The Cyberlaw Podcast

Our guest for episode 90 is Charlie Savage, New York Times reporter, talking about Power Wars, his monumental new book on the law and politics of terrorism in the Obama (and Bush) administrations.  I pronounce it superb, deeply informative, and fairly unbiased, “for a New York Times reporter.”  With that, the fat is in the fire, and Charlie and I trade views – and occasional barbs – about how the Bush and Obama administrations handled the surveillance issues that arose after 9/11.

In the news roundup, Michael Vatis and I puzzle over the FTC’s astonishing loss on its own home court.  We wonder why the FTC failed to do the right thing and drop the LabMD case when the FTC’s source began to lose credibility by the shovel-load.  I suggest that FTC leadership was suffering from the rarely spotted “Darrell Issa Derangement Syndrome.”

Jason Weinstein deconstructs the claim that the European Union is “cracking down” on bitcoin in response to the attacks in Paris. 

Stepping out of character, I defend the value of diplomatic “words on paper,” finding promise in the G20’s announcement that all twenty members join in condemning cyberespionage for commercial purposes.  

Michael recaps the latest in litigation over the nearly expired NSA 215 program.  D.C. Circuit Judge Kavanaugh has explained why Judge Leon is wrong about the program, depriving the district court judge of the last word on the subject and demonstrating that its lawfulness can be assessed without resort to exclamation points.

Working a technology help desk could drive a man to suicide.  Until ISIS opened its own terrorist help line, though, we thought that was a bug not a feature.  In the same vein, I mock Glenn Greenwald for insisting that Snowden taught ISIS nothing about security about a week before we got to see a tech manual, apparently in use by the terror group, which invokes Fast Eddie’s advice about which remote storage systems are safe to use. 

Direct download: Podcast_90.mp3
Category:general -- posted at: 8:10pm EDT

The NSA metadata program that is set to expire in two weeks was designed to provide early warning of a terror attack planned in a foreign safe haven and carried out inside the United States.  Those are some of the most deadly terror attacks we’ve seen, from 9/11 to Mumbai.  And now Paris.   

Our guest for the podcast is Mark Shuttleworth, founder of Thawte and Canonical/Ubuntu.  He makes it clear from the start that he could hardly disagree with me less on issues such as encryption and intelligence collection.  But we nonetheless get a great tour of the technology horizon.  Mark is helping to build the future of computing, from the internet of things to mobile phones, the desktop, and the cloud.  We explore what that means for privacy and security; we even touch on artificial intelligence and just how suddenly its risks will be upon us.    

In other news, Michael Vatis and I unpack Microsoft’s ground-breaking effort to avoid US jurisdiction over its cloud -- by storing data in Germany under the control of a German company.  

So should the United States be terminating the 215 program just as the Paris attacks show why it was created?  That’s the question I ask in Episode 89 of the podcast as we watch the D.C. Circuit cut short Judge Leon’s undignified race to give the program one last kick before it’s terminated.  Meanwhile, Alan Cohn and I handicap the US-EU talks aimed at reaching Safe Harbor 2.0.

A deal appears to be within reach in principle; the main question is how many additional enforcement concessions the EU can wring from the US.  The Paris attacks will make US concessions less likely and weaken European determination to extract them, we suspect.

Finally, Michael explains how New York is showing its determination to out-regulate the feds when it comes to bank and insurance cybersecurity. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_89.mp3
Category:general -- posted at: 10:57pm EDT

Where the hell are the FTC, Silicon Valley, and CDT when human rights and privacy are on the line? If the United States announced that it had been installing malware on 2% of all the laptops that crossed US borders, the lawsuits would be flying thick and fast, and every company in Silicon Valley would be rolling out technical measures to defeat the intrusion. But when China injects malware into 2% of all the computers whose queries cross into Chinese territory, no one says boo. Not the US government, not CDT or EFF, and not the big browser companies. That’s the lesson I draw from episode 88 of the podcast, featuring an in-depth discussion of China’s Great Cannon with Adam Kozy and Johannes Gilger of CrowdStrike. They expand on their 2015 Black Hat talk about China’s deployment of Great Firewall infrastructure to hijack American and Taiwanese computers and use them in a DDoS attack against GitHub.

China’s first internet email, in 1987, said “Across the Great Wall we can reach every corner of the world.” And boy, did they mean it. The question now is what the other corners of the world are going to do about it. 

In other news, Michael Vatis covers the latest Safe Harbor developments, as the European Commission releases a statement saying, more or less, that American companies can expect years of litigation over the adequacy of US privacy law. Remarkably, that’s meant to be good news. 

Speaking of dubious European claims to offer good news, Michael and I note that the UK deputy data protection commissioner has announced with pride that the Right to Be Forgotten hasn’t actually “stopped the internet working.” So far; but the net is young. 

I summarize an earlier blog post claiming that the crypto wars are over and USTR has handed Jim Comey a loss while Mary Jo White gets a win. This because the Trans-Pacific Partnership trade deal included language prohibiting members from demanding encryption keys for most purposes other than financial regulation. I also acknowledge a significant caveat drawn to my attention by Simon Lester of Cato: Despite the TPP, a member is free to adopt any measure “that it considers necessary for … the protection of its own essential security.” If Jim Comey’s lawyers can’t squeeze his key access proposals into that provision, the “essential security” of their jobs is seriously at risk. 

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_88.mp3
Category:general -- posted at: 11:26am EDT

What good is CISA, anyway?

Now that both the House and Senate have passed information sharing bills that are strikingly similar but not identical, the prospects for a change in the law are good. But what are those changes, and how much difference will they make to network defenders?

That’s the topic we explore in episode 87 with our guest, Ari Schwartz. Ari has just finished a tour as senior director for cybersecurity on the United States National Security Council Staff at the White House. He and I and Alan Cohn go deep into the weeds so you won’t have to. Our conclusion? The main value of the bill is that it frees some companies from aging privacy rules that prevented information sharing with groups that include the government. It also enables companies to monitor their networks without fear of liability under even older privacy laws preventing interception of communications without all parties’ consent. The other lesson to be drawn from the bill is that privacy groups are still something of a paper tiger without business support. More than seventy senators voted for CISA over the bleeding bodies of every privacy group in the country.

In other news, Maury Shenk and I unpack the latest claim that the US and EU have agreed in principle on a deal to replace the Safe Harbor struck down by the European Court of Justice. We’re profoundly skeptical that a deal will be reached quickly, or that it will actually give companies much in the way of safety. 

Jason Weinstein provides a blow-by-blow recounting of the fight between Apple and the Justice Department. The real question is whether Magistrate Judge Orenstein will call the fight for Apple before the defendant is sentenced. We think he will.

Also in the category of “Put me in the newspaper, I’m a pro-privacy judge,” the Fourth Circuit panel that insisted on a warrant for historical cell tower location data had better enjoy their fifteen minutes of fame now. Their opinion is going to be reviewed en banc – and Jason and I are betting it won’t survive.

Finally, it looks as though privacy groups didn’t just waste money asking the Second Circuit to block the last month of the section 215 bulk collection program. They actually managed to effectively overrule the only court of appeals decision finding the program unlawful. In rejecting the privacy campaigners’ motion for an injunction, the Second Circuit declared that Congress had knowingly authorized it and therefore that it no longer violated the relevant statute. Pyrrhus salut.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_87.mp3
Category:general -- posted at: 4:58pm EDT
