Wed, 25 May 2016
Our guest, Patrick Gray, is the host of the excellent Risky Business security podcast. He introduces us to the cybersecurity equivalent of decapitation by paper cut and offers a technologist’s take on multiple policy and legal issues. In the news roundup, Michael explains the many plaintiff-friendly rulings obtained by the banks suing Home Depot over its data breach. We wonder whether the rulings are so plaintiff-friendly that the banks will eventually regret their successes. Michael also explains just how deliberately meaningless is the Supreme Court decision in Spokeo, Inc. v. Robins.
Alan Cohn lays out the new DOD rule requiring government contractors to adopt basic cybersecurity measures. Michael explains why the court rejected Mozilla's bid to intervene in the big FBI-child porn case. I cheer Google on in its appeal of the egregious CNIL ruling extending French “right to be forgotten” censorship to the world – and mock the handful of Senators who have gone on record as favoring legislation to overturn the Rule 41 changes and make the internet safe for child exploitation. Finally, Alan explains why the SEC thinks cybersecurity is the top threat to financial systems
As always, the Cyberlaw Podcast welcomes feedback. Send e-mail toCyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
Tue, 17 May 2016
Ransomware is the new black. In fact, it’s the new China. So says our guest for episode 116, Dmitri Alperovitch, the CTO and co-founder of CrowdStrike. Dmitri explains why ransomware is so attractive financially – and therefore likely to get much worse very fast. He and I also explore the implications and attribution of the big bank hacks in Vietnam and Bangladesh.
In the news roundup, Michael Vatis reports on the new federal trade secrets law. In addition, inspired by the Edelson firm’s sealed complaint against a Chicago-based law firm for cybersecurity failings, Steptoe’s chair emeritus, Roger Warin, charts the legal and strategic terrain of suing law firms for bad security. The hazards of class action litigation in this field are illuminated by the district court’s recent ruling on the Zappos breach, which Michael unpacks for us.
Unable as always to resist a sitting duck, I quote the FTC’s condescending Congressional testimony promising to give the FCC the benefit of its 40 years of security expertise. It plans to offer comments on the FCC’s proposed privacy regulations. But the FTC fails to note that in all those 40 years, it has never had occasion to ask anyone for comment on its own privacy or security standards – which are scattered haphazardly across a series of brochures and weblinks and consent decrees. As I point out, that makes it hard not just for companies that want to comply, but also for the FTC, which has no way to amend its outdated security guidance, most notably the bad advice it gave several years ago about requiring employees to change passwords frequently. Maybe it’s time for the FCC to return the favor, and give the FTC the benefit of its own years of experience in actually issuing and taking comment on proposed regulations.
As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
Wed, 11 May 2016
Does the FISA court perform a recognizably judicial function when it reviews 702 minimization procedures for compliance with the Fourth amendment? Our guest for episode 115 is Orin Kerr, GWU professor and all-round computer crime guru. Orin and I spend a good part of the interview puzzling over Congress’s mandate that the FISA court review what amounts to a regulation for compliance with an amendment that is usually invoked only in individual cases. Maybe, I suggest, the recent court ruling on 702 minimization and the Fourth amendment doesn’t make sense from an Article III point of view because the FISA judges long ago graduated from deciding cases and controversies to acting as special masters to oversee the intelligence community. We also explore an upcoming Orin Kerr law review piece on how judicial construction of the Fourth amendment should be influenced by statutes that play in the same sandbox.
In the news roundup, Maury Shenk provides an overview of the data protection logjam now building up in Brussels, including EU Parliament approval of the new US-EU law enforcement agreement. In FTC news, Katilin Cassel explains why Amazon is liable for kids’ in-app purchases; I seize on recent UK government advice not to change passwords too often to mock the FTC for its outmoded advice on the topic and its inability to shed its old guidance gracefully; and Maury and I examine how and why the FTC is enforcing quasi-voluntary privacy regimes like the Privacy Shield/Safe Harbor.
Katie explains HHS’s remarkable new enforcement policy – imposing large fines on health providers who voluntarily disclose a paperwork omission that caused no actual privacy harm. I flag the First Circuit’s decision to create a circuit conflict on the meaning of the Video Privacy Protection Act.
I express astonishment that the tech press continues to think there’s a constitutional problem with forcing someone to use his fingerprint to unlock a phone. The Onion and Operation Vowel Lift also make an appearance.
Wed, 4 May 2016
Our guest for episode 114 is General Michael Hayden, former director of the NSA and CIA; he also confirms that he personally wrote every word of his fine book, Playing to the Edge: American Intelligence in the Age of Terror. In a sweeping interview, we cover everything from Jim Comey’s performance at the AG’s hospital bedside (and in the Clinton email investigation) to whether the missed San Diego 9/11 calls were discovered before or after the 215 program was put in place. Along the way, we settle the future of Cyber Command, advise the next president on intelligence, and lay out the price the intelligence community is paying for becoming so darned good at hunting terrorists.
Michael Vatis and I do the news roundup. It’s bad news this week for the same child porn defendants who got good news last week, when a court overturned the search warrant used to search their computers after they visited an FBI-run Tor node. Now, though, the Supreme Court has approved a change to Rule 41 authorizing geographically unbound search warrants in computer cases. Unless Congress comes to their rescue by rejecting the proposed rule change, an unlikely prospect indeed, the new rule will take effect at the end of the year.
Well, that was fast, at least by the standards of Washington lawyers. We’ve gone from attribution to proposed retribution in less than two years. Indictments in 2014 charged that the Chinese government had broken into US Steel’s computer network. Now US Steel is claiming that the hackers stole advanced steel technology and gave it to a Chinese competitor, and it’s asking the International Trade Commission to exclude the competitor’s products from the United States, on the ground that stealing secrets is an unfair trade practice. With the government eager to send a message on commercial cyberespionage, look for plenty fireworks over the next year as the case is brought to judgment.
The big FISA news revolves around notices given to litigants when section 702 played a role in their cases. A rare notice of that kind has been given to an Iraqi refugee accused of traveling to Syria. He has promised a constitutional challenge. Meanwhile, if you’re wondering whether OFAC uses 702 intelligence to issue sanctions, and whether the targets get notice when that happens, the New York Times is fighting to get those answers, using FOIA. It’s losing. Congress is also taking a harder look at 702, with fourteen of the usual suspects asking DNI Clapper to estimate how many Americans’ communications are swept up in the program.
In other news, Michael notes that Nebraska has expanded its breach law to cover more data – and to make sure that the encryption exception only applies to encryption that’s not fatally compromised.