Steptoe Cyberlaw Podcast

It’s an extended news roundup with plenty of debate between me and Nuala O’Connor, the President and CEO of the Center for Democracy and Technology (CDT). We debate whether and how CDT should pay more attention to Chinese technology abuses and examine the EU ministers’ long list of privacy measures to be rolled back and security measures to be beefed up in the wake of the Brussels and Paris Daesh attacks.

Meredith Rathbone reports on the sanctions case of the decade, as ZTE gets hit with a bag full of bricks – or is it marshmallows? – for its role in flouting US export controls. We speculate about why the US danced an enforcement two-step in this case – and who its next dance partner might be.

The Justice Department has launched a second set of indictments against foreign cyber hackers, this time aimed at Iranians who DDOS’s US banks and tried to flood the basements of Rye, NY, suburbanites. Michael Vatis and I speculate on whether other finance ministers might agree that sanctions should be imposed on those who hack banks – and on whether the Southern District will overreach in its forfeiture tactics.

I fume over the French bureaucracy’s claim that it can regulate what Americans are allowed to read on line. Nuala weighs in, and we find ourselves – mirabile dictu – in broad agreement about the dangers of the “right to be forgotten.”

I confess to uncharacteristically muted views about whether NSA should share raw traffic with other agencies. Nuala almost does the same.

And as a palate cleanser, who can resist a bitter, pointless turf fight, complete with public disparagement of one regulator by another? Hatfield v. McCoy? Stalin v. Trotsky? Hamilton v. Burr? They got nothin’ on FTC v. FCC, as FCC Commissioner Ohlhausen makes the imprudent decision to hold up FTC’s inscrutable security regulation as a gold standard – just when LabMD is making it look more like a protection racket.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_108.mp3
Category:general -- posted at: 12:23pm EST

What kind of internet world order does China want, and will it succeed? That’s the question we ask Adam Segal, Maurice R. Greenberg Senior Fellow at the Council on Foreign Relation and author of The Hacked World Order. We review China’s surprising success at getting tech companies to help it build an authoritarian Internet – the technological equivalent of persuading Jello to nail itself to the wall. Meanwhile, every nation, it seems, is busy reasserting sovereignty over cyberspace. Except the United States. Which raises the question whether other countries will decide to assert sovereignty over our cyberspace. We’re the Syria of cyberspace!

In the news roundup, I note that an apparent FBI raid on Tiversa is making the FTC look more and more like the dumb muscle called in to enforce someone else’s shakedown scheme. Imagine Edith Ramirez as The Hulk: “LabMD bad! FTC smash!”

Maury Shenk examines the latest Spanish decision on Google and the Right to Be Forgotten and I conclude that it’s classic TL;DR material.

Turning next to the FBI-Apple fight, I thank the President for opening SXSW for me and muse on his surprisingly strong endorsement of the FBI’s position. I also dissect the “lawyerly” affidavit submitted by Apple to deflect (though not answer) the questions I asked in an earlier blog post.

Maury and I consider whether WhatsApp is likely to be hit with an Apple-style wiretap order due to its strong end-to-end encryption, and I am surprised to hear that WhatsApp may have its own intercept backdoor, which makes an Apple order more likely.

Alan Cohn explains how a lost laptop can cost you $3.9 million. And I claim vindication when the Home Depot breach lawsuits settle at or below the Baker Range of $.50 to $2.00 per victim. Home Depot gets its bill down to $.10 to $.50 per victim – though that’s before the banks take their cut.

If you’re left feeling sorry for the plaintiffs’ bar, though, I have one word for you: malvertising. Alan notes that I’ve waited a lifetime to be able to sue the BBC and New York Times, but that time has come, as both have apparently infected their readers with ransomware.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_107.mp3
Category:general -- posted at: 4:06pm EST

In bonus episode 106, Stewart and Alan interview Phil Reitinger, former DHS Deputy Undersecretary for Cybersecurity and Sony Corporation CISO and current Director of the new Global Cyber Alliance, making up for the famous “lost episode” that Stewart and Alan recorded with Phil on the sidelines of the RSA Conference (“The best interview I ever conducted,” according to Phil).

Stewart first asks Phil about his old organization, DHS’s National Protection and Programs Directorate (NPPD).  Phil waxes eloquent about the triumphs and travails of NPPD, and also wonders what the impact on NPPD will be from President Obama’s recent creation of a Federal Chief Information Security Officer in the Executive Office of the President (Alan wonders—less eloquently—about that too).  Phil also notes that “we are all medieval barbers” when it comes to knowing how to treat today’s cybersecurity ills (“We know where to put the leeches, but that’s about it,” says Phil).

We then get to the meat of the interview.  Alan asks Phil all about the new Global Cyber Alliance, launched in partnership with the Center for Internet Security, the New York County District Attorney’s Office (and its asset forfeiture funds), and the City of London Police Department.  Phil explains that the Alliance will not follow the example of other organizations that are long on talk and short on action, and instead will gather subject matter experts to focus specific things, using the mantra of “Do Something.  Measure It.”  The Alliance will look in particular for issues where the global cyber community has an answer to a problem, but is struggling with implementation; the Alliance will provide the project management backbone to allow ad hoc groups of subject matter experts to drive towards implementation of the solution.  Ultimately, the Alliance wants to move from addressing specific risks to measuring and mitigating systemic cybersecurity risk—for example, the global risk of DDOS attacks— but the Alliance has no intention of leaving discrete problems unsolved while it searches for ways to address systemic problems.  Phil also explains that despite its founding partners, the Alliance will not be solely focused on cybercrime or prosecution issues, but rather will be focused on prevention.

Finally, Stewart and Phil talk about the FTC and FOIA, noting that Steptoe represented Phil in a FOIA action against the FTC to get it to disclose exactly what standards it is holding business to regarding cybersecurity and data privacy.  Phil colorfully explains the different ways in which the FTC told him to “pound sand,” and also throws around fancy legal terms like the “non-delegation doctrine."

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail toCyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_106.mp3
Category:general -- posted at: 10:52am EST

Doing our best to avoid turning this into the Applelaw podcast, episode 105 begins with Maury Shenk unpacking the new US-EU Privacy Shield details.  His take: more hassles for companies accused of noncompliance, more detailed privacy disclosures and compliance obligations for most members, and a modicum of pain for the intelligence community, but it’s still basically the same framework as the Safe Harbor.

Plenty of news from the FTC, as we ask how embarrassed the Commission should be now that one of its “common sense” security requirements has been discredited by its own chief technologist; we also ponder one Commissioner’s decision to weigh in on encryption regulation, and the Commission’s foray into security for the Internet of Things. 

Michael Vatis tells us the significance of the CFPB’s first data security enforcement order and the FCC’s new privacy rules for Internet providers.  Maury brings us mixed news on data protection skirmishes in Germany.  Hamburg’s biggest privacy hot dog looks more like chopped liver after a court ruling undercuts its jurisdictional claims, but Facebook’s “like” button may require its own “I consent” button. 

Finally, we return to the Apple-FBI case, submerge under a flood of amicus briefs, gauge the level of anger in the US government’s brief, and brace for the hearing on March 22.  In other news, I explain what Doris Day can teach us about Tim Cook, and Apple lawyers respond to concerns that China induced Apple to install probably-backdoored encryption algorithms in Chinese iPhones.  Relax, Apple’s lawyers have told journalists, the decision to install secret Chinese government crypto “was a trade issue, not a security issue.”  Well, whew!  No worries then.

In the interview, Alan Cohn and Jason Weinstein talk to Robin Weisman and Peter Van Valkenburgh from Coin Center.  Robin and Peter explain Coin Center’s ongoing work to educate policy makers about digital currencies and blockchain technology, and they correct two of the most common misconceptions about bitcoin – that it’s anonymous and that it’s unregulated.  They also discuss other possible applications for blockchain technology and help us make sense of the debate about private blockchains vs. the bitcoin blockchain. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 
 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

Direct download: Podcast_105.mp3
Category:general -- posted at: 1:33pm EST

Live from RSA, it’s episode 104, with special guest Jim Lewis, CSIS’s renowned cybersecurity expert and Steptoe’s own Alan Cohn.  We do an extended news roundup before an RSA audience that yields several good questions for the panel.  We had invited Bruce Sewell, Apple’s General Counsel, to participate, but he didn’t show.  So we felt no constraint as we alternately criticized and mocked Apple’s legal arguments for not providing assistance to the FBI in gaining access to the San Bernardino terrorist’s phone.  We review the bidding on encryption on Capitol Hill and observe that the anti-regulatory forces have lost ground as a result of the fight Apple has picked. That leads into a discussion of China’s backdoors into the iPhone and Baidu’s role in compromising users of its products.   

We pivot to the latest details on the unfortunately named Privacy Shield,  which apparently is what you call a warmed-over Safe Harbor with a few dispute resolution tweaks.  Jim Lewis speculates on whether Europe is likely to launch an effective attack on the US 702 program.  I advance the theory that Europe is happy to hate US tech companies both for cooperating with law enforcement and for not cooperating with law enforcement.  And as Brazil’s jailing of a Facebook executive shows, that sentiment is not confined to Europe. 

In other news, North Korea’s hacking team has been pantsed in a recent Novetta report that strengthens the FBI’s attribution of the Sony attack – but raises questions about how effectively the administration has deterred continuing North Korean intrusions. 

In response to a question about whether Apple could solve its legal problems by building a phone that Apple itself can’t update, I point out that no one wants an unpatchable phone that can’t accept security updates.   Jim Lewis gives a quick update on his project to give advice to the next administration on cybersecurity.  Jim, Alan, and I offer bets on how long it will take for Internet companies to be regulated for security. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 
 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_104.mp3
Category:general -- posted at: 3:02pm EST

Due to technical difficulties, the interview for the 103rd episode will be released as a separate post next week.  In the news roundup, we explore Apple’s brief against providing additional assistance to the FBI in its investigation of the San Bernardino killings. Michael Vatis finds good and bad in the brief – some entirely plausible arguments about burden mixed with implausible ones aimed more at the public than at the magistrate judge. I suggest that the burden argument may be weaker than it seems, both because the costs can be spread over many requests for assistance and because the accounting of work to be done feels “as padded as a no-bid government contract offer.” Which, now that the FBI has offered to pay Apple’s costs, is pretty much exactly what it is.

In other news, Michael and Jason Weinstein look at the California AG’s breach report, and its unlikely suggestion that the states adopt a unified approach to breach reporting. And I offer highlights and lowlights from the DHS guidelines for information sharing, shining particular light on a troubling proposal that some shared fields will have to be scrubbed by human beings before the information is passed on to at-risk sysadmins. In the words of Silicon Valley, human review doesn’t scale.

As always, the Cyberlaw Podcast welcomes feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_103.mp3
Category:general -- posted at: 11:59am EST

1