Steptoe Cyberlaw Podcast

Jonathan Zittrain, who holds a surfeit of titles at Harvard, is our guest for episode 136. Among other topics, we explore the implications of routine doxing of political adversaries. Along the way I extract kind words from Jonathan for Sarah Palin and welcome him to the club of those who think mass doxxers are evil punks.  It’s a wide-ranging, informative, and un-ideological performance of the sort we’ve come to expect from Jonathan.

In the news, I note that the FBI seems to be getting reinforcements in the Great Crypto War, as European prosecutors prepare the battlefield with complaints about Islamic State use of Western encryption.

We’re seeing the rise of a new kind of security disclosure mandate, Katie Cassel tells us. First DOD and now Treasury are requiring their industry to disclose not just personal data breaches but the details of security breaches. But only Treasury was clever enough to do it without new regulatory authority.

NHTSA proposes some pretty thin cybersecurity guidance for vehicles, says Michael Vatis, and a couple of Senate Dems predictably call for tougher mandatory standards.

In more dog-bites-man news, European data protectionists have more hassles for US tech companies; this time it’s WhatsApp and Yahoo in the crosshairs.

Michael leads a tour of the FCC’s new “opt-in” privacy rules for ISPs. I make a bold prediction about how the privacy fight will shake out, and Michael—remarkably—thinks I may be right.

Katie explains HHS’s latest fine for a company that allowed file-sharing of medical files on one of its servers. Mike Daugherty, time to call your office.

Would the revolting magistrates have scuppered the FBI's effort to extract Huma's emails from Weiner's computer? Michael and I debate Orin Kerr's suggestion that there's a legal problem with expanding the search (or the seizure) to a new and different investigation. We mostly disagree with Orin.

And in continuing Rule 41 news, I narrowly escape an NFL taunting penalty while reporting that a whopping 23 out of 535 lawmakers are whining about expanded searches of pedophile computers.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-136.mp3
Category:general -- posted at: 5:32pm EST

Our guest for the episode is Rob Silvers, the assistant secretary for cybersecurity policy at DHS.  He talks about what the government can and should do about newly potent DDOS attacks and the related problem of the Internet of Things. The only good news: insecure defibrillators and pacemakers may kill you, but they haven’t yet been implicated in any DDOS attacks.

In the news, Michael Vatis and I debate whether the netizen reaction to a search warrant that also allows the FBI to collect phone security fingerprints during the search is overheated or justified. Maury Shenk explains an unusual UK tribunal ruling, holding that GCHQ’s and MI5’s bulk collection of data was once a violation of the European Convention on Human Rights. Luckily for the UK government, that illegality was cured by the government’s acknowledgment of the collection.

The financial industry faces new cybersecurity regulations; Katie Cassel explains. Then, as the junior member of the podcast crew, Katie also finds herself called on to explain when defense contractors have to disclose cyberattacks to the Department.

In other news, NSA contractor Harold Martin is looking less like a hoarder and more like a serious threat to national security, thanks to the Justice Department motion opposing bail. Maury explains why the EU’s top court thinks that even dynamic IP addresses are personal data. And I explain (or try to) why Julian Assange is a First Amendment cover boy when he blows national security secrets but apparently the second coming of Josef Stalin when he blows politically embarrassing secrets of the Clinton Global Initiative.  Or is the real problem the risotto recipe?

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-135.mp3
Category:general -- posted at: 1:31pm EST

Episode 134 features John Carlin’s swan song as assistant attorney general for national security.  We review the highs and lows of his tenure from a cybersecurity point of view and then look to the future, including how the U.S. should respond to Russia’s increasingly uninhibited use of cyberpower.  I introduce John to Baker’s Law of Post-Government Policy Advice: “The good news about leaving government is that you can say what you think. The bad news is that you can say what you think because nobody cares.”

In the news roundup, we explore the Geofeedia flap, in which large Silicon Valley companies are claiming the right to deny law enforcement access to public postings, even when that access is limited to particular geographic areas, such as the location of an ongoing riot.  Remarkably, they seem to think we ought to be praising them for this antisocial stand.

Maury Shenk updates us on the UK’s new privacy guidelines—and China’s effort to make its internet more protective of children, and the state.

Michael Vatis and I mull over the troubling news that Carbanak is targeting SWIFT endpoints. The G7 has financial cybersecurity guidelines, but it seems unlikely that they’ll turn the tide of an increasingly at-risk banking system.

Michael and I also touch on an Akamai report confirming that the Internet of things isn’t exclusively used to launch DDOS attacks on Brian Krebs; sometimes it’s used to launch mass credential theft attacks as well. Maybe, I suggest, this is a problem that lawsuits can address.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_134.mp3
Category:general -- posted at: 1:51pm EST

In episode 133, our guest is The Grugq, famous in hacker circles but less so among Washington policymakers.  We talk about the arrest of an NSA employee for taking malware and other classified materials home, the Shadow Broker leak of Equation Group tools, and the Grugq’s view that the United States has fundamentally misunderstood the nature of cyberconflict.

In the news, Alan Cohn and I discuss the DHS/DNI fingering of Russia – and Putin – for the DNC hack.  We ask whether this means that sanctions will follow, and I characterize the administration’s stance so far as an updating of Groucho Marx’s position:  “These are my red lines.  If you cross them, well, I have others.”  

I award “stupidest privacy scandal of the year” to the complaints that Yahoo! (gasp!) scanned email content in a search for a terror-related signature.  

Continuing what will become a rant-filled episode, I nominate the Third Circuit for membership in a Hall of Judicial Shame.  The court of appeals has joined the European Court of Justice in giving legal effect to the early Guardian articles claiming that PRISM allowed NSA to scan all emails in US webmail services.  That might have been a mistake in 2013, but in 2016, it can only be characterized as a lie, and not one the judiciary should be party to.  Katie Cassel hoses me down.

Maury Shenk, back from honeymoon in Jordan, explains why the TalkTalk case has such prominence in the UK – and why the company was lucky to be assessed one of the highest fines ever imposed by the UK data protection authority.

Katie explains the FCC’s revised proposal for privacy regulations.  But she can’t explain the FTC’s embarrassingly juvenile grandstanding in its ongoing turf war with the FCC.

And, to end the roundup on a choleric note, Alan goads me with HHS’s latest and most astonishingly nit-picking fine ‒ $400,000 for having a supplier contract that hadn’t been updated since the HI-TECH Act modified HIPAA.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_133.mp3
Category:general -- posted at: 9:19am EST

In episode 132, our threepeat guest is Ellen Nakashima, star cyber reporter for the Washington Post.  Markham Erickson and I talk to her about Vladimir Putin’s endless appetite for identifying ‒ and crossing ‒ American red lines, the costs and benefits of separating NSA from Cyber Command, and the chances of a pardon for Edward Snowden.  Ellen also referees a sharp debate between me and Markham over the wisdom of changing Rule 41 to permit judges to approve search warrants for computers outside their district.

In the news roundup, Meredith Rathbone explains the remarkably aggressive, not to say foolish, European proposal to impose export controls on products that would enable state surveillance in cyberspace.  Apparently locked in a contest with Brussels over who can propose the dumbest regulation of cyberspace, California has adopted a law that purports to prohibit entertainment sites like IMDb from publishing the true ages of actors and actresses.  Markham and I debate the constitutionality of the measure.

In other California news, Markham brings us up to date on the surveillance lawsuit against Google.  He also explains the deep Washington maneuvering over FCC Chairman Wheeler’s plan for cable set top boxes.  I call for a rule that requires cable CEOs to wait at home for days of rescheduled calls to find out whether they’re going to get the result they want.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_132.mp3
Category:general -- posted at: 2:02pm EST

1