The Cyberlaw Podcast

Fresh off a redeye from Israel, I interview Matthew Green of the Johns Hopkins Information Security Institute. Security news from the internet of things grows ever grimmer, we agree, but I get off the bus when Matt and the EFF try to solve the problem with free speech law.

In the news roundup, Matt joins Michael and me to consider the difficulties of retaliating for Putin’s intrusion into the US election. There just aren’t that many disclosures that would surprise Russians about Vlad, though the Botox rumors are high on my list.

In other news, the EU’s cybersecurity agency, ENISA, issues a report on crypto policy that has a surprisingly musty air.

Two new settlements show the limits of privacy law. Michael Vatis covers them both. Ashley Madison settles with the FTC and is assessed a large fine that has to be partially forgiven because the company can’t pay. We all thought that adultery was a more durable business model. And Google settles a class action for unlawful wiretapping by agreeing to scan everyone’s email a few microseconds later than it used to. To spike the football in its victory, Google offers most victims of the violation damages that amount to, well, nothing.

Ah, but Europe marches on, convinced that more privacy regulation will solve the twenty-first century for Europe. Given a choice between more privacy regulation or less, the EU of course chooses more. Maury Shenk explains.  Meanwhile faced with the problem of “fake news” and the real risk that Vladimir Putin will use doxing and propaganda against Angela Merkel in her election next year, Europe has the answer: more regulation, especially regulation that puts all the blame on American social media companies. The first amendment rights of Americans look to be collateral damage.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-143.mp3
Category:general -- posted at: 9:25am EST

Too busy to read the 100-page Presidential Commission on Enhancing National Security report on what the next administration should do about cybersecurity? No worries. Episode 142 features a surprisingly contentious but highly informative dialog about the report with Kiersten Todt, the commission’s executive director.

In the news, Lindsey Graham, John McCain, and a host of Dems want to investigate Russia’s role in the recent election, while the President-elect thinks it’s, well, fake news, to borrow a lefty trope. Michael Vatis presses me to pick a side. Long-time listeners won’t be surprised at my answer.

The Ninth Circuit offers ginger approval for the use of FISA-derived evidence in a criminal trial.

Gen. John Kelly is picked to head DHS. What does that say about its role in cybersecurity? Nothing, I venture. On crypto, though, we could finally see a commission. Chairman McCaul supports the idea, and it’s just possible that foreign government action and the Trump presidency will finally make Silicon Valley nervous enough to stop stonewalling and start talking.

We close with a definitive five-minute briefing on the future of net neutrality. The quick answer is that the dingoes are running the child care center.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-142.mp3
Category:general -- posted at: 2:35pm EST

We ask Rihanna to sum up the latest U.S.-EU agreement:

And that’s when you need me there
With you I’ll always share …
You can stand under my umbrella

RiRi’s got the theory right:  The Umbrella Agreement was supposed to make sure the U.S. and EU would always share law enforcement data.  But when the Eurocrats were done piling on the caveats, it’s clear what concessions that US has made but it isn’t clear if the EU has made any at all. Meanwhile, the Investigatory Powers Act has gained royal assent, Maury Shenk walks us through both developments.

The Trump administration is hinting at a change in responsibility for protecting critical infrastructure from cyberattack, and it’s consistent with the President-elect’s enthusiasm for turning hard jobs over to generals. Congress is doing its bit, elevating Cyber Command to full combatant command status. But the Obama administration may still be toying with the idea of firing Adm. Rogers.

In good news, DOJ and a boatload of other countries have sinkholed Avalanche botnet. Michael Vatis has the details.

Kudos to Sen. Cornyn, who held off a series of left/lib attacks on the changes to Rule 41 needed to catch even moderately sophisticated child porn and cyber law breakers.

Tom Donilon’s Commission on what the next administration should do about cybersecurity has delivered recommendations. The response:  crickets.

Lastly, Saudi Arabia suffers major Iranian attack.

We then turn to an interview with Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft.  I’ve known Scott for 25 years and he’s an acute observer of the international cybersecurity scene.  He discusses international pressures on technology companies including the conflicted roles of governments dealing with encryption.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-141.mp3
Category:general -- posted at: 10:03am EST

Episode 140 features long-time New York Times reporter, John Markoff, on the past and future of artificial intelligence and its ideological converse—the effort to make machines that augment rather than replace human beings. Our conversation covers everything from robots, autonomous weapons, and Siri to hippie poetry of the 1960s and Silicon Valley’s short memory on use of the term “cyber.”

In the news, Maury Shenk reports that five EU members now say they want EU-wide crypto controls. And that’s not counting France and Germany.  Maybe the real question is whether any EU countries oppose encryption regulation.  We can’t find any. Tongue firmly in cheek, I thank Tim Cook for bringing the need for government crypto regulation to the attention of governments around the world.

It turns out that the FBI actually hacked more than 8,000 computers in 120 countries in a single child porn investigation. Wow. And the Justice Department is lecturing me on the risk that active defense could cause unexpected foreign relations problems? Well, I guess they would know.

We-Vibe’s undisclosed collection of data about users of its smart-phone enabled vibrators spurs a class action. Or should that be a “lacks class” action? I confess to being nonplussed by the uses to which an Internet-connected vibrator app can be put. And even more nonplussed when Jennifer Quinn-Barabanov explains how We-Vibe could contribute to the law of standing.

The Wages of Defeat, part one: Election hack fever seizes the left, and I ask Alan what the law should do about vulnerable election infrastructure. Jill Stein is almost certainly wrong about election hacking this year (or in it for the money), but now that everyone has some reason to question the integrity of our election process, Alan and I ask whether there’s room for bipartisan improvements in electoral systems.

Wages of Defeat, part two: Fake news fever seizes the left. For sure it’s a real problem, and Putin is part of it, but solutions are hard to find. Fake news is often in the eye of the beholder, and neither the mainstream media (see, e.g., here or here) nor the barons of social media (Milo Yiannapoulos, call your office) have been exactly even-handed in dealing with conservative views. If we want to go after foreign government sponsored fake news, I suggest, maybe an updated Foreign Agent Registration Act is worth looking at. Between the first amendment and a lack of trust in would-be fake news umpires, there aren’t a lot of other attractive solutions out there.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-140.mp3
Category:general -- posted at: 11:54am EST

In this week’s episode, we guess at the near-term future with Betsy Cooper and Steve Weber of UC Berkeley’s Center for Long Term Cybersecurity. In all of their scenarios, the future is awash in personal data; the only question is how it’s used. I argue that it will be used to make us fall in love—with our machines.

In the news of the week, we explore the policy consequences of President-elect Trump’s personnel choices. I point out that the quickest route to the new administration’s short list seems to be an interview on the Steptoe Cyberlaw Podcast.

The internet advertising industry is trying to stamp out ad malware so that firms following a set of guidelines will earn a seal of approval Katie Cassel explains. Color me skeptical: would you buy an antivirus product that proclaimed that it scans “a reasonable percentage of” incoming code?

It’s apparently guidelines week in cybersecurity-land, as agencies rush to release their work before the transition. Two agencies issued guidelines on security practices. The Department of Homeland Security released the recommendations for internet-connected devices that Rob Silvers forecast on the podcast last month. Alan Cohn summarizes the principles, which include steps like security by design and regular vulnerability patches. Meanwhile, Katie tells us, NIST has released its  guidance for small business network security. We compare its guidance to the FTC’s. NIST wins.

Two Chinese Android phone backdoors have emerged in one week. Researchers at Kryptowire have uncovered a secret backdoor in large numbers of Android phones that ships users’ personal data, including their SMS messages and location, back to China. The company responsible, Shanghai Adups Technology Company, says it was a mistake, and that the software wasn’t supposed to be installed on phones for sale in the US.  Or perhaps the mistake was in getting caught. Investigations will follow, one hopes.

The second backdoor is an unsecured firmware upgrade channel that would allow a man-in-the-middle to add arbitrary code to an upgrade. I point out that Apple uses the same backdoor—just better secured—for the same purpose.  So its claim that it’s fighting the FBI to protect us from backdoors and their security risks is balderdash.

The 1990s have called, and they want their competition policy back. At least that seems to be the gravamen of Kaspersky’s complaint that Microsoft Defender is killing third party antivirus companies.

In other news that isn’t new, the effort to override Rule 41 changes still looks as dead as General Franco. That doesn’t mean that a forlorn left-right coalition will give up, of course, since there is still sympathetic lib/left press coverage to be milked from the issue.

Finally, in a sign of just how serious the cybersecurity crisis is, almost 2 in 5 American adults said they would give up sex for a year in exchange for never having to worry about being hacked.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-139.mp3
Category:general -- posted at: 10:32am EST

We couldn’t resist.  This week’s topic is of course President-elect Trump and what his election could mean for All Things Cyber.  It features noted cybercommentator Paul Rosenzweig and Daily Beast reporter Shane Harris. 

In the news, we’re reminded of the old Wall Street saying that bulls and bears can both make money in the market but pigs eventually get slaughtered. The same goes for the pigheaded, as the FTC has learned. Whatever modest satisfaction the FTC got from denying a stay of its order against LabMD surely evaporated when it forced the Eleventh Circuit to make an early call on the stay. The result: the court of appeals practically overrides the FTC decision on the motion. Or was the Commission just trying to make sure the proposed television series about LabMD had an ample supply of villains? If so, way to go, guys!

Katie Cassel announces her imminent retirement from the podcast. She also explains the DMCA’s new exemption for security researchers

This is getting ugly: Yahoo now says that some of its employees knew about its massive data breach in 2014 – two years before it was disclosed. Why the delay?  Yahoo says it’s investigating – and that it can’t be sure Verizon will follow through on the deal to buy the company.

Russia is getting ready to put some teeth in its data localization law. LinkedIn looks like the sacrificial goat, Maury Shenk tells us, and that’s just the camel’s nose under the tent.

How can section 230 immunity provide protection against one claim but not another based on the same facts? Katie makes it sound almost reasonable. Boy, are we going to miss her.

The Germans have revived an investigation of Facebook for not blocking Germany’s idea of hate speech, which probably includes hats that say “Make America Great Again.” Oh, this is going to be a fun four years.

Speaking of which, I wonder if the GRU woke up with the same hangover as the rest of the United States, suddenly realizing that they had no freaking clue what policies a Trump administration would follow. That would explain the rash of phishing attacks on Washington think tanks.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-138.mp3
Category:general -- posted at: 9:59am EST

The episode features a vigorous and friendly debate between me and Frank Cilluffo over his Center’s report on active defense, titled “Into the Gray Zone.”  It’s a long and detailed analysis by the Center for Homeland and Cyber Security at GW University. My fear: the report creates gray zones for computer defense that should not be seen as lawful—and turns far too many genuine gray zones black. 

Maury Shenk returns after missing last week due to the British determination not to follow US daylight savings practice. He updates us on challenges to the Privacy Shield Agreement in EU courts by privacy true believers (two and counting) and EU court challenges to government data practices in China, Russia, Algeria, and Saudi Arabia (none in evidence). Speaking of which, China has actually adopted the cybersecurity law it’s been threatening Western tech companies with for months, if not years.

Congress is starting to notice the FDA’s hapless response to medical device security. I predict that the FDA will not take serious notice until heart implants start tweeting: “I’d give this guy a cardiac arrest shock, but I’m too busy DDOSing the DNC.” 

Michael Vatis tells us what’s in the FTC’s Business Guide to Data Breach Response. It’s pretty good, but even if it weren’t, no one can ignore it, since it’s as close to rulemaking as the FTC gets in this field.

A remarkable official leak says that U.S. Cyber Command has pwned Russia’s IT infrastructure from its power grid to its military command system and is ready to strike if the Russians mess with the US election. Is it true? Clint Eastwood has the best answer.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-137.mp3
Category:general -- posted at: 5:01pm EST

Jonathan Zittrain, who holds a surfeit of titles at Harvard, is our guest for episode 136. Among other topics, we explore the implications of routine doxing of political adversaries. Along the way I extract kind words from Jonathan for Sarah Palin and welcome him to the club of those who think mass doxxers are evil punks.  It’s a wide-ranging, informative, and un-ideological performance of the sort we’ve come to expect from Jonathan.

In the news, I note that the FBI seems to be getting reinforcements in the Great Crypto War, as European prosecutors prepare the battlefield with complaints about Islamic State use of Western encryption.

We’re seeing the rise of a new kind of security disclosure mandate, Katie Cassel tells us. First DOD and now Treasury are requiring their industry to disclose not just personal data breaches but the details of security breaches. But only Treasury was clever enough to do it without new regulatory authority.

NHTSA proposes some pretty thin cybersecurity guidance for vehicles, says Michael Vatis, and a couple of Senate Dems predictably call for tougher mandatory standards.

In more dog-bites-man news, European data protectionists have more hassles for US tech companies; this time it’s WhatsApp and Yahoo in the crosshairs.

Michael leads a tour of the FCC’s new “opt-in” privacy rules for ISPs. I make a bold prediction about how the privacy fight will shake out, and Michael—remarkably—thinks I may be right.

Katie explains HHS’s latest fine for a company that allowed file-sharing of medical files on one of its servers. Mike Daugherty, time to call your office.

Would the revolting magistrates have scuppered the FBI's effort to extract Huma's emails from Weiner's computer? Michael and I debate Orin Kerr's suggestion that there's a legal problem with expanding the search (or the seizure) to a new and different investigation. We mostly disagree with Orin.

And in continuing Rule 41 news, I narrowly escape an NFL taunting penalty while reporting that a whopping 23 out of 535 lawmakers are whining about expanded searches of pedophile computers.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-136.mp3
Category:general -- posted at: 5:32pm EST

Our guest for the episode is Rob Silvers, the assistant secretary for cybersecurity policy at DHS.  He talks about what the government can and should do about newly potent DDOS attacks and the related problem of the Internet of Things. The only good news: insecure defibrillators and pacemakers may kill you, but they haven’t yet been implicated in any DDOS attacks.

In the news, Michael Vatis and I debate whether the netizen reaction to a search warrant that also allows the FBI to collect phone security fingerprints during the search is overheated or justified. Maury Shenk explains an unusual UK tribunal ruling, holding that GCHQ’s and MI5’s bulk collection of data was once a violation of the European Convention on Human Rights. Luckily for the UK government, that illegality was cured by the government’s acknowledgment of the collection.

The financial industry faces new cybersecurity regulations; Katie Cassel explains. Then, as the junior member of the podcast crew, Katie also finds herself called on to explain when defense contractors have to disclose cyberattacks to the Department.

In other news, NSA contractor Harold Martin is looking less like a hoarder and more like a serious threat to national security, thanks to the Justice Department motion opposing bail. Maury explains why the EU’s top court thinks that even dynamic IP addresses are personal data. And I explain (or try to) why Julian Assange is a First Amendment cover boy when he blows national security secrets but apparently the second coming of Josef Stalin when he blows politically embarrassing secrets of the Clinton Global Initiative.  Or is the real problem the risotto recipe?

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-135.mp3
Category:general -- posted at: 1:31pm EST

Episode 134 features John Carlin’s swan song as assistant attorney general for national security.  We review the highs and lows of his tenure from a cybersecurity point of view and then look to the future, including how the U.S. should respond to Russia’s increasingly uninhibited use of cyberpower.  I introduce John to Baker’s Law of Post-Government Policy Advice: “The good news about leaving government is that you can say what you think. The bad news is that you can say what you think because nobody cares.”

In the news roundup, we explore the Geofeedia flap, in which large Silicon Valley companies are claiming the right to deny law enforcement access to public postings, even when that access is limited to particular geographic areas, such as the location of an ongoing riot.  Remarkably, they seem to think we ought to be praising them for this antisocial stand.

Maury Shenk updates us on the UK’s new privacy guidelines—and China’s effort to make its internet more protective of children, and the state.

Michael Vatis and I mull over the troubling news that Carbanak is targeting SWIFT endpoints. The G7 has financial cybersecurity guidelines, but it seems unlikely that they’ll turn the tide of an increasingly at-risk banking system.

Michael and I also touch on an Akamai report confirming that the Internet of things isn’t exclusively used to launch DDOS attacks on Brian Krebs; sometimes it’s used to launch mass credential theft attacks as well. Maybe, I suggest, this is a problem that lawsuits can address.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_134.mp3
Category:general -- posted at: 1:51pm EST

In episode 133, our guest is The Grugq, famous in hacker circles but less so among Washington policymakers.  We talk about the arrest of an NSA employee for taking malware and other classified materials home, the Shadow Broker leak of Equation Group tools, and the Grugq’s view that the United States has fundamentally misunderstood the nature of cyberconflict.

In the news, Alan Cohn and I discuss the DHS/DNI fingering of Russia – and Putin – for the DNC hack.  We ask whether this means that sanctions will follow, and I characterize the administration’s stance so far as an updating of Groucho Marx’s position:  “These are my red lines.  If you cross them, well, I have others.”  

I award “stupidest privacy scandal of the year” to the complaints that Yahoo! (gasp!) scanned email content in a search for a terror-related signature.  

Continuing what will become a rant-filled episode, I nominate the Third Circuit for membership in a Hall of Judicial Shame.  The court of appeals has joined the European Court of Justice in giving legal effect to the early Guardian articles claiming that PRISM allowed NSA to scan all emails in US webmail services.  That might have been a mistake in 2013, but in 2016, it can only be characterized as a lie, and not one the judiciary should be party to.  Katie Cassel hoses me down.

Maury Shenk, back from honeymoon in Jordan, explains why the TalkTalk case has such prominence in the UK – and why the company was lucky to be assessed one of the highest fines ever imposed by the UK data protection authority.

Katie explains the FCC’s revised proposal for privacy regulations.  But she can’t explain the FTC’s embarrassingly juvenile grandstanding in its ongoing turf war with the FCC.

And, to end the roundup on a choleric note, Alan goads me with HHS’s latest and most astonishingly nit-picking fine ‒ $400,000 for having a supplier contract that hadn’t been updated since the HI-TECH Act modified HIPAA.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_133.mp3
Category:general -- posted at: 9:19am EST

In episode 132, our threepeat guest is Ellen Nakashima, star cyber reporter for the Washington Post.  Markham Erickson and I talk to her about Vladimir Putin’s endless appetite for identifying ‒ and crossing ‒ American red lines, the costs and benefits of separating NSA from Cyber Command, and the chances of a pardon for Edward Snowden.  Ellen also referees a sharp debate between me and Markham over the wisdom of changing Rule 41 to permit judges to approve search warrants for computers outside their district.

In the news roundup, Meredith Rathbone explains the remarkably aggressive, not to say foolish, European proposal to impose export controls on products that would enable state surveillance in cyberspace.  Apparently locked in a contest with Brussels over who can propose the dumbest regulation of cyberspace, California has adopted a law that purports to prohibit entertainment sites like IMDb from publishing the true ages of actors and actresses.  Markham and I debate the constitutionality of the measure.

In other California news, Markham brings us up to date on the surveillance lawsuit against Google.  He also explains the deep Washington maneuvering over FCC Chairman Wheeler’s plan for cable set top boxes.  I call for a rule that requires cable CEOs to wait at home for days of rescheduled calls to find out whether they’re going to get the result they want.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_132.mp3
Category:general -- posted at: 2:02pm EST

Our interview in episode 131 is with Matt Cutts and Lisa Wiswell from the Pentagon’s Defense Digital Service.  Matt joined the Digital Service from Google where he authored their SafeSearch content filter.  Lisa is a bureaucracy hacker with the Defense Digital Service and previously spent years working on cyber-warfare in DOD’s policy shop and in DARPA.  They both stress that the Service is looking for good code and policy hackers -- and that their Digital Service recruiting link is https://www.usds.gov/join

 

After a musical intro featuring the Beatles as reimagined by artificial intelligence, Michael Vatis explains why Microsoft's new German datacenters may succeed in putting customer data beyond the reach of US agencies, and why Microsoft might not want to state its goal quite that way.

 

Jennifer Quinn-Barabanov explains how a new lawsuit on behalf of Gilbert Chagoury will test whether the US government will punish leakers and whether the EU succeeds in its effort to get the Privacy Act to cover European nationals.  

Jen and I also tackle the record-breaking Yahoo! breach, and what it says about the actual impact of data breach risk on companies and investors.  Jen reveals this shocking statistic:   the median cost of a breach is $200,000 by some measures, hardly enough to get even the plaintiffs’ bar out of bed.  And, it turns out, nearly half of corporate GCs have already lived through a breach, so they likely know their own exposure pretty well.  

Speaking of records, Brian Krebs, a podcast alum, experienced his own unenviable record:  victim of world’s biggest DDOS attack, fueled by the Internet of things.  What next?  Networked Fords launching a denial of service attack on GM dealers?

Sliding seamlessly into the interview, Matt Cutts and I dive into the latest OpenSSL bug, the reasons Google launched BoringSSL, and the ways in which being boring is also being secure.  (As pretty much any overprotected ten-year-old boy could have told us.)

Matt and I debate whether SSL everywhere is just good, prudent security or the fruits of a Crypto Derangement Syndrome on the part of a Valley that hopes to secede from the United States (guess which side I took).

We take a long look at the Digital Service and what it has done so far.  Lisa Wiswell brags on “Hacking the Pentagon,” which paid the first bug bounties ever offered by a US government agency.   I congratulate her on avoiding the alternative ‒ filing a STFU lawsuit against the security researchers, unlike some I could mention (*cough* St. Judes *cough*).  This leads to a colloquy on what it will take to fix IT procurement in the US government.  We make a little progress, but find no silver bullets.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_131.mp3
Category:general -- posted at: 11:39am EST

In a law-heavy news roundup, Katie Cassel and I talk about New York’s dangerously prescriptive cybersecurity regs for banks and insurers. Maury Shenk and I uncover the seamy industrial politics behind the EU’s latest copyright and telecom proposals.  The Sixth Circuit deepens a circuit split over standing and how much injury it takes to support a federal data breach lawsuit – and then, oddly, decides not to publish its opinion.  Michael Vatis explains.

In other news, Michael notes that the CFTC has adopted its own very prescriptive cybersecurity testing rules.  At least pen testers should be happy; their specialty is increasingly required by regulators.  Katie hoses me down on the significance of the Ninth Circuit’s latest “failure to warn” decision for section 230 of the Communications Decency Act.  Good news for section 230, not so much for Match.com.

Finally, the FTC continues to vie for the title of federal agency with the least sense of moderation. The FTC is opposing a motion to stay in the LabMD case.  Pending appeal, it wants to impose strict cybersecurity procedures on a business whose servers are probably stored in Mike Daugherty’s garage.  As Winston Churchill said about nuclear weapons, at some point all you’re doing it making the rubble bounce.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Episode_130.mp3
Category:general -- posted at: 4:02pm EST

This week’s podcast interview is with Ciaran Martin, the chief executive of the UK’s National Cyber Security Centre. While the US political climate makes it implausible that the National Security Agency would be asked to head a nationwide cybersecurity center designed to work with the private sector, that’s exactly the job that the United Kingdom given to GCHQ, the British equivalent of NSA. I ask why, and a lot more too.

Direct download: Episode_129a.mp3
Category:general -- posted at: 9:35am EST

In episode 129, Alan Cohn and I dive deep on the Government Oversight Committee’s predictably depressing and unpredictably entertaining report on the OPM hack.  Cheeky Chinese hackers register their control sites to superhero alter egos.  And poor, patriotic Cytech finds an intruder during a sales demo, rushes to provide support without a contract, and ends up not just stiffed but accused of contributing to a violation the Antideficiency Act. The overmatched OPM security team launches a desperate operation Big Bang to oust one team of hackers, while another is safely ensconced in the network, biding its time before exfiltrating all its data.  

And for those who’ve complained that we never talk about cybertax law, a feast:  Steptoe’s premier international tax partner (and head of the firm) explains everything you need to know about the fight between Apple and the EU over Ireland’s tax regime for the company.  I am shocked to discover that Brussels is doing, well, what Brussels usually does.  

Alan and I talk about one more PlayPen decision, United States v. Torres.  It may be the last word on the subject, in part because it’s so sensible (the FBI did perform a search, it had a warrant and probable cause, the warrant didn’t conform to Rule 41, but so what?  No suppression) and in part because the Supreme Court has agreed to change the Rule.  I confidently predict that Sen. Wyden’s effort to stop the rule change will fail.

 

Direct download: Episode_129.mp3
Category:general -- posted at: 11:28am EST

The podcast is back with a bang from hiatus.  Our guest, Scott DePasquale, is the CEO of Utilidata, an electric utility IoT and cybersecurity company.  Scott talks about his contribution to the Internet Security Alliance’s upcoming book, The Cyber Security Social Contract.  

Episode 128 also brings you a news roundup from the most momentous August in cybersecurity history.  Maury Shenk brings the SWIFT hack to life by describing his own brush with cyber bank fraud.   I cover the Shadow Brokers’ disclosure of what most believe to be an NSA hacking toolkit.   Meanwhile, Russia is hacking our political process and only the side whose ox is being gored seems to care.  

The EU, with an instinct for the capillaries, continues to fight the US on these issues.  Privacy Shield is up, and a lot of serious companies are signing up, despite the uncertainties.  Maury and I note the entry of France and Germany into the Great Crypto World War – at a comfortably leisurely pace.  And, in a welcome move, the European Court of Justice has reaffirmed that there are still some (modest and blurry) limits to the assertion of data protection jurisdiction over internet merchants.

The FTC had a busy month.  It served LabMD a mess of home cookin’ and the company is now free to argue its case before an unbiased court of appeals.  Speaking of which, the ninth circuit court of appeals shot down the FTC’s effort to steal the FCC’s common-carrier-regulating turf, and the FTC has finally deigned to notice (and even pat on the head) NIST’s Cybersecurity Framework. 

The UK’s terror watchdog has more or less endorsed the value of bulk collection of personal data.  And Baltimore has put it into effect, adopting an “eye in the sky” technology that has solved serious crimes without harming anyone’s privacy; naturally the privacy lobby is determined to make sure it’s never used again.

In privacy class action news, the lawyers for CareFirst deserve a bonus; they’ve now killed three class action cases (here, here, and here) where the breach was serious but the plaintiffs couldn’t claim that the stolen data was ever used to harm them.  And Judge Koh, to her shame, has approved $4 million in legal fees for the lawyers who brought a class action against Yahoo! and settled for a no-damages injunction that lets Yahoo! keep reading its users emails, but after it’s been sent, not before.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

 

Direct download: Episode_128.mp3
Category:general -- posted at: 10:41am EST

I know we promised to take August off, but I was inspired by the flap over the DNC hack and the fact that I’m at the Aspen Homeland Security Working Group meeting in Colorado. I waylaid two former intelligence community members on the Aspen campus and asked for their views on the DNC hack.  Well, to be accurate, I start the interview by asking whether Putin really has the balls to step into the US electoral campaign in this way.  Answering the question are two men with the perspective of long years dealing with Soviet and then Russian intelligence:  Charles Allen, who became intelligence chief for DHS after a full career at CIA, and John McLaughlin, who ended his career at CIA as the Deputy Director and Acting Director.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.!

Direct download: Episode_127.mp3
Category:general -- posted at: 10:07am EST

If Vladimir Putin can do it, so can we. This week the podcast dives deep into the US presidential campaign.

I of course talk with Maury Shenk about evidence that the Russians are behind “Guccifer 2.0” and the DNC data leak – aided by a Wikileaks that looks more and more like an FSB front.  I compare the largely indistinguishable Dem and GOP platform planks on encryption ‒ and draw a lesson from the straddles:  there’s little doubt that every lobbyist who contributed to the platforms was working for Silicon Valley, so the failure to endorse the Valley’s view may spell trouble for techie triumphalism.  I also spike the football for the Justice Department, whose policy views on the dangers of hacking back were swamped when the GOP called for letting victims of hacking have their way with the hackers.

Our interview this week touches on the insider threat. Andy Irwin describes the new DOD rule requiring contractors to devise insider monitoring plans for cleared personnel, and two industry leaders, Ed Hammersla, CSO of Forcepoint, and Brian White, COO of RedOwl Analytics, talk about what technology can do to spot incipient employee defections and data theft.  A discussion of the role of natural language processing naturally reminds me of George Carlin and the seven dirty words you can’t say on the radio.

In other news, Katie Cassel unpacks another in a long line of increasingly incoherent 9th Circuit rulings on when it violates the CFAA for unwanted visitors to log on to a site.  Katie also explains why the outcome of another data breach lawsuit might persuade Scottrade to change its name to Scot-Free.

Maury updates us on UK politics, from Theresa May’s honeymoon to the possibility that UK data retention law will survive review in the European Court of Justice.  I flag a good (and, sadly, already outdated) House Homeland Security Committee report on 100 ISIS-linked terror plots against the West since 2014, a surprise reprieve for Silent Circle, and Whatsapp’s continuing “If it’s Tuesday we must be shut down; if it’s Wednesday we must be back up” drama in Brazil.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_126.mp3
Category:general -- posted at: 5:28pm EST

In the news roundup, Michael Vatis covers Microsoft’s surprising Second Circuit victory over the Justice Department in litigation over a warrant for data stored in Ireland.  The hidden issue in that case was data localization – the same issue driving the Justice Department’s new legislative proposal to allow foreign nations to obtain information from US data repositories.  That proposal is unpacked by special guest David Kris, former Assistant Attorney General for National Security and author of the treatise, National Security Investigations and Prosecutions.

In other news, LabMD has found yet another defendant in its campaign against Tiversa.  Michael discusses what may be the first judicial decision requiring a warrant to use a Stingray to locate a criminal suspect.  And HHS tries to achieve a plausible policy goal with an overreaching legal interpretation; as Michael explains, the result could be massive unintended consequences.

In quick hits:  more evidence that foreign nations are targeting our energy grid, FDIC engages in a surprisingly successful breach cover-up, a Chinese browser sends data back to China unmolested (all because we still haven’t funded the Europocrisy Prize, I argue), and the cyberwar on ISIS is going slowly, mainly, I argue, because cyberwar on ISIS is not all that good an idea.

What’s the argument in favor of hacking back that is best calculated to infuriate the State Department?  We talk hackback with the father and son team that produced a thoughtful paper on the topic for the Hoover Institution.  Jeremy, a law professor at the Scalia Law School, and his son, Ariel Rabkin, a computer scientist out of Berkeley, have the expertise to deal gracefully and concisely with the policy debate over hacking back.  Their proposal charts a middle ground while cheerfully eviscerating State’s hand-wringing about the international consequences of permitting hacking victims to act outside their networks.  Bonus feature:  lifetime career advice from yours truly!

Our interview is with Jeremy Rabkin and Ariel Rabkin, author of Hacking Back without Cracking Up, published by the Hoover Institution.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_125.mp3
Category:general -- posted at: 9:45am EST

What’s the difference between serving in Congress and spying in the back alleys of a Middle Eastern bazaar?  Why not ask the one Congressman who’s done both – Rep. Will Hurd (R-TX).  He also has cybersecurity chops from his career in industry, so he makes the perfect guest for episode 124a of the podcast.  Just running through his week takes us from the difficulty of setting red lines in cyberspace to what we know about foreign penetration of the Clinton email server.  But we manage as well to cover the declining fortunes of the Massie-Lofgren amendment and the reasons (and possible cures) for the disaster that is federal IT procurement.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_124a.mp3
Category:general -- posted at: 1:27pm EST

This week’s news roundup is dominated by the Ninth Circuit and the European Union.  The EU parliament has approved the Privacy Shield that replaces the Safe Harbor.  Michael Vatis, Alan Cohn and I ask whether companies should seek protection under what may prove to be a pretty leaky Shield.  And the EU has approved cybersecurity rules for critical industries and verdammte amerikanische Unternehmen … er, digital service providers.  You may not like the EU penchant for regulation as a first resort, but Alan and I conclude that the initiative on cybersecurity standard-setting may finally have moved to Brussels.

In Ninth Circuit news, the Nosal case has come back for another round of appellate decision-making, and this time the decision goes against Mr. Nosal.  Michael and I debate whether sharing a password should lead to criminal penalties.  In other news, the lib/left continues its campaign to impose a warrant requirement on reuse of section 702 data.  They’ve already lost in two courts, and my guess from oral argument in US v. Mohammud is that they won’t do better in the third.  

Elsewhere, Russia has finally adopted its aggressive new law regulating digital service providers in the name of fighting terrorism. The FCC privacy regs attract some support from other agencies, notably the FBI and Secret Service.  Silent Circle, already silently circling the drain, has dropped its faddish warrant canary “for business reasons.”  And kudos to Yingmob for its new business model; the Chinese company seems to have combined legitimate adtech business lines with a line of malware that has infected ten million Android phones.  No word yet on whether Yingmob employees can take a break from writing malware to play foosball.  

Our interview with Will Hurd will follow later in the week.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_124.mp3
Category:general -- posted at: 10:01am EST

Edward Snowden criticizes Russia’s mass surveillance law, and a Russian official retaliates by outing him ‒ as a Russian intelligence source. Silent Circle, the phone company that built its marketing on fear and loathing of the NSA, is nearing bankruptcy. And members of the dominant European Parliament faction are asking the Commission, “Hey! How come you keep demanding more data export and privacy concessions from the US without asking for bupkis from China?” And the FBI now has three politically viable paths to win back authority to obtain electronic communications transaction records with a National Security Letter.

Truly, episode 123 feels like a reward for living through 2013.

In other news, Alan Cohn and Katie Cassel report on the Bank for International Settlements’ surprisingly sophisticated cybersecurity standards. I whinge about Bob Litt’s 18 pages of binding commitments to Europe on how the US will conduct intelligence from now on. Alan and I compliment CBP on its technical savvy in easing border clearance ‒ and ponder the role of stools in protecting the homeland.

I report that Belgian courts have reversed a verdict by the local DPA against Facebook, and Maury Shenk comments on broader implications for EU data protection. Katie notes that FTC commissioner Maureen Olhausen continues to tout the advantages of her agency’s “flexible” privacy and security standard and to diss the FCC’s more explicit approach. I mock the ACLU for demanding the right to violate criminal law to get information from private companies and ask if I can do the same to get the ACLU to answer my questions about whether it provides real security for its clients. And Maury reports that China is still rolling out new internet regulations, from online search standards to where to store Chinese citizens’ personal data (China, natch).

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_123.mp3
Category:general -- posted at: 4:05pm EST

Was Iran’s cyberattack that bricked vast numbers of Saudi Aramco computers justified by a similar attack on the National Iranian Oil Company a few months’ earlier? Does NSA have the ability to “replay” and attribute North Korean attacks on companies like Sony? And how do the last six NSA directors stack up against each other? Those and other questions are answered by our guest for episode 122, Fred Kaplan, author of Dark Territory: The Secret History of Cyber War.

In the news roundup, we explore British corollary of the Pottery Barn Rule: “You Brexit, you owns it.” As the UK and the EU struggle to deal with fallout from the historic UK vote, all the incentives seem to be in place for the EU to do what it does best: vindicate the worst instincts of the European elite. In the name of deterring other departures, the EU is unlikely to offer the UK much in the way of concessions. On data protection, for example, Maury Shenk points out that the UK will likely have to keep its current law -- and adapt to the new regulation -- just to avoid a claim that British privacy law is inadequate.

In other news, DHS has released final guidelines for protecting privacy while sharing cyber threat information; I think they’re pretty good.

Michael Vatis and I also puzzle over the dicta adopted in a recent EDVA opinion that the utter insecurity of personal computers leaves users without a reasonable expectation of privacy and allows the FBI to use hackers’ tools without a warrant. I love it when a district court stakes out territory that makes even me feel like a civil libertarian.

The FTC drops a heavy fine on inMobi. Michael points out the much heavier weaponry that COPPA allows the Commission to deploy in privacy cases that involve children. But we have trouble mustering much sympathy for inMobi. 

Finally, we’re still trolling for listener feedback on whether we should go to the trouble of trying to arrange CLE credit for listening to the podcast. Based on reaction so far, we won’t. So if you’d like to get CLE credit for the podcast, it’s time to send your vote to CyberlawPodcast@Steptoe.com.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-122.mp3
Category:general -- posted at: 4:35pm EST

With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies.

In the news roundup, Alan led off with a discussion about Etherium and the DAO, which of course begins by answering the question, “What is Etherium and what is the DAO?” As Alan explains, Etherium is a public blockchain similar to the Bitcoin blockchain, with code written in such a way as to optimize programming of “smart contracts,” self-executing contracts that transmit funds or take other actions based on the occurrence of defined events. Etherium is run by a non-profit organization, the Etherium Foundation, and has its own native currency called Ether. The DAO is an acronym for a “distributed autonomous organization,” which is essentially an organization that can operate in a decentralized manner (for example, on a blockchain) based on its programmed code rather than the actions of any governing individuals. In this instance, “The DAO” is the first of these types of organizations, which was created to fund projects that would work on Etherium. For most of May, people could purchase DAO tokens using Ether, and the DAO tokens gave their holders the ability to vote “Yes” or “No” on funding proposals made to the DAO by companies or individuals wanting to build things. The submission of proposals, the voting, and the funding of projects were all programmed to take place essentially without human intervention, all based on the DAO’s programmed code. (Whew!)

Now for the news—the first major splash made by the DAO was not the funding of its first project, but rather an attacker’s “recursive call” attack which allowed him/her/them to withdraw approximately 3.6 million Ether—worth about $55M at the time of the attack—by exploiting an element of the code meant to allow people to withdraw from the DAO and convert their DAO tokens back to Ether. As Alan explained (and probably needed a glass of water and maybe a snack by this point), the DAO’s creators and the Etherium Foundation were left with only a few responses, none of them ideal—void the attacker’s transactions but by doing so, demonstrate that transactions on a public blockchain can be voided; lock up the funds and figure out the next steps, which probably leads to a voiding of the transaction; roll back the entire Etherium ecosystem to just before the attack (kind of like reverting your iPhone to a backup) but effectively constituting a “bailout” of the DAO; or concluding that “the code is its own documentation” and anything done under the code is permissible, which preserves the integrity of the DAO (and Etherium) but leaves the attacker holding a lot of other peoples’ money.

For listeners who made it through all of that, Jason explained how the New York State Department of Financial Services issued its second BitLicense, this time to Ripple (the global settlement network, not the fortified wine), and at this pace, would get to double digits in terms of BitLicenses issued by 2022. Jason noted that this comes at the same time as industry efforts to focus attention on the dangers inherent in state-by-state licensing systems, although a single federal approach seems far off at this time.

Alan described the European Parliament’s recent resolution concerning virtual currencies, which was hailed as an anti-money laundering and counter terrorism financing action but in fact covers many aspects of virtual currencies and distributed ledger technology. The main headline was Parliament’s call on the European Commission to create a Task Force on virtual currencies. Alan channels Stewart for a moment, noting that the resolution actually says that Parliament “recalls that the internet, despite attempts to promote a multi-stakeholder approach, is still governed by the National Telecommunication and Information Administration, an agency of the United States Department of Commerce.” That must still sting.

Jason notes that the blockchain has also come to DC in a big way, with one day of a three-day symposium run by the Federal Reserve, the World Bank, and the International Monetary Fund dedicated to blockchain. The White House also got into the game, holding a FinTech summit with various White House and Administration officials. The President’s Council of Advisors on Science and Technology heard from industry leaders on blockchain, and the White House Commission on Enhancing National Cybersecurity heard testimony on blockchain technology in one of its first meetings.

Finally, Alan reports on the Central Bank of Canada’s experiment with developing a digital version of the Canadian dollar based on blockchain technology. Dubbed “CAD-coin” and running on the “Jasper” Distributed Ledger Settlement Platform (rather than something more inspired and Canadian, like “Molson”), the Central Bank’s experiment with a private blockchain is meant to “better understand the technology first-hand,” and we applaud them for that.

In the interview, Jamie Smith first debunks rumors that she is, in fact, Satoshi Nakamoto, the original creator of Bitcoin (“We are all Satoshi,” Jamie graciously explains.) Jamie describes how she first got involved in the blockchain space, her experience leaving a comfortable post-Administration job at a global PR firm to join the BitFury Group, and her process of realizing that Bitcoin is not “criminal money” and that blockchain technology can change the world for the better. Jamie describes recent initiatives backed by the BitFury Group, including the Blockchain Trust Accelerator launched in conjunction with the think tank New America and the National Democratic Institute, and the Global Blockchain Business Council. Jamie also describes events at the second Blockchain Summit on Sir Richard Branson’s Necker Island (Jason attended the first Blockchain Summit last year, and Alan attended this year’s Summit). Jamie gives a shout-out to the Blockchain Alliance, the organization co-founded by the Chamber of Digital Commerce and Coin Center to create a forum for the blockchain industry to engage with law enforcement (full disclosure: Steptoe serves as counsel to the Blockchain Alliance and Jason serves as its Director).

Next week, Stewart will be back and the podcast will turn back to cybersecurity issues. As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 (202) 862-5785.

Direct download: PC122w_music.mp3
Category:general -- posted at: 11:09am EST

European hypocrisy on data protection is a lot like the weather. Everyone complains about it but no one does anything about it. Until today.

In episode 120, we announce the launch of the Europocrisy Prize. With the support of TechFreedom, we’re seeking tax deductible donations for a prize designed encourage the proliferation of Schrems-style litigation, but with a twist. We’ll award the prize to anyone who brings complaints that force Europe to apply the same human rights and data export standards to Russia, China, and Saudi Arabia as it applies to the US. More on the prize here.

We’re inspired to this announcement, because as Katie Cassel tells us in the news roundup, the data protection commissioner in Hamburg is hot-dogging on the privacy issue, and with relish. He has imposed fines on US companies for the offense of being caught by surprise when the Safe Harbor went down. Naturally, as far as we can tell, no similar cases have been launched against Russia, China, or any of the other countries that never even bothered to negotiate over privacy with the EU. The Europocrisy Prize, though, should go a long way to even the score.

We’re joined for the news roundup by Paul Rosenzweig of Red Branch Consulting, and he clues us in on the fight over ICANN’s future now being waged in Congress. Meanwhile, Alan Cohn explains why standing is such a high threshold for data breach plaintiffs, leading us to muse on exactly how much harm we can show from the disclosure of our naked pictures on the internet (in contrast to viewers, for whom injury may be presumed).

I highlight a workmanlike opinion from Judge Doumar on the FBI’s remote hacking of child porn aficionados. I also thank Sen. Cornyn and others on the Judiciary Committee for exposing just how little privacy groups care about ECPA reform. Sen. Cornyn has offered an amendment that would give back to the FBI the NSL access they had in 2008 to electronic communications transactions records. In order to keep Sen. Cornyn’s amendment off their reform bill, they’ve apparently ditched the whole bill.

In other privacy misrepresentation news, the UK press is full of headlines claiming that the “controversial” Investigatory Powers Act is moving forward “despite hacking and snooping fears.” Clue for the press: When the House of Commons vote to send a bill to the House of Lords is 444 to 69, calling it “controversial” just makes you look stupid and ideological. Most significantly, the bill goes out of its way to make clear that, if Apple makes the same arguments in the UK that it made against the FBI, it will lose. Tim Cook’s publicity campaign is really paying dividends, eh?

Katie explains the US Justice Department’s proposal to modify US law and streamline the production of electronic evidence to foreign governments. If they do that without extracting an end to EU data export restraints, the DOJ’s license to practice diplomacy should be revoked.

In other news, the French government has convicted Uber and two of its executives of failing to show sufficient respect to French officialdom. And the right to be forgotten turns out to be unworkable (who could have foreseen that!?).

Finally, we poll DHS alumni on whether the department’s cybersecurity organization, NPPD, should be raised to the status of a full-blown DHS component. Suzanne Spaulding will be pleased with the answer.

Note: Our interview with Rep. Will Hurd was delayed at the last moment, so we’re releasing it separately from the episode 120 news roundup.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: E_120.mp3
Category:general -- posted at: 11:32am EST

Our guest for episode 119 is Kevin Kelly, founding executive editor of Wired Magazine and author of The Inevitable: Understanding the 12 Technological Forces that will Shape our Future. Kevin and I share many views – from skepticism about the recording industry’s effort to control their digital files to a similar skepticism about EFF’s effort to control private data – but he is California sunny and I am East Coast dark about where emerging technology trends are taking us. The conversation ranges from Orwell and the Wayback Machine to the disconcerting fluidity and eternal noobie-ness of today’s technological experience. In closing Kevin sketches a quick but valuable glimpse of where technology could take us if it comes from Shenzhen rather than Mountain View, as it likely will.

The news roundup leavens deep thoughts about the future with loose talk about sex and politics. I ask whether the FOIA classification review of Hillary Clinton’s email is compounding the damage done by her use of a homebrew server. I discover the weird connection between leak defenders like Julian Assange and Jacob Appelbaum and sexual extortion – and even offer a theory to explain it (caution: involves threesomes). And we award the Dumbest Journalism of 2016 prize to Jason Leopold, Marcy Wheeler, and Ky Henderson for a VICE article that spends thousands of words trying in vain to justify its headline – and also manages to bury the only interesting news the reporters turned up. (They have pole-dancing competitions in China? And the organizer invited Edward Snowden’s girlfriend to compete, just as Snowden was getting ready to release NSA’s files? Sounds like a great story, but the authors dropped it in favor of tendentious NSA bashing.) And to cap the week off, North Korea cloned Facebook for its nomenklatura, only to have a Scottish teen take it over because the logon credentials were left at “admin” and “password.”

More seriously, I report that USTR will in the future try to negotiate limits on data localization even for financial institutions. Maury Shenk reports on the successful EU jawboning of big American tech companies to crack down on “hate speech” on line.

Organizations whose hate speech has mainly been aimed at Smith v. Maryland and the third party rule had a bad week, I note, as the only circuit to require warrants for cell-site location recedes in an en banc opinion that drastically cuts the Supreme Court’s incentive to grant cert on the issue.

Maury reports on delays to the EU’s Paris-related changes in anti-money-laundering regulation. And I puzzle over the newfound enthusiasm in Republican and cable industry circles for FTC-style privacy regulation.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 119th episode (mp3).

Direct download: Podcast_119.mp3
Category:general -- posted at: 4:19pm EST

Episode 118 digs deep into DARPA’s cybersecurity research program with our guest, Angelos Keromytis, associate professor at Columbia and Program Manager for the Information Innovation Office at DARPA. Angelos paints a rich picture of a future in which we automate attribution across networks and international boundaries and then fuse bits of attribution data as though they were globules of the Terminator reassembling into human form. 

Direct download: Podcast_118.mp3
Category:general -- posted at: 8:20am EST

Our guest, Patrick Gray, is the host of the excellent Risky Business security podcast. He introduces us to the cybersecurity equivalent of decapitation by paper cut and offers a technologist’s take on multiple policy and legal issues. In the news roundup, Michael explains the many plaintiff-friendly rulings obtained by the banks suing Home Depot over its data breach. We wonder whether the rulings are so plaintiff-friendly that the banks will eventually regret their successes. Michael also explains just how deliberately meaningless is the Supreme Court decision in Spokeo, Inc. v. Robins.

Alan Cohn lays out the new DOD rule requiring government contractors to adopt basic cybersecurity measures. Michael explains why the court rejected Mozilla's bid to intervene in the big FBI-child porn case. I cheer Google on in its appeal of the egregious CNIL ruling extending French “right to be forgotten” censorship to the world – and mock the handful of Senators who have gone on record as favoring legislation to overturn the Rule 41 changes and make the internet safe for child exploitation. Finally, Alan explains why the SEC thinks cybersecurity is the top threat to financial systems 

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail toCyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_117.mp3
Category:general -- posted at: 12:56pm EST

Ransomware is the new black. In fact, it’s the new China. So says our guest for episode 116, Dmitri Alperovitch, the CTO and co-founder of CrowdStrike. Dmitri explains why ransomware is so attractive financially – and therefore likely to get much worse very fast. He and I also explore the implications and attribution of the big bank hacks in Vietnam and Bangladesh.

 

In the news roundup, Michael Vatis reports on the new federal trade secrets law. In addition, inspired by the Edelson firm’s sealed complaint against a Chicago-based law firm for cybersecurity failings, Steptoe’s chair emeritus, Roger Warin, charts the legal and strategic terrain of suing law firms for bad security. The hazards of class action litigation in this field are illuminated by the district court’s recent ruling on the Zappos breach, which Michael unpacks for us.

 

Unable as always to resist a sitting duck, I quote the FTC’s condescending Congressional testimony promising to give the FCC the benefit of its 40 years of security expertise. It plans to offer comments on the FCC’s proposed privacy regulations. But the FTC fails to note that in all those 40 years, it has never had occasion to ask anyone for comment on its own privacy or security standards – which are scattered haphazardly across a series of brochures and weblinks and consent decrees. As I point out, that makes it hard not just for companies that want to comply, but also for the FTC, which has no way to amend its outdated security guidance, most notably the bad advice it gave several years ago about requiring employees to change passwords frequently. Maybe it’s time for the FCC to return the favor, and give the FTC the benefit of its own years of experience in actually issuing and taking comment on proposed regulations.

 

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_116.mp3
Category:general -- posted at: 4:46pm EST

Does the FISA court perform a recognizably judicial function when it reviews 702 minimization procedures for compliance with the Fourth amendment? Our guest for episode 115 is Orin Kerr, GWU professor and all-round computer crime guru. Orin and I spend a good part of the interview puzzling over Congress’s mandate that the FISA court review what amounts to a regulation for compliance with an amendment that is usually invoked only in individual cases. Maybe, I suggest, the recent court ruling on 702 minimization and the Fourth amendment doesn’t make sense from an Article III point of view because the FISA judges long ago graduated from deciding cases and controversies to acting as special masters to oversee the intelligence community. We also explore an upcoming Orin Kerr law review piece on how judicial construction of the Fourth amendment should be influenced by statutes that play in the same sandbox. 

In the news roundup, Maury Shenk provides an overview of the data protection logjam now building up in Brussels, including EU Parliament approval of the new US-EU law enforcement agreement. In FTC news, Katilin Cassel explains why Amazon is liable for kids’ in-app purchases; I seize on recent UK government advice not to change passwords too often to mock the FTC for its outmoded advice on the topic and its inability to shed its old guidance gracefully; and Maury and I examine how and why the FTC is enforcing quasi-voluntary privacy regimes like the Privacy Shield/Safe Harbor.

Katie explains HHS’s remarkable new enforcement policy – imposing large fines on health providers who voluntarily disclose a paperwork omission that caused no actual privacy harm. I flag the First Circuit’s decision to create a circuit conflict on the meaning of the Video Privacy Protection Act.

I express astonishment that the tech press continues to think there’s a constitutional problem with forcing someone to use his fingerprint to unlock a phone. The Onion and Operation Vowel Lift also make an appearance.

Direct download: Podcast_115.mp3
Category:general -- posted at: 1:44pm EST

Our guest for episode 114 is General Michael Hayden, former director of the NSA and CIA; he also confirms that he personally wrote every word of his fine book, Playing to the Edge: American Intelligence in the Age of Terror. In a sweeping interview, we cover everything from Jim Comey’s performance at the AG’s hospital bedside (and in the Clinton email investigation) to whether the missed San Diego 9/11 calls were discovered before or after the 215 program was put in place. Along the way, we settle the future of Cyber Command, advise the next president on intelligence, and lay out the price the intelligence community is paying for becoming so darned good at hunting terrorists.

Michael Vatis and I do the news roundup. It’s bad news this week for the same child porn defendants who got good news last week, when a court overturned the search warrant used to search their computers after they visited an FBI-run Tor node. Now, though, the Supreme Court has approved a change to Rule 41 authorizing geographically unbound search warrants in computer cases. Unless Congress comes to their rescue by rejecting the proposed rule change, an unlikely prospect indeed, the new rule will take effect at the end of the year.

Well, that was fast, at least by the standards of Washington lawyers. We’ve gone from attribution to proposed retribution in less than two years. Indictments in 2014 charged that the Chinese government had broken into US Steel’s computer network. Now US Steel is claiming that the hackers stole advanced steel technology and gave it to a Chinese competitor, and it’s asking the International Trade Commission to exclude the competitor’s products from the United States, on the ground that stealing secrets is an unfair trade practice. With the government eager to send a message on commercial cyberespionage, look for plenty fireworks over the next year as the case is brought to judgment.

The big FISA news revolves around notices given to litigants when section 702 played a role in their cases. A rare notice of that kind has been given to an Iraqi refugee accused of traveling to Syria. He has promised a constitutional challenge. Meanwhile, if you’re wondering whether OFAC uses 702 intelligence to issue sanctions, and whether the targets get notice when that happens, the New York Times is fighting to get those answers, using FOIA. It’s losing. Congress is also taking a harder look at 702, with fourteen of the usual suspects asking DNI Clapper to estimate how many Americans’ communications are swept up in the program.

In other news, Michael notes that Nebraska has expanded its breach law to cover more data – and to make sure that the encryption exception only applies to encryption that’s not fatally compromised.

Direct download: Podcast_114.mp3
Category:general -- posted at: 2:34pm EST

No holds are barred as a freewheeling panel of cryptographers and security pros duke it out with me and the Justice Department over going dark, exceptional access, and the Apple-FBI conflict. Among the combatants: Patrick Henry, a notable cryptographer with experience at GCHQ, NSA, and the private sector; Dan Kaminsky, the Chief Scientist at White Ops; Kiran Raj, who is Senior Counsel to the Deputy Attorney General; and Dr. Zulfikar Ramzan the CTO of RSA Security. Our thanks to Catherine Lotrionte who generously agreed to let me record this one-hour panel at her remarkable Annual International Conference on Cyber Engagement.

In the news roundup Maury Shenk discusses the real and mythical import of the UK’s pending surveillance bill, and I mock the journalists who claimed to find scandal in GCHQ’s elaborate compliance regime for access to bulk personal data. Alan Cohn and I return to the Apple-FBI fight, and I can’t help pointing out that Apple, the self-proclaimed champion of security, didn’t bother to tell its customers that it was no longer providing security patches to QuickTime on Windows. Alan manages to explain Apple’s thinking with two words: “on Windows.”

The FBI’s decision to manage a child porn distribution node for a few weeks and prosecute its customers has come a cropper, but not for the reason you might think. Instead, Alan reports, at least one court is now willing to enforce the limits of Rule 41 and declare that a Virginia magistrate cannot issue a search warrant for a computer located in Massachusetts. That ups the stakes for the ongoing effort to amend this problem out of the Federal Rules.

I read an 80-page FISA opinion so you don’t have to. One of the technolibertarians’ favorite proposals – requiring warrants for searches of already-collected 702 data – has now been briefed to the court by one of the first FISA amici. And rejected. The argument was slapped down in an opinion by Judge Hogan. In the old days, government critics would have been able to press such an argument for years; now, thanks to the vigilant FISA amici and the transparency in FISA opinions that they cried for, that argument has suffered a body blow before it has even built up a head of steam.

And, just to show that we yield to no one in condemning abusive government data collection, I brief our listeners on where all the data created by their cheap Chinese drones is ending up – and which government has access to it. Suddenly, European-style data export bans are acquiring a strange new appeal.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_113.mp3
Category:general -- posted at: 11:40am EST

European news and sensibilities dominate episode 112. I indulge in some unseemly gloating about Europe’s newfound enthusiasm for the PNR data it wasted years of my life trying to negotiate out of the US counterterrorism toolbox. I pester our guest, Eric Jensen, about his work on the Tallinn 2.0 manual covering the law of cyberwar; the manual seems to offer an ever-more-European take on cyberweapons and the law of armed conflict. And if you think that’s a compliment, you haven’t been listening.

In other European news, Michael Vatis notes that the European Parliament has formally approved the EU’s sweeping new data protection regulation. And Maury Shenk tells us the Privacy Shield is acquiring a few dents, particularly from the Article 29 Working Party of data protection regulators, who are raising hard questions about US intelligence policy.

The fad for ruling that phone location records can only be obtained with a warrant may be receding. Michael says that another circuit has rejected the claim, while the last circuit to credit the notion has now gone en banc.

There’s better news for privacy campaigners in the House, where the Judiciary Committee has reported out a bill requiring warrants for even very old email content. It will face more scrutiny in the Senate, I predict, and with luck will attract a few balancing amendments that favor law enforcement and intelligence.

In Apple news, the FBI files the world’s shortest brief, saying “Yes we still want the data on that New York iPhone.” Leakers say the FBI hasn't learned much from the unlocked San Bernardino iPhone, a phone which it appears the FBI paid professional hackers a one-time fee to crack.

Alan Cohn and I have fun unpacking a report that the US government has worse cybersecurity than any other industry segment. Among agencies the FTC fares far better than NASA, and I manfully admit that the Commission must be doing something right.

Michael notes that the Seventh Circuit has again found plaintiffs to have standing in a data breach case, this time on grounds that will make future breach notices a lot less user-friendly.

Alan and I offer at least faint praise for the White House Commission on Enhancing National Cybersecurity. And Uber issues a transparency report that (surprise!) does more to serve the company’s interests than to educate the public.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_112.mp3
Category:general -- posted at: 11:51am EST

Just how sophisticated are the nations planning and carrying out cyberattacks on electric grids? Very, is the short answer. Our guest for episode 111, Suzanne Spaulding, DHS’s Under Secretary for the National Protection and Programs Directorate, lays out just how much planning and resources went into the attack on Ukraine’s grid, what it means for US industry, the information sharing that can mitigate the consequences, and why the incident reinforces the need to stand up the Cyber and Infrastructure Protection Agency at DHS.

Our news roundup concentrates on the draft Senate bill on encryption from Senators Burr and Feinstein. Not surprisingly, I find the critics to be mostly off point and occasionally unhinged in inimitable tech-sector fashion. Sen. Wyden condemns the bill, and no one is surprised. The White House ducks a fight over the legislation, and mostly no one cares any more. I offer the view that as more Silicon Valley firms adopt easy, universal, unbreakable crypto, the tide will slowly turn against them, as the list of crypto victims keeps getting longer.

Kaitlin Cassel and Alan Cohn unpack the consequences for law firms of the Mossack Fonseca leak, and Suzanne Spaulding weighs in with advice for the legal profession.

The US adds China’s Internet controls to its list of trade barriers. Kaitlin and I muse on the significance of that step (short term: none; long term: we could see a WTO case against China).

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_111.mp3
Category:general -- posted at: 10:51am EST

Steptoe recently held a client briefing in its Palo Alto office on developments in the Chinese legal and regulatory environment that are impacting US technology companies operating in China. I took advantage of the event to sneak in a quick discussion with Susan Munro and Ying Huang of Steptoe's China practice, on how China is regulating the Internet, with special emphasis on data protection, data localization, and more.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_110.mp3
Category:general -- posted at: 10:45am EST

In episode 109, we interview Perianne Boring of the Chamber of Digital Commerce on the regulatory challenges of bitcoin and the blockchain. In the news roundup, we bring back Apple v. FBI for what we hope will be one last round, as the San Bernardino magistrate voids her All Writs Act motion for mootness and attention shifts to other investigators hoping to crack iPhone security, both in the US and in Europe. 

In a change of pace, I dip into the Hillary Clinton email scandal, wondering whether US intelligence agencies caught foreign spies exploiting Clinton’s unsecured emails on her first trip to Asia. Alan Cohn reminds me that using government networks wouldn’t have exactly guaranteed their security.

Kaitlin Cassel makes her first appearance on the podcast, explaining the FCC’s new ISP privacy rules. We all try, unsuccessfully, to figure out why the FTC is so sure it knows more about privacy and security regulation than the FCC.

Alan and I explore the flap over insider-trading attacks on BigLaw, and I wonder out loud whether the whole story is hype. What’s not hype, however, is a breaking story on the biggest data spill in history, which outs the hidden assets of everyone from Putin cronies to Icelandic pols.

The FBI’s reluctance to expose its investigative techniques to the world did not begin with the iPhone, I remind listeners; the Bureaus is fighting a court order demanding that it turn over its Tor exploit source code to a defendant in a child porn case.

And speaking of “privacy” tools that turn out to be mostly boons for criminals, the US government-funded Tor Project is sinking ever deeper into swamps of human depravity. According to Cloudflare, 94 percent of Tor traffic is per se malicious. And according to other sources, most of the remaining 6% is to child porn and other criminal sites. I’m not sure how many more privacy victories like that the tech world can afford. And if you were wondering whether that’s just a one-off, check out the remarkable story of everyone’s favorite encryption program – which it turns out was mostly created by a Deep Nerd who evolved into a no-kidding, murder-for-hire monster. But don’t worry. I’m sure there’s no connection between a burning desire for privacy and a burning desire to do things abhorred by the overwhelming mass of humankind. It’s probably just a coincidence.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_109.mp3
Category:general -- posted at: 2:27pm EST

It’s an extended news roundup with plenty of debate between me and Nuala O’Connor, the President and CEO of the Center for Democracy and Technology (CDT). We debate whether and how CDT should pay more attention to Chinese technology abuses and examine the EU ministers’ long list of privacy measures to be rolled back and security measures to be beefed up in the wake of the Brussels and Paris Daesh attacks.

Meredith Rathbone reports on the sanctions case of the decade, as ZTE gets hit with a bag full of bricks – or is it marshmallows? – for its role in flouting US export controls. We speculate about why the US danced an enforcement two-step in this case – and who its next dance partner might be.

The Justice Department has launched a second set of indictments against foreign cyber hackers, this time aimed at Iranians who DDOS’s US banks and tried to flood the basements of Rye, NY, suburbanites. Michael Vatis and I speculate on whether other finance ministers might agree that sanctions should be imposed on those who hack banks – and on whether the Southern District will overreach in its forfeiture tactics.

I fume over the French bureaucracy’s claim that it can regulate what Americans are allowed to read on line. Nuala weighs in, and we find ourselves – mirabile dictu – in broad agreement about the dangers of the “right to be forgotten.”

I confess to uncharacteristically muted views about whether NSA should share raw traffic with other agencies. Nuala almost does the same.

And as a palate cleanser, who can resist a bitter, pointless turf fight, complete with public disparagement of one regulator by another? Hatfield v. McCoy? Stalin v. Trotsky? Hamilton v. Burr? They got nothin’ on FTC v. FCC, as FCC Commissioner Ohlhausen makes the imprudent decision to hold up FTC’s inscrutable security regulation as a gold standard – just when LabMD is making it look more like a protection racket.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_108.mp3
Category:general -- posted at: 12:23pm EST

What kind of internet world order does China want, and will it succeed? That’s the question we ask Adam Segal, Maurice R. Greenberg Senior Fellow at the Council on Foreign Relation and author of The Hacked World Order. We review China’s surprising success at getting tech companies to help it build an authoritarian Internet – the technological equivalent of persuading Jello to nail itself to the wall. Meanwhile, every nation, it seems, is busy reasserting sovereignty over cyberspace. Except the United States. Which raises the question whether other countries will decide to assert sovereignty over our cyberspace. We’re the Syria of cyberspace!

In the news roundup, I note that an apparent FBI raid on Tiversa is making the FTC look more and more like the dumb muscle called in to enforce someone else’s shakedown scheme. Imagine Edith Ramirez as The Hulk: “LabMD bad! FTC smash!”

Maury Shenk examines the latest Spanish decision on Google and the Right to Be Forgotten and I conclude that it’s classic TL;DR material.

Turning next to the FBI-Apple fight, I thank the President for opening SXSW for me and muse on his surprisingly strong endorsement of the FBI’s position. I also dissect the “lawyerly” affidavit submitted by Apple to deflect (though not answer) the questions I asked in an earlier blog post.

Maury and I consider whether WhatsApp is likely to be hit with an Apple-style wiretap order due to its strong end-to-end encryption, and I am surprised to hear that WhatsApp may have its own intercept backdoor, which makes an Apple order more likely.

Alan Cohn explains how a lost laptop can cost you $3.9 million. And I claim vindication when the Home Depot breach lawsuits settle at or below the Baker Range of $.50 to $2.00 per victim. Home Depot gets its bill down to $.10 to $.50 per victim – though that’s before the banks take their cut.

If you’re left feeling sorry for the plaintiffs’ bar, though, I have one word for you: malvertising. Alan notes that I’ve waited a lifetime to be able to sue the BBC and New York Times, but that time has come, as both have apparently infected their readers with ransomware.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_107.mp3
Category:general -- posted at: 4:06pm EST

In bonus episode 106, Stewart and Alan interview Phil Reitinger, former DHS Deputy Undersecretary for Cybersecurity and Sony Corporation CISO and current Director of the new Global Cyber Alliance, making up for the famous “lost episode” that Stewart and Alan recorded with Phil on the sidelines of the RSA Conference (“The best interview I ever conducted,” according to Phil).

Stewart first asks Phil about his old organization, DHS’s National Protection and Programs Directorate (NPPD).  Phil waxes eloquent about the triumphs and travails of NPPD, and also wonders what the impact on NPPD will be from President Obama’s recent creation of a Federal Chief Information Security Officer in the Executive Office of the President (Alan wonders—less eloquently—about that too).  Phil also notes that “we are all medieval barbers” when it comes to knowing how to treat today’s cybersecurity ills (“We know where to put the leeches, but that’s about it,” says Phil).

We then get to the meat of the interview.  Alan asks Phil all about the new Global Cyber Alliance, launched in partnership with the Center for Internet Security, the New York County District Attorney’s Office (and its asset forfeiture funds), and the City of London Police Department.  Phil explains that the Alliance will not follow the example of other organizations that are long on talk and short on action, and instead will gather subject matter experts to focus specific things, using the mantra of “Do Something.  Measure It.”  The Alliance will look in particular for issues where the global cyber community has an answer to a problem, but is struggling with implementation; the Alliance will provide the project management backbone to allow ad hoc groups of subject matter experts to drive towards implementation of the solution.  Ultimately, the Alliance wants to move from addressing specific risks to measuring and mitigating systemic cybersecurity risk—for example, the global risk of DDOS attacks— but the Alliance has no intention of leaving discrete problems unsolved while it searches for ways to address systemic problems.  Phil also explains that despite its founding partners, the Alliance will not be solely focused on cybercrime or prosecution issues, but rather will be focused on prevention.

Finally, Stewart and Phil talk about the FTC and FOIA, noting that Steptoe represented Phil in a FOIA action against the FTC to get it to disclose exactly what standards it is holding business to regarding cybersecurity and data privacy.  Phil colorfully explains the different ways in which the FTC told him to “pound sand,” and also throws around fancy legal terms like the “non-delegation doctrine."

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail toCyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_106.mp3
Category:general -- posted at: 10:52am EST

Doing our best to avoid turning this into the Applelaw podcast, episode 105 begins with Maury Shenk unpacking the new US-EU Privacy Shield details.  His take: more hassles for companies accused of noncompliance, more detailed privacy disclosures and compliance obligations for most members, and a modicum of pain for the intelligence community, but it’s still basically the same framework as the Safe Harbor.

Plenty of news from the FTC, as we ask how embarrassed the Commission should be now that one of its “common sense” security requirements has been discredited by its own chief technologist; we also ponder one Commissioner’s decision to weigh in on encryption regulation, and the Commission’s foray into security for the Internet of Things. 

Michael Vatis tells us the significance of the CFPB’s first data security enforcement order and the FCC’s new privacy rules for Internet providers.  Maury brings us mixed news on data protection skirmishes in Germany.  Hamburg’s biggest privacy hot dog looks more like chopped liver after a court ruling undercuts its jurisdictional claims, but Facebook’s “like” button may require its own “I consent” button. 

Finally, we return to the Apple-FBI case, submerge under a flood of amicus briefs, gauge the level of anger in the US government’s brief, and brace for the hearing on March 22.  In other news, I explain what Doris Day can teach us about Tim Cook, and Apple lawyers respond to concerns that China induced Apple to install probably-backdoored encryption algorithms in Chinese iPhones.  Relax, Apple’s lawyers have told journalists, the decision to install secret Chinese government crypto “was a trade issue, not a security issue.”  Well, whew!  No worries then.

In the interview, Alan Cohn and Jason Weinstein talk to Robin Weisman and Peter Van Valkenburgh from Coin Center.  Robin and Peter explain Coin Center’s ongoing work to educate policy makers about digital currencies and blockchain technology, and they correct two of the most common misconceptions about bitcoin – that it’s anonymous and that it’s unregulated.  They also discuss other possible applications for blockchain technology and help us make sense of the debate about private blockchains vs. the bitcoin blockchain. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 
 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

Direct download: Podcast_105.mp3
Category:general -- posted at: 1:33pm EST

Live from RSA, it’s episode 104, with special guest Jim Lewis, CSIS’s renowned cybersecurity expert and Steptoe’s own Alan Cohn.  We do an extended news roundup before an RSA audience that yields several good questions for the panel.  We had invited Bruce Sewell, Apple’s General Counsel, to participate, but he didn’t show.  So we felt no constraint as we alternately criticized and mocked Apple’s legal arguments for not providing assistance to the FBI in gaining access to the San Bernardino terrorist’s phone.  We review the bidding on encryption on Capitol Hill and observe that the anti-regulatory forces have lost ground as a result of the fight Apple has picked. That leads into a discussion of China’s backdoors into the iPhone and Baidu’s role in compromising users of its products.   

We pivot to the latest details on the unfortunately named Privacy Shield,  which apparently is what you call a warmed-over Safe Harbor with a few dispute resolution tweaks.  Jim Lewis speculates on whether Europe is likely to launch an effective attack on the US 702 program.  I advance the theory that Europe is happy to hate US tech companies both for cooperating with law enforcement and for not cooperating with law enforcement.  And as Brazil’s jailing of a Facebook executive shows, that sentiment is not confined to Europe. 

In other news, North Korea’s hacking team has been pantsed in a recent Novetta report that strengthens the FBI’s attribution of the Sony attack – but raises questions about how effectively the administration has deterred continuing North Korean intrusions. 

In response to a question about whether Apple could solve its legal problems by building a phone that Apple itself can’t update, I point out that no one wants an unpatchable phone that can’t accept security updates.   Jim Lewis gives a quick update on his project to give advice to the next administration on cybersecurity.  Jim, Alan, and I offer bets on how long it will take for Internet companies to be regulated for security. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 
 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_104.mp3
Category:general -- posted at: 3:02pm EST

Due to technical difficulties, the interview for the 103rd episode will be released as a separate post next week.  In the news roundup, we explore Apple’s brief against providing additional assistance to the FBI in its investigation of the San Bernardino killings. Michael Vatis finds good and bad in the brief – some entirely plausible arguments about burden mixed with implausible ones aimed more at the public than at the magistrate judge. I suggest that the burden argument may be weaker than it seems, both because the costs can be spread over many requests for assistance and because the accounting of work to be done feels “as padded as a no-bid government contract offer.” Which, now that the FBI has offered to pay Apple’s costs, is pretty much exactly what it is.

In other news, Michael and Jason Weinstein look at the California AG’s breach report, and its unlikely suggestion that the states adopt a unified approach to breach reporting. And I offer highlights and lowlights from the DHS guidelines for information sharing, shining particular light on a troubling proposal that some shared fields will have to be scrubbed by human beings before the information is passed on to at-risk sysadmins. In the words of Silicon Valley, human review doesn’t scale.

As always, the Cyberlaw Podcast welcomes feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_103.mp3
Category:general -- posted at: 11:59am EST

What is the most surprising discovery a law firm partner makes when he jumps to the National Security Agency? I direct that and other questions at Glenn Gerstell, who has just finished six months in the job as General Counsel at the National Security Agency.

In the news roundup, we begin, of course, with the fight between Apple and the Justice Department. I open the discussion by reminding the audience that the war on terror cannot be a war on one of the world’s great religions and insisting that Apple remains a religion of peace. Michael Vatis describes the Justice Department’s latest filing, and we trade for deep discovery, not only at the FBI but also at Apple.

CFIUS has released its annual report – only eighteen months late – and the report shows continuing tough review standards from the Committee, Stephen Heifetz reports. There is no sign yet that Chinese acquisitions will experience a smoother ride in future.

Michael and I report on Google’s new effort to accommodate European data censors by geolocating users of google.com.

Finally, the judiciary is allowing defense lawyers to take a close look at the code used by the FBI to capture data about users of a child porn site seized by the Bureau.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_102.mp3
Category:general -- posted at: 6:18pm EST

The Second Annual Triple Entente Beer Summit again filled the Washington Firehouse loft with an audience at least as knowledgeable as the panel, which consisted of Ben WittesShane Harris,Stewart BakerTamara Cofman Wittes, and Alan Cohn. The Triple Entente Beer Summit brings together members of the LawfareRational Security, and the Steptoe Cyberlaw podcasts.

The topic of the day was the confrontation between Apple and the Justice Department over gaining access to the iPhone used by one of the terrorists responsible for the mass killing in San Bernardino, California. Suffice it to say that the podcast was not sponsored by Apple, nor will it be any time prior to the heat death of the universe.

We also dig into the Nitro Zeus story, claiming that in 2009 the United States prepared a massive cyberattack on Iran as an alternative to kinetic action in the event that nuclear talks failed and Iran began a nuclear breakout.

Finally, the panel explores the administration’s rekindled enthusiasm for CVE – countering violent extremism. We provide a definitive answer to the question, “Do we need more GS-14s tweeting on terrorism?” And Tamara Wittes challenges us to find the difference between late Obama and late Bush in the messaging department.

Then the audience takes over, greatly raising the tone of the podcast with a series of thoughtful questions for the panel.

It was a fine evening, and we look forward to another reunion soon.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Podcast_101.mp3
Category:general -- posted at: 12:06pm EST

We devote episode 100 to “section 702” intelligence – the highly productive counterterrorism program that collects data on foreigners from data stored on US servers. What’s remarkable about the program is its roots: President Bush’s decision to ignore the clear language of FISA and implement collection without judicial approval. That decision has now been ratified by Congress – and will be ratified again in 2017 when the authority for it ends. But what does it say about the future of intelligence under law that our most productive innovation in intelligence only came about because the law was broken?

Our guest for the episode, David Kris, thinks that President Bush might have been able to persuade Congress to approve the program in 2001 if he’d asked. David may be right; he is a former Assistant Attorney General for National Security, the coauthor of the premier sourcebook on intelligence under law, "National Security Investigations & Prosecutions,” and the General Counsel of Intellectual Ventures. But what I find surprising is how little attention has been paid to the question. How about it? Is George Bush to FISA what Abraham Lincoln was to habeas corpus?

My interview with David leaves Lincoln to the history books and instead focuses entirely on section 702. David lays out the half-dozen issues likely to be addressed during the debate over reauthorization, including the risk that the legislation will attract efforts to limit overseas signals intelligence, now governed mainly by Executive Order 12333. He then pivots to the issues he thinks Congress should grapple with but probably won’t – from the growing ambiguity of location as a proxy for US citizenship to the failure of current intelligence law to adequately extract intelligence from the technologies that have emerged since 9/11, particularly social media and advertising technology.

In the news roundup, Maury Shenk and Michael Vatis take us deep into the US-EU agreement on “Privacy Shield” – a replacement for the Safe Harbor. The short version: there’s many a slip twixt cup and lip, but the EU has once again taken off the table its unenforceable threat to stop transatlantic data flows.

In other news, Michael and Alan explain how HIPAA became a divorce lawyer’s dream weapon.

The Brits, meanwhile, are lapping the United States in creative use of intelligence law. Maury and Michael explore how the UK proposes to bring the big webmail providers to heel.

I note the controversy at Berkeley over some garden-variety network monitoring, adopted in response to a serious health data breach. University academics are appalled to discover that protecting patient privacy might limit their ability to do what they want on university networks. HIPAA enforcers v. entitled academic lefties: all I ask is more popcorn.

Hey, remember Norse Security, the company that went to the press to say that the FBI was all wet when it attributed the Sony attack to North Korea? Well, Norse imploded last week, after a laid-off employee’s published criticisms were amplified by security blogger Brian Krebs. Choicest bit from the Norse co-founder’s post: the company’“demonstrat[es] how today’s media can be manipulated by persons to suit their purposes or personal vendettas and how facts can be misrepresented to lead an entire industry astray.” Yep. You know what they say: Live by the flashy but inaccurate press report, die by the flashy but inaccurate press report.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_100.mp3
Category:general -- posted at: 3:30pm EST

Our guest is Amit Ashkenazi, whom I interviewed while in Israel.  Amit is Legal Advisor of The Israel National Cyber Bureau and a former general counsel to Israel’s data protection agency.  Israel is drafting its own cybersecurity act, and we discuss what if anything that country can learn from the US debate – and what the US can learn from Israel’s cybersecurity experience.  We explore the challenges Israel will face in trying to start a new cybersecurity agency, how Israel strikes the balance between security and privacy, the risks of using contractors to staff a new agency, the danger of stating agency authorities with too much specificity, and why the agency is likely to look more like DHS than the FBI. 

In the news roundup, I discuss the dynamics of the Safe Harbor talks with Maury Shenk, boldly predicting that the EU will cave on the remaining issues once it’s convinced the US means business.

Jason Weinstein and I talk about the Judicial Redress Act and the gratifying Senate Judiciary Committee amendment – an amendment that the EU must have seen as a bad sign for the future if the Safe Harbor talks fail.  The Act is intended to facilitate the Justice Department’s “umbrella” agreement over data protection and law enforcement.  We conclude that it is a largely one-sided set of concessions by the United States in return for an illusory “data peace in our time.”  We nonetheless find a fine reason for the Obama administration to have accepted all these limits. 

Alan Cohn and I check in on the status of DHS’s Einstein cyberdefense  
program and the reasons why GAO has criticized its progress.  And we close with a bit of “dog bites man” crypto news

As always, the Cyberlaw Podcast welcomes feedback.  Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_99.mp3
Category:general -- posted at: 6:51pm EST

If there really is another crypto war in Washington, then this week’s podcast features several war correspondents and at least one victim of PTSD.  Our guest is Melanie Teplinsky, former cybersecurity lawyer at Steptoe, adjunct professor at American University’s Washington College of Law, advisory board member for Crowdstrike, and a regular columnist on privacy and security issues for the Christian Science Monitor.  

We cover crypto news from Davos to the New York legislature.  We also discuss my latest policy provocation, designed to unveil yet another example of European hypocrisy where privacy, data protection, and the United States are concerned.  Inspired by the still-stalled Safe Harbor talks, I announce plans to award a Europocrisy Prize for filings that force European data protection authorities to assess the adequacy of surveillance law in important European trading partners who aren’t the United States, such as China, Russia, Saudia Arabia, and Algeria.  Amazingly, in twenty years of bitter attacks on US privacy adequacy, that’s never been done. 

We dig into several developments in the world of litigation.  Michael Vatis and Alan Cohn discuss several new cases:  a lawsuit claiming that fake emails should be covered by a forgery insurance policy, a hacked casino’s effort to recover from the security consultant that incorrectly told the casino its security problems had been solved, and a Minnesota decision that shoots down still more creative arguments for injury from the breach plaintiff’s bar.   

Michael tells us why the FBI isn’t apologizing for running a child porn site for two weeks in order to catch pedophiles.  And I predict with a bit of enthusiasm that the Senate Judiciary Committee will add more conditions to the Judicial Redress Act, as Congressional patience with Europocrisy begins to wear thin.   

Finally, Alan reveals that the Obama administration has just created the worst Schedule C job in government.  

Direct download: Podcast_98.mp3
Category:general -- posted at: 12:38pm EST

Back for a rematch, John Lynch and I return to the “hackback” debate in episode 97, with Jim Lewis of CSIS providing color commentary. John Lynch is the head of the Justice Department’s computer crime section. We find more common ground than might be expected but plenty of conflict as well. I suggest that Sheriff Arpaio in Arizona may soon be dressing hackers in pink while deputizing backhackers, while Jim Lewis focuses on the risk of adverse foreign government reactions. We also consider when it’s lawful to use “web beacons” and whether trusted security professionals should be given more leeway to take action outside their customers’ networks. In response to suggestions that those who break into hacker hop points might be sued by the third parties who nominally own those hop points, I suggest that those parties could face counterclaims for negligence. We close with a surprisingly undogmatic discussion of Justice Department “no-action letters” for computer security practitioners considering novel forms of active defense. 

In the news roundup, Alan Cohn and I consider whether Twitter should worry about being sued for providing material support to ISIS.  Answer:  Yes, at least a little.  Tim Cook, too, for that matter.  

Meredith Rathbone leads us through the Wassenaar wilderness, providing glimpses of a promised land.  And Maury Shenk brings good news for sane corporate security programs from the unlikeliest of sources – the European Court of Human Rights.   

Maury reports incremental progress on cybersecurity in the only law-writing process that makes Congress’s adoption of the Cyber Security Act look expeditious.  

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 
 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

Direct download: PC_97.mp3
Category:general -- posted at: 12:57pm EST

How do you graduate as a conservative with two Harvard degrees? We learn this and much more from Sen. Tom Cotton (R-AR), our guest for episode 96 . We dive deep with the Senator on the 215 metadata program and its USA FREEDOM Act replacement. We ask what the future holds for the 702 program, one of the most important counterterrorism programs and just entering yet another round of jockeying over renewal; Sen. Cotton has already come out in favor of making the program permanent. To round things out, Sen. Cotton assesses the risks of Going Dark for our intelligence community and the difficulties that the Safe Harbor negotiations pose for US intelligence.

In the news roundup, evidence mounts that someone has hacked the Ukrainian electric grid.  Michael isn’t ready to point the finger at Russia yet; but I pretty much am. Whoever gets the blame, this probably means another aspirational cyberwar norm down the tubes.

In the United Kingdom, US tech firms are lobbying against a security bill, but Maury Shenk questions whether they’re mainly complaining about rules that are already part of UK law.

In the US, administration officials and Silicon Valley are happy talking about cooperation to discourage terrorist use of social media, but Michael isn’t sure what will come of the effort. I unveil a half-baked proposal to activate a Mom Squad, on the theory that the best weapon against radicalization of adolescents is letting their parents know what they’re up to. Michael reminds me that the government can’t tell Mom without getting a search warrant for private content, just as my daughter calls to say she’s been reading my blog and I need an intervention.

File this one in the bulging folder labeled “Privacy protects the privileged”: Volkswagen says it can’t comply with US government investigative demands because of the privacy of its employees – apparently including the privacy of employees who lied to US investigators. Maury and I explore VW’s data protection justifications, all of which seem, well, arguable.

And in short takes, as predicted, Justice wants to moot the Klayman/Leon victory over NSA. Meanwhile, NSA's General Counsel makes his maiden public statement in Lawfare, and says a few things that the Cruz campaign will welcome. Defense counsel are making explosive charges against the FBI’s handling of a child porn investigation. And in the tastiest privacy irony of the week, the EU’s otherwise pointless "cookie notice" requirement turns out to be great news for malware distributors, if no one else. Where would we be without the steady hand of wise European data protection officials?

Finally, after weeks of cajoling, our listeners have come through. We have entries in the iTunes podcast reviews, and we’re averaging five stars. Many thanks!

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the ninety-sixth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: Podcast_96.mp3
Category:general -- posted at: 1:09pm EST

We’re back from hiatus with a boatload of news and a cautiously libertarian technologist guest in Nick Weaver of the International Computer Science Institute in Berkeley.  To start Episode 95 of the podcast, Michael Vatis and I plumb the meaning of the Cyber Security Act’s passage.  The big news?  Apparently Santa is real, state laws prohibiting employer access to social media credentials may have been preempted, at least a bit, and ISPs just got new authority to monitor traffic to find bits that threaten other people.  Now if we could just find something useful to do with the defensive measures provision … 

Maury Shenk and Alan Cohn dig into the latest deal moving a new European data protection regulation forward – and the slow-motion disaster around the Safe Harbor. 

Maury and Michael note that the encryption debate just won’t stay dead, no matter how much Silicon Valley keeps pounding the stake into its heart.  In addition to the FBI, tech companies are seeing a whole bunch of new eyes gleaming in the dark – China’s new security law, Pakistan’s fight with Blackberry, the new UK legislation, and Brazil’s shot across Whatsapp’s bow.  In every case, government has crowded Silicon Valley hard for more cooperation on access to customer data – but without (quite) insisting on a built-in backdoor.   

Speaking of governments, Michael tells us that regulators closed 2015 with a bang, with HIPAA, COPPA, and order-enforcement fines up to $100 million.  And Alan points to the CFTC’s new testing rules, which I contend may have smuggled something close to strict security liability into the Federal Register.   

Michael brings us up to date on the never-ending turmoil over what access in excess of authorization means under the CFAA.  None of us are surprised that courts think it includes access in violation of a court order

The interview with Nick Weaver explores the charms and evils of bulk surveillance, not to mention its inevitability.  Nick analyzes the two Silicon Valley business models – which he shorthands as selling shiny stuff and selling people’s souls.  (Guess which model he disapproves of.)  Which leads us to the question of tracking terrorists as though we wanted to sell them beheading videos.  Call it Son of 702.  Which leads me to ask how soon it will be before the government blocks the sale of an online ad network to China on national security grounds.

Direct download: Podcast_95.mp3
Category:general -- posted at: 10:26am EST

1