to those hoping to avoid liability under federal computer abuse law: Just make sure the computer’s been disconnected from the Internet before you attack it. Finally, in what looks like an increasingly American exceptionalist view, US courts continue to hold that search engines aren’t liable for the links they publish or their autocomplete suggestions.
Our guest for the week is David Hoffman, Intel’s Chief Privacy Officer, and one of the most thoughtful privacy officials going. Apart from his unaccountable fondness for the European Court of Justice’s decision on the right to be forgotten. We debate the decision again, and I discover that David and I are famous by Google’s standards, while Michael is not. I propose new ways to throw a legal spanner in the European data protection agencies’ works.