Steptoe Cyberlaw Podcast

No holds are barred as a freewheeling panel of cryptographers and security pros duke it out with me and the Justice Department over going dark, exceptional access, and the Apple-FBI conflict. Among the combatants: Patrick Henry, a notable cryptographer with experience at GCHQ, NSA, and the private sector; Dan Kaminsky, the Chief Scientist at White Ops; Kiran Raj, who is Senior Counsel to the Deputy Attorney General; and Dr. Zulfikar Ramzan the CTO of RSA Security. Our thanks to Catherine Lotrionte who generously agreed to let me record this one-hour panel at her remarkable Annual International Conference on Cyber Engagement.

In the news roundup Maury Shenk discusses the real and mythical import of the UK’s pending surveillance bill, and I mock the journalists who claimed to find scandal in GCHQ’s elaborate compliance regime for access to bulk personal data. Alan Cohn and I return to the Apple-FBI fight, and I can’t help pointing out that Apple, the self-proclaimed champion of security, didn’t bother to tell its customers that it was no longer providing security patches to QuickTime on Windows. Alan manages to explain Apple’s thinking with two words: “on Windows.”

The FBI’s decision to manage a child porn distribution node for a few weeks and prosecute its customers has come a cropper, but not for the reason you might think. Instead, Alan reports, at least one court is now willing to enforce the limits of Rule 41 and declare that a Virginia magistrate cannot issue a search warrant for a computer located in Massachusetts. That ups the stakes for the ongoing effort to amend this problem out of the Federal Rules.

I read an 80-page FISA opinion so you don’t have to. One of the technolibertarians’ favorite proposals – requiring warrants for searches of already-collected 702 data – has now been briefed to the court by one of the first FISA amici. And rejected. The argument was slapped down in an opinion by Judge Hogan. In the old days, government critics would have been able to press such an argument for years; now, thanks to the vigilant FISA amici and the transparency in FISA opinions that they cried for, that argument has suffered a body blow before it has even built up a head of steam.

And, just to show that we yield to no one in condemning abusive government data collection, I brief our listeners on where all the data created by their cheap Chinese drones is ending up – and which government has access to it. Suddenly, European-style data export bans are acquiring a strange new appeal.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_113.mp3
Category:general -- posted at: 11:40am EST

European news and sensibilities dominate episode 112. I indulge in some unseemly gloating about Europe’s newfound enthusiasm for the PNR data it wasted years of my life trying to negotiate out of the US counterterrorism toolbox. I pester our guest, Eric Jensen, about his work on the Tallinn 2.0 manual covering the law of cyberwar; the manual seems to offer an ever-more-European take on cyberweapons and the law of armed conflict. And if you think that’s a compliment, you haven’t been listening.

In other European news, Michael Vatis notes that the European Parliament has formally approved the EU’s sweeping new data protection regulation. And Maury Shenk tells us the Privacy Shield is acquiring a few dents, particularly from the Article 29 Working Party of data protection regulators, who are raising hard questions about US intelligence policy.

The fad for ruling that phone location records can only be obtained with a warrant may be receding. Michael says that another circuit has rejected the claim, while the last circuit to credit the notion has now gone en banc.

There’s better news for privacy campaigners in the House, where the Judiciary Committee has reported out a bill requiring warrants for even very old email content. It will face more scrutiny in the Senate, I predict, and with luck will attract a few balancing amendments that favor law enforcement and intelligence.

In Apple news, the FBI files the world’s shortest brief, saying “Yes we still want the data on that New York iPhone.” Leakers say the FBI hasn't learned much from the unlocked San Bernardino iPhone, a phone which it appears the FBI paid professional hackers a one-time fee to crack.

Alan Cohn and I have fun unpacking a report that the US government has worse cybersecurity than any other industry segment. Among agencies the FTC fares far better than NASA, and I manfully admit that the Commission must be doing something right.

Michael notes that the Seventh Circuit has again found plaintiffs to have standing in a data breach case, this time on grounds that will make future breach notices a lot less user-friendly.

Alan and I offer at least faint praise for the White House Commission on Enhancing National Cybersecurity. And Uber issues a transparency report that (surprise!) does more to serve the company’s interests than to educate the public.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_112.mp3
Category:general -- posted at: 11:51am EST

Just how sophisticated are the nations planning and carrying out cyberattacks on electric grids? Very, is the short answer. Our guest for episode 111, Suzanne Spaulding, DHS’s Under Secretary for the National Protection and Programs Directorate, lays out just how much planning and resources went into the attack on Ukraine’s grid, what it means for US industry, the information sharing that can mitigate the consequences, and why the incident reinforces the need to stand up the Cyber and Infrastructure Protection Agency at DHS.

Our news roundup concentrates on the draft Senate bill on encryption from Senators Burr and Feinstein. Not surprisingly, I find the critics to be mostly off point and occasionally unhinged in inimitable tech-sector fashion. Sen. Wyden condemns the bill, and no one is surprised. The White House ducks a fight over the legislation, and mostly no one cares any more. I offer the view that as more Silicon Valley firms adopt easy, universal, unbreakable crypto, the tide will slowly turn against them, as the list of crypto victims keeps getting longer.

Kaitlin Cassel and Alan Cohn unpack the consequences for law firms of the Mossack Fonseca leak, and Suzanne Spaulding weighs in with advice for the legal profession.

The US adds China’s Internet controls to its list of trade barriers. Kaitlin and I muse on the significance of that step (short term: none; long term: we could see a WTO case against China).

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_111.mp3
Category:general -- posted at: 10:51am EST

Steptoe recently held a client briefing in its Palo Alto office on developments in the Chinese legal and regulatory environment that are impacting US technology companies operating in China. I took advantage of the event to sneak in a quick discussion with Susan Munro and Ying Huang of Steptoe's China practice, on how China is regulating the Internet, with special emphasis on data protection, data localization, and more.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_110.mp3
Category:general -- posted at: 10:45am EST

In episode 109, we interview Perianne Boring of the Chamber of Digital Commerce on the regulatory challenges of bitcoin and the blockchain. In the news roundup, we bring back Apple v. FBI for what we hope will be one last round, as the San Bernardino magistrate voids her All Writs Act motion for mootness and attention shifts to other investigators hoping to crack iPhone security, both in the US and in Europe. 

In a change of pace, I dip into the Hillary Clinton email scandal, wondering whether US intelligence agencies caught foreign spies exploiting Clinton’s unsecured emails on her first trip to Asia. Alan Cohn reminds me that using government networks wouldn’t have exactly guaranteed their security.

Kaitlin Cassel makes her first appearance on the podcast, explaining the FCC’s new ISP privacy rules. We all try, unsuccessfully, to figure out why the FTC is so sure it knows more about privacy and security regulation than the FCC.

Alan and I explore the flap over insider-trading attacks on BigLaw, and I wonder out loud whether the whole story is hype. What’s not hype, however, is a breaking story on the biggest data spill in history, which outs the hidden assets of everyone from Putin cronies to Icelandic pols.

The FBI’s reluctance to expose its investigative techniques to the world did not begin with the iPhone, I remind listeners; the Bureaus is fighting a court order demanding that it turn over its Tor exploit source code to a defendant in a child porn case.

And speaking of “privacy” tools that turn out to be mostly boons for criminals, the US government-funded Tor Project is sinking ever deeper into swamps of human depravity. According to Cloudflare, 94 percent of Tor traffic is per se malicious. And according to other sources, most of the remaining 6% is to child porn and other criminal sites. I’m not sure how many more privacy victories like that the tech world can afford. And if you were wondering whether that’s just a one-off, check out the remarkable story of everyone’s favorite encryption program – which it turns out was mostly created by a Deep Nerd who evolved into a no-kidding, murder-for-hire monster. But don’t worry. I’m sure there’s no connection between a burning desire for privacy and a burning desire to do things abhorred by the overwhelming mass of humankind. It’s probably just a coincidence.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_109.mp3
Category:general -- posted at: 2:27pm EST

1