The Cyberlaw Podcast

In this episode, I interview Elsa Kania, author of a Center for a New American Security report on China’s plan for military uses of artificial intelligence—a plan that seems to have been accelerated by the asymmetric impact of AlphaGo on the other side of the Pacific.

In the news, Brian Egan notes that China’s perspective on “sovereignty in cyberspace” was further elaborated at China’s World Internet Conference, and I point out that China continues its “two steps forward, one step back” process of bringing U.S. companies to heel on security issues.

Nick Weaver explains that the U.S. financial institutions’ “project doomsday” could just as easily be cast as “fire hydrant standardization.” It could be, but it won’t, at least not by headline writers.

Nick also calls out Apple for failing to follow U.S. law in responding to pen/trap and wiretap orders.

I take a victory lap, as the director of national intelligence promises to apply the Gates procedures to unmasking of transition officials. As recommended by me (well, and the House intelligence committee). No need to call them the Baker procedures, though, guys.

Bleeping Computer says Germany is planting backdoors into modern devices. Maybe so, I offer, but whether that includes encryption is not at all clear. 

Finally, Nick digs into the remarkable work that Citizen Lab and Bill Marczak continue to do on authoritarian government hacking. He says, with evidence, that efforts to control sales to untrustworthy governments are actually working.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-196.mp3
Category:general -- posted at: 8:04am EST

Episode 195 features an interview with Susan Hennessey of Lawfare and Andrew McCarthy of the National Review. They walk us through the “unmasking” of US identities in intelligence reports—one of the most divisive partisan issues likely to come up in the re-enactment of Section 702 of FISA. I bask momentarily in the glow of being cast as a civil liberties extremist. And Thidwick the Big-Hearted Moose offers insights into 702 reform.

In the news roundup, I try to count votes after the Supreme Court argument in Carpenter v. United States. I count at least four likely votes to require a warrant for cell phone location data and only two likely votes for the United States (and the preservation of the third party doctrine). The other justices didn’t exactly wear their votes on their sleeve, but the smart money favors a whole new ballgame for criminal discovery. The court’s biggest problem will be finding a rationale that doesn’t open up decades of litigation. Justice Gorsuch distinguishes himself with a rationale that is creative, libertarian-conservative, and, well, cockamamie.

Phil West provides the tech angle on the biggest Congressional news—tax reform and what it means for Silicon Valley

Nick Weaver and Jamil Jaffer walk us through the Justice Department’s impressive haul of indictments and guilty pleas in the world of cyberespionage. Yet another NSA exploit hoarder has been caught and pled guilty. And for the first time, Justice has the goods on cyberespionage by Boyusec, a Chinese “security” firm tied to China’s Ministry of State Security. The company has conveniently gone out of business after being outed, but the indictment does raise the question whether the US-China agreement on commercial cyberespionage was really just about which Chinese cyberspies would be allowed to steal U.S. commercial secrets.

There’s yet another flashpoint in China-US cyber relations—drones. A DHS analyst has publicly trashed the dominant drone maker, China’s DJI, as providing the Chinese government with access to data collected by its drones and as targeting sensitive US infrastructure for its sales. The DJI response is not exactly nuanced: A DJI spokesman called the report “insane.”

Meanwhile, Uber's problems seem neverending. The latest disaster focuses on the company’s use of quick-to-vanish messaging services like Wickr and Telegram. Such services are popular among “Technorati” who like to fancy themselves as targets of government surveillance. Problem is, when they are under surveillance, or just a discovery obligation, the use of evanescent messaging is often seen as a sign of guilt. This messaging movement could turn out to be extremely costly—first for Uber and then for Silicon Valley in general. I'm not sure that putting employees on the honor system not to use those services for company business is going to be enough.

Apple was in the news for giving up root access to anyone who insisted. And its attempt to rush out a patch wins the Equifax Prize for Breach Fixes That Create New Security Problems. Perhaps the security team was off providing support to Tim Cook for his keynote speech at the celebration of the Chinese internet (“We are proud to have worked alongside many of our partners in China to help build a community that will join a common future in cyberspace.”) Nick Weaver suggests as a result that we take a closer look at Facetime intercept capability.

Finally, it’s down to the wire on Section 702. Jamil Jaffer, Susan Hennessey and our other commentators think we may escape without too much damage to the intelligence program.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 195th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-195.mp3
Category:general -- posted at: 11:09am EST

Our interview this week is with Rob Reid, author of “After On” and “Year Zero,” two books that manage to translate serious technology nightmares into science fiction romps. We cover a lot of ground: synbio and giving eighth graders the tools for mass human extinction, the possibility that artificial intelligence (AI) will achieve takeoff and begin to act counter to humanity’s interests in a matter of hours. Along the way, we consider the possibility that the first AI will arise from a social media behemoth and will devote its exponential power to maximizing human hookups.

In the news, we explore the massive public relations disaster that is the Uber data breach and reach the surprising conclusion that the whole thing may turn out worse in the media than in the courts. Except in the EU, Maury Shenk reminds me. Europe just hates Uber viscerally. So much so that Jim Lewis suggests the company’s EU subsidiary will soon have to be renamed Unter.

Actually, it’s not just Uber that the EU hates. It’s all things technological, at least to judge by the European Parliament’s latest plan to use export controls to cripple technology companies whose products can be misused by authoritarian governments.

I note the release of the ODNI’s report on the intelligence community’s "masking" of U.S. identities in intel reports. We talk about the temptation to weaponized unmasking during transitions, and I ask why the “Gates procedures” that provide special protection for unmasking of Congressional identities shouldn’t also be used to protect Presidential transition teams.

Jim and I discuss Russia’s imposition of constraints on Radio Free Europe that match the new restrictions on RT in the United States. Jim and I struggle toward a Universal Theory of Putin as Overrated Global Troll.

Remember those Chinese "security" cameras deployed by US agencies that we covered in the last episode? Yeah, it's worse than you thought: the Chinese are getting close to identifying everyone caught on camera using gait and facial recognition.

I note that Sen. Ron Wyden (D-OR) has another campaign underway to imply that the Justice Department is imposing decryption assistance requirements under FISA without judicial review. In fact, if there is such an effort, the company on the receiving end already has a judicial remedy. And Maury explains that the head of Germany's new cybersecurity agency is joining the German government chorus arguing for "hack back," but only by the German government.

My candidate for “Dumbest Public Policy Battle of the Season”: The complaint that someone faked a bunch of meaningless, content-free comments on net neutrality. The problem is really the idea that the policy debate should be influenced by counting votes in the World’s Skeeviest Online Poll, an idea that seems to have sparked a kind of bot arms race between supporters and opponents of the FCC’s policy.

And my candidate for Coolest Technology Story of the Season: Feeding graphene to spiders and discovering that it greatly strengthens their webs. Every fifteen-year-old science fair participant should take heart: It turns out that with great quantities of graphene comes great responsibility.

As always, The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 194th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-194.mp3
Category:general -- posted at: 7:27pm EST

We celebrate the holiday season by interviewing David Ignatius, Columnist and Associate Editor at The Washington Post and the author of multiple spy thrillers, including his most recent, "The Quantum Spy." David and I discuss themes from the book, from quantum computing to ethnic and gender tensions at the Agency, while managing to avoid spoilers. It’s a fun and insightful work.

 

Steptoe partner Stewart Baker with David Ignatius.

In the news, I flag Twitter’s weird journey from the free speech wing of the free speech party to the censorship wing of the Censor’s Party. Twitter is now revoking the verification checks for people whose speech it disapproves of. It’s even de-checking people based on its assessment of their off-line conduct. So maybe that should be the Stasi wing of the Censor’s Party. And, not surprisingly, given Silicon Valley’s steep leftward-tilt, the censorship seems to fall far more harshly on the right than on less PC targets.

Markham Erickson and I treat Twitter’s wobbly stance as a symptom of the breakdown of the Magaziner Consensus, as both left and right for their own reasons come to view Big Tech with suspicion. Markham has shrewd observations about what it all means for the (questionable) future of social media’s section 230 immunity.

We dive into a surprising new analysis of China’s “50c Army.” Turns out that the Chinese government strategy for flooding the internet is 180 degrees off from Russia’s. Instead of a Trollfest, Chinese government-funded social media is saccharine sweet. Cheerleading and changing the subject are what its army does best.

Markham, Brian Egan, and I give broadly positive reviews to the US government’s recently announced Vulnerability Equities Process. And, in a correction to those who’ve said that other countries don’t have such a process, I point to evidence that China has one–in which all the equities seem to point to exploit, exploit, exploit.

All of which ought to turn the story of US agencies using Chinese “security” cameras from disquieting to positively frightening. Speaking of which, the Chinese company that made your drone has provided a case study on how not to do a bug bounty program. Read it and weep.

On a lighter note, we talk backflipping robots and a surprising peril of traveling with your family this holiday season–thumbprint phone security failure followed by titanic spousal air rage. Where is Tim Cook’s privacy schtick when we really need it?

Download the 193rd Episode (mp3).

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-193.mp3
Category:general -- posted at: 5:23pm EST

With the Texas church shooting having put encryption back on the front burner, I claim that Apple is becoming the FBI's crazy ex-girlfriend in Silicon Valley—and offer the tapes to prove it. When Nick Weaver rises to Apple's defense, I point out that Apple responded to a Chinese government man-in-the-middle attack on iCloud users with spineless obfuscation rather than a brave defense of user privacy. Nick asks for a citation. Here it is: https://support.apple.com/en-us/HT203126 (Careful:  don't click without a chiropractor standing by.)

Nick provides actual news to supplement the New York Times' largely news-free front page storyabout leak and mole fears at NSA.

I gloat, briefly, over hackback's new respectability, as the Active Cyber Defense Certainty Act acquires new cosponsors, including Trey Gowdy, and hacking back acquires new respectability. But not everywhere.

Michael Sulmeyer finally gets a word in edgewise as the conversation shifts to the National Defense Authorization Act. He discusses the Modernizing Government Technology Act, the growing Armed Services Committee oversight of cyberoperations, and the decision to lift—and perhaps separate—Cyber Command from National Security Agency. I take issue with any decision that requires that a three-star NSA director to argue intelligence equities with a four-star combatant commander

We end with Michael Sulmeyer and I walking through the challenges for the Pentagon in deterring cyberattacks. We both end up expressing skepticism about the current path. 

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 192nd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-192.mp3
Category:general -- posted at: 1:48pm EST

Episode 191 is our long-awaited election security podcast before a live, and lively, audience. Our panel consists of Chris Krebs, formerly of Microsoft and now the top cybersecurity official at DHS (with the longest title in the federal government as proof), and Ed Felten, formerly the deputy chief technology officer of the federal government and currently Princeton professor focused on cybersecurity and policy. We walk through the many stages of election machinery and the many ways that digitizing those stages has introduced new insecurities into our election results.

When all is said and done, however, the entire panel ends up more or less in one place: Election security is not to be taken for granted; it will be hard to achieve, but it’s not impossible, or even unaffordable. With sufficient will and focus, and perhaps a touch of Ned Ludd, we may be able to overcome the risk of foreign hackers interfering in our elections. At least outside of New Jersey.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 191st Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-191.mp3
Category:general -- posted at: 9:51am EST

In our 190th episode, Stewart Baker has a chance to interview Sen. Sheldon Whitehouse (D-RI), who has a long history of engagement with technology and security issues. In this episode, we spend a remarkably detailed half-hour with him, covering the cybersecurity waterfront, from the FBI’s problems accessing the Texas church shooter’s phone, and what Silicon Valley should do about that, to Vladimir Putin’s electoral adventurism and how to combat it. Along the way, we touch (skeptically) on the NIST Cybersecurity Framework and more enthusiastically on allowing private citizens to leave their networks to track the hackers who’ve attacked them.  Plus: botnet cures, praise for Microsoft, a cybersecurity inspector general (or, maybe, bug bounties), DHS’s role in civilian cybersecurity, and how much bigger Rhode Island really is at low tide!

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 190th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-190.mp3
Category:general -- posted at: 1:34pm EST

In our 189th episode Stewart Baker has a chance to interview United States Representative Tom Graves, co-sponsor of the Active Cyber Defense Certainty (ACDC) Act, which allows those whose networks are under persistent attack to leave their network to conduct investigative action.  Representative Graves offers a measured but deeply felt defense of the proposal and is optimistic about its reception.  And, with the hard-hitting investigative approach The Cyberlaw Podcast is known for, I ask the tough question:  “Is this bill a tribute to AC/DC – and if so, which song?”  (Hint in the title of the blog post.)

Mark your calendars for November 7th when we will gather for a live taping of a special episode on Election Cybersecurity at our Dupont Circle offices here in DC. To register please visit the Events page of our website at steptoe.com.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 189th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-189.mp3
Category:general -- posted at: 2:38pm EST

In this episode, Brian Egan and I deconstruct the endlessly proliferating “FISA 702 Reform” bills, from the irresponsible House Judiciary bill to the “I’ll see your irresponsible and raise you crazy” bipartisan extremist bill beloved of Sens. Wyden and Paul (and talk about truth in advertising: what else would you call a bill that takes us back to the pre-9/11 status quo but S.1997?). Even the relatively restrained Senate Intelligence bill takes fire for its, ahem, “creative” approach to FBI searches of 702 data. Brian does not share my distaste for all of the options, but agrees that the cornucopia of 702 proposals makes it even more unlikely that anything other than a straight-up short-term reauthorization can be passed before the end of the year.

In other legislative news, CFIUS reform is also in the air, and Sen. Cornyn's carefully scripted rollout has begun. In her podcast debut, Alexis Early unpacks this complex bill. Need a one-word explanation? China. The bill tries to block all of the avenues China is believed to have traveled in its pursuit of US technology over the last decade. We also discuss how the bill would remove the veneer of “voluntariness” from at least part of the CFIUS process, which could impact a range of filers – particularly US technology companies seeking foreign investment.

Meanwhile, if you’re looking for confirmation that privacy is really just another word for protecting privilege, Twitter is apparently eager to provide it. Even as criticism and warnings about Russian misuse of Twitter to divide Americans and “diss” Hillary Clinton were rolling in last summer, the Russians were busily deleting their phony posts, and Twitter was right there to help. The company told even independent researchers who had saved Russian posts that the researchers had to delete any post that Twitter was deleting (which seems to be anything that the Russians deleted). This of course made it hard to criticize Twitter’s policies on foreign government trolling, since the evidence was gone, but the justification that Twitter offered was, naturally, privacy. Maybe the company’s privacy policy should come with a slogan: “Privacy: Good for you. Better for us.”

Of course, Twitter claims that it has to force the deletion of inconvenient tweets because of EU data protection policy. And indeed, European exceptionalism on the privacy front was front and center last week, with the European Parliament’s approval of a draft ePrivacy directive that law enforcement will hate, an unfavorable opinion on how many data protection authorities can regulate Facebook (clue: all of them), and an absolutely undecipherable explanation from the Article 29 working party of European restrictions on automated decision-making (my translation: “If you use AI in your business and we don’t like you, you’re toast.”). Maury Shenk provides a less jaundiced summary of these developments.

We do quick hits on Kaspersky’s defense, which looks more like it was designed to embarrass the US than to exonerate the company, on Microsoft’s eagerness to drop its gag order lawsuit in response to a change in DOJ policy, and on the FBI’s claim that encryption is now defeating half of the phone searches it tries to do. 

Our interview is with Chris Painter, the State Department’s top cyber diplomat under President Obama. He offers candid views about the Tillerson reorganization, which pushes his old office deeper into “deep State” (the State bureaucracy). He also assesses what went right and wrong for cyber diplomacy on his watch, and what the US should be doing going forward. Brian Egan referees as Chris and I have what the State Department might call a “frank and candid exchange of views.”

Mark your calendars for November 7th when we will gather for a live taping of a special episode on Election Cybersecurity at our Dupont Circle offices here in DC. To register please visit the Events page of our website at steptoe.com.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 188th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-188.mp3
Category:general -- posted at: 4:37pm EST

I had a chance to talk to Tom Bossert, President Trump’s Homeland Security Adviser, on the record, and we’re releasing the conversation as a bonus episode of the Cyberlaw Podcast. The talk ranges from Peggy Noonan’s observations on White House staff work to the vast improvement in the West Wing’s carpeting before turning to our main topic – the looming deadline for renewing authority for FISA section 702. Tom is deeply familiar with the issues in the debate over 702. He stands by the administration’s position that 702 should be renewed without amendment and without a sunset but he discusses with nuance the many legislative proposals for changing the program as well. Finally, we talk about the executive order that unleashed a flood of internal reports on empowering DHS to protect the US government’s systems, measures to protect critical infrastructure, and the administration’s hunt for a new cyberspace deterrence strategy.

Mark your calendars for November 7th when we will gather for a live taping of a special episode on Election Cybersecurity at our Dupont Circle offices here in DC. To register please visit the Events page of our website at steptoe.com.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 187th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-187.mp3
Category:general -- posted at: 7:56am EST

Our interview is another in our series on Section 702 reform, featuring Mieke Eoyang of the National Security Program at Third Way and Jamil Jaffer of George Mason University and IronNet Security. They begin with the history of the program but quickly focus on proposals to require warrants for FBI criminal searches of already collected 702 data, which Mieke broadly supports and Jamil broadly opposes. The Las Vegas shooter's case raises the question—are we really going to make the FBI wait for a warrant before checking its own 702 database to see whether Paddock has been in communication with terror groups and what he's been saying? 

In the news roundup, Jim Lewis of the Center for Strategic and International Studies and Brian Egan nerd out with me on the DOD's objections to section 1621(f) of the National Defense Authorization Act. Neither Jim nor Brian finds them persuasive.                 

I give a preview of my plans to celebrate Halloween as a Russian Twitter troll, and Jim predicts that the main fallout from the entirely predictable Russian use of Twitter will be on Silicon Valley, as what I call the Magaziner Consensus, already dying abroad starts to look a little peaked here at home.  

Meanwhile, the North Korean hackers are still robbing banks, semi-successfully. And, remarkably, they're also finding studios even more willing to cave to cyber blackmail than Sony, as it turns out the hackers apparently killed a BBC show they found objectionable. Jim insists that these kinds of attacks tell us more about the calculating rationality of Kim Jong Un than his craziness. And, since Kim's getting away with both, maybe Jim is right.

I riff on the latest in sex toy security, introducing our audience to an entirely new internet vocabulary.

Also, the medical profession seems to be putting its collective head in the sand about medical device security. Jim is sure that liability for producers—and for doctors—will solve that problem before Congress. Knowing the FDA's shaky grasp of the issue, I’m not so sure. 

Finally, Brian reports that the EU's first Privacy Shield report found US data protection practices "adequate" under EU law. He thinks it's because the administration is taking the EU process seriously; I think it's because the EU is taking President Trump seriously—and has decided he's not someone whose adequacy you want to question lightly.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 186th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-186.mp3
Category:general -- posted at: 11:23pm EST

This episode features an interview with Mårten Mickos, the CEO of HackerOne. HackerOne administers bug bounty and vulnerability disclosure programs for a host of private companies as well as DOD’s “Hack the Pentagon” program. He explains how such programs work, how companies and agencies typically get started (with “vulnerability disclosure” programs), the legal and other assurances that companies need to provide to ensure participation, and the role that bounty administration firms play – from hacker reputation management to providing a kind of midnight basketball tournament for otherwise at-risk fourteen-year-old boys. (And they are boys, at least 98% of them, an issue we also explore.) Along the way, there’s even unexpected praise for the Justice Department’s Computer Crime Section, which has produced a valuable framework for vulnerability disclosure programs.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 185th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-185.mp3
Category:general -- posted at: 8:04pm EST

Today’s news roundup features Shane Harris of the Wall Street Journal, Brian Egan, and Alan Cohn discussing stories that Shane wrote last week. Out of the box, we work through the hall of mirrors that the Kaspersky hacking story has become.

The Russian hacking story is biting more companies than just Kaspersky. Turns out that Twitter deleted all the Russian trolling accounts and tweets when the Russians asked them to. Because privacy! I put in a plug for the rule that privacy always somehow ends up protecting the powerful – in this case Vladimir Putin and, of course, Twitter itself.

We also cover another Wall Street Journal story detailing North Korea’s use of (another) antivirus product to hack South Korea’s military – and US war plans. 

Alan unpacks the Trump Administration’s most detailed statement to date on law enforcement and technology -- Deputy AG Rosenstein’s far-ranging speech on the topic.

Alan and I also touch on the emerging fight over 702 – and the media’s evergreen and credulous “discovery” that the far left and far right are surprisingly close on surveillance issues.

Alan spells out the case for Kirstjen Nielsen as Homeland Security Secretary, along with what some of her detractors are saying.

While Brian lays out the explosive theory behind the latest effort to tag Google and other social media giants with liability for assisting ISIS.

We close with two short hits.

I ask why, if Pornhub’s technology is that good, they’re starting with facial recognition.

And I can’t help noting that, for a while at least, security icon Apple thought that the best password hint was … the password itself! Thanks, Tim Cook! We’ll keep that in mind the next time you argue that the ability to hack every iPhone on the planet should be left with you and not the FBI.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 184th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-184.mp3
Category:general -- posted at: 11:49am EST

Richard Danzig, former Navy Secretary and a serious defense and technology thinker, speaks to us about the technology tsunami and what it means for the Pentagon.  Among the risks:  lots more accidents, some of them catastrophic, and “emergent” interactions among systems that no one predicts or prepares for.  He calls for the Department of Defense to spend more time thinking about ways in which our weapons might kill us without any enemy action.  Along the way, we ask the hard questions, including whether Kim Jung Un will use gene therapy to make his people smarter, dumber, or better basketball players.

In our news roundup, the House Judiciary Committee has struck the first blow in the 702 renewal debate. Paul Rosenzweig and I assess its bill and end up concluding that it does less damage to national security than expected, except for the unfortunate decision to sacrifice the possibility of conducting “about” collection.

Meanwhile, a turf fight inside Treasury has gotten vicious, with FinCEN lobbing (and leaking) “intelligence scandal” epithets at its sister Office of Intelligence and Analysis.  Brian Egan doesn’t seem surprised about the fighting, while expressing skepticism about the likelihood of a real scandal. In the words of our President, “Sad!”

Irish courts have unsurprisingly punted on the use of standard contracts clauses to export data to the US, Michael Vatis tells us.  The court has referred the hard issues to the European Court of Justice.

Speaking of sad, a third (or maybe a fourth) NSA staffer has taken Top Secret material home with disastrous results.  Kaspersky’s software seems to have been great at spotting the classified malware on the staffer’s machine. The result, Paul notes, is that the malware ended up in Russian government hands, and Kaspersky’s reputation is toast in the West.  Maybe it’s just a coincidence or maybe Kaspersky has given up wooing the West, but its latest report outs an unknown power that has been “piggybacking” on intrusions aimed at or run by Russian and Chinese hackers.

Finally, Brian discusses USTR’s use of the WTO to put a shot across China’s bow on that nation’s cybersecurity law.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 183rd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-183.mp3
Category:general -- posted at: 6:11pm EST

Episode 182 features a panel of experts on attribution of cyberattacks. I moderated the panel at the Georgia Tech 15th Annual Cyber Security Summit in Atlanta on September 27, 2017.  Panel members included Cristin Goodwin of Microsoft, Rob Knake of the Council on Foreign Relations, Hannah Kuchler of the Financial Times, and Kim Zetter, author of a 2014 book on the Stuxnet attack.

It’s a wide-ranging and compelling discussion of how we’re doing in attributing cyber intrusions and what more is needed in the field. Special thanks to Michael Farrell, Co-Director of Georgia Tech’s Institute for Information Security & Privacy (IISP) and the organizer of the Summit, for all the work and assistance that made this episode possible.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 182nd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-182.mp3
Category:general -- posted at: 5:38pm EST

Episode 181: Equifax and the Upside of Nation-State Cyberattacks

Was the Equifax breach a nation-state attack? Nick Weaver parses the data, and I explore the surprising upside for Equifax if it was.

Twitter comes to Capitol Hill to talk Russian election interference; it goes home with a flea in its ear and plenty of homework to do. Stephen Heifetz and I ask why the Foreign Agent Registration Act could not be used to discipline nation states' use of social media.

Twitter isn't alone in getting sideways with the government. The Justice Department says that Google is defying court orders on disclosure of data -- while building a system to make compliance impossible.  Nick gives the company a chutzpah award.

Jim Comey is still taking hits from the Hill, months after his departure from public life. Sens. Wyden and Lee are hoping to call him a liar, and they'd like the DNI's help. The good news for Jim Comey is bad news for Section 702, since the attack on Comey is really a way of paving the ground for a major reduction in the kinds of intelligence collection the government can conduct using section 702.

Bet you never thought you'd hear the phrase "Bush-Obama Consensus," but the Trump administration's CFIUS policies are turning "BushObama" into a single word summary of the ancien regime. Stephen Heifetz makes these and other observations in laying out the latest from CFIUS's (2015!) annual report. What can we tell from it?

Finally, Nick and I explore his latest essay viewing the vulnerability equities process through a Vault7 and ShadowBrokers lens: What should the government do when it's pretty sure its critical hacking tools have fallen into enemy hands?

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 181st Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-181.mp3
Category:general -- posted at: 4:49pm EST

In a delightfully iconoclastic new book, Jeremy Rabkin and John Yoo take the air out of 75 years of inflated claims about the law of war. They do it, not for its own sake, though God knows that would be enough, but as a prelude to discussing how to use the new weapons–robots, space, and cyber–that technology makes possible. Brian Egan and I interview Jeremy Rabkin about these and other aspects of “Striking Power: How Cyber, Robots, and Space Weapons Change the Rules for War."

In the news roundup, cell tower simulators, aka stingrays, take another hit as a divided DC Court of Appeals says warrants are required before they can be used.

Maury Shenk sees good news for industry in the recent meetings between Commissioner Jourova and Secretary Ross; the European Commission is giving every sign of wanting to avoid yet another fight over Privacy Shield, though hotter heads in Europe may yet prevail.

Brian Egan opines on Robert Strayer’s appointment as deputy assistant secretary of state for cyber and international communications and information policy–and the reorganization that his appointment cements for now.

Stewart and Jeremy unpack the implications of the CCleaner attack, and its lessons for advocates of hacking back.

The FTC took a hit–but not a fatal one–from Judge Donato in the D-Link case.

And the OPM breach suits have been dismissed; I conclude that the grounds for dismissal raise questions, but it was, in the end, a mercy killing, since maintaining a class was likely to be impossible.

Julian Assange’s effort to rebrand himself as something other than a Russian stooge spurs skepticism from the panel. As Maury points out, the (only) Russian data leak Wikileaks has posted is more marketing release than a blown whistle.

Embarrassingly, the SEC admits that it was hacked and that the stolen data was likely used for insider trading.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 180th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe partner Stewart Baker (right) with Jeremy Rabkin.

Direct download: SteptoeCyberlawPodcast-180.mp3
Category:general -- posted at: 8:46am EST

Our interview is with Jeanette Manfra, DHS’s Assistant Secretary for Cyber Security and Communications. We cover her agency’s binding directive to other civilian agencies to purge Kaspersky software from their systems, and her advice to victims of the Equifax breach (and to doctors who think that Abbott Labs’ heart implants don’t need a security patch because no one has been killed by hackers yet). I also ask how she’s doing at expanding civilian agency security from intrusion prevention to monitoring inside networks – and the future of her agency at DHS.

CFIUS is back in the news as President Trump kills his first deal on national security grounds. Stephen Heifetz explains what he did and what it means for roughly 15 more deals caught in CFIUS’s toils.

For those who are following the 702 Upstream issue from last week’s episode, a bipartisan group of House Judiciary members have come down on Liza Goitein’s side of the debate, saying they’ll abolish upstream collection “about” terrorists. Whether they can sell the moderates of both parties on that, especially in the Senate, remains to be seen.

Jennifer Quinn-Barabanov explains how bad things have gotten for Equifax: a delayed patching process that will be cast as negligent, dozens of class actions, an FTC investigation, multiple Congressional committee hearings, possible SEC inquiries, and the state attorneys general too. I point out that no one has suffered harm from the breach yet and question whether this disaster will look quite so bad in three or four months.

The Trump administration imposes its first cyber attack sanctions, against Iranian hackers. Stephen and I note that three astonishingly different Presidents have managed to pursue cyber policies that are more or less indistinguishable from each other.

I suggest a surprising likely victim of the Russian probe: the effort to enshrine in law the requirement that electronic provider content only be provided in response to a search warrant, not a subpoena. The social media companies that dealt with Russian advertisers have provided less information to the Senate intelligence committee than to Robert Mueller. Why? Because the Senate doesn’t issue search warrants. So if Congress adopts a statutory warrant requirement to get electronic content, it will doom Congressional committees to perennial second-class status in future investigations. I doubt Congress is going to want to do that.

In fact, I predict, Silicon Valley is in for a bad half decade in Washington, as left and right grow increasingly suspicious of the power of social media companies.

Finally, to close out the news on a legal note, Jennifer unpacks two recent and, ahem, “divergent” opinions of the Eighth Circuit on breach lawsuit standing.

Download the 179th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-179.mp3
Category:general -- posted at: 8:03am EST

The Cyberlaw Podcast kicks off a series exploring section 702 – the half-US/half-foreign collection program that has proven effective against terrorists while also proving controversial with civil liberties groups.  With the program due to expire on December 31, we’ll examine the surveillance controversies spawned by the program. Today, we look at the “upstream” collection program under section 702.  We talk to Becky Richards, NSA’s Civil Liberties and Privacy and (whew!) Transparency Officer as well as Liza Goitein of the Brennan Center for Justice.

In the news, Equifax is taking a beating both for a massive and serious data breach and for a series of missteps in its mitigation effort.  Michael Vatis lays out the gory details.

Speaking of ugly, the climate for the online ad business is getting a lot worse, or so I predict, as Russia's use of social media ads and trolls gets attention in Washington.

Had enough?  Nope.  Now the European Court of Human Rights is piling on, limiting employers' right to monitor employees.  Maury Shenk explains the law; and I marvel at the court’s ability to take an obligation imposed on governments and turn it into a code of conduct for private employers.

But wait, it gets worse.  Symantec says that a hacker who looks a lot like the Russian government has installed sophisticated hacking tools on the networks that directly control US electric grid systems.  I predict that the Trump administration will do, well, nothing, following an Obama administration tradition in grid hacking cases.

OK, it’s not the power grid, but would you really want hackers to be able to tell your Echo, “Alexa, send me two metric tons of garbanzo beans overnight?”  Now, thanks to what I call the Evil Dolphin attack, they can do exactly that – with you in the room.  Quick, get all the Echos out of Marine World!

OK, here’s a bit of good news, or at least man-bites-dog news.  Maury reports that the European Court of Justice has sent Intel's $1.26 billion monopolization fine back to the European General Court.  Any time a European court doesn’t reach out to arbitrarily smack a US tech company, it’s cause for wonder.

In other news, Michael reports that Lenovo has settled (and pretty cheaply) with the FTC and a batch of states for installing spyware on its laptops.

To follow up on last week’s podcast, Best Buy has dumped Kaspersky software, so the mistrust virus is spreading from government to the private sector.

Finally, Uber, not content with God mode, also invented Hell, a program that fooled Lyft drivers into chasing fake customers.  Now Hell seems to have come for Uber, as it turns out the now-abandoned escapade might have violated the Computer Fraud and Abuse Act and is the subject of an SDNY/FBI probe.

Download the 178th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-178_1.mp3
Category:general -- posted at: 9:51am EST

In Episode 177, fresh from hiatus, we try to summarize the most interesting cyber stories to break in August. Paul Rosenzweig kicks things off with the Shunning of Kaspersky. I argue that the most significant–though unsupported–claim about Kaspersky is Sen. Shaheen’s assertion that all of the company’s servers are in Russia. If true, that’s certainly an objective reason not to let Kaspersky install sensors in non-Russian computers. The question that remains is how much due process companies like Kaspersky should get. That’s a question unlikely to go away, as DOD is now comprehensively shunning DJI drones, issuing guidance that sounds a lot like Edward Snowden demanding that users uninstall all DJI apps and remove all batteries and storage media.

Speaking of companies the US government can’t trust, Paul and I note that Apple has lost control of its secure enclave software. At the same time, Apple has pulled VPN apps from the Apple store at the direction of the Chinese government. Tim Cook explains that this makes perfect sense because Chinese law is on the Chinese government’s side but US law was not on the US government’s side. Right. Sounds like Tim is as good at lawyering as he is at coding, or at finding new breakthrough products for that matter.

Alan Cohn offers a potentially groundbreaking IOT security act.

Maury Shenk lays out the future of UK data protection law after Brexit.

And Paul and I look for ways in which DNA malware could be used.

To everyone’s surprise, election hacking is still making news. I use the item to tease our latest plan–an open house Election Day special where a panel of experts debates election security in front of a live Steptoe audience.

Finally, in our long interview, Alan and Maury talk Bitcoin, blockchain, and distributed ledgers with Michael Mainelli, Co-Founder and Chairman of Z/Yen, a think-tank and venture firm in the City of London; Emeritus Professor and Chairman at Gresham College; an alderman of the City of London; and a founder of Long Finance.

Download the 177th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-177.mp3
Category:general -- posted at: 5:30pm EST

Everybody’s a critic, and everybody’s a censor, at least if you judge by today’s episode: Maury Shenk tells us the European Court of Justice will soon rule on its authority to censor what Americans read. Markham Erickson discusses the Ninth Circuit decision upholding national security letter gag orders. And Maury says that China is getting impressively good at deleting images it doesn’t like from citizens’ phones in real time.

In other news, Congressional sanctions on Russia look like a done deal; Anthony Rapa explains (contra the NYT) that the sanctions weren’t watered down in the House – and the fuss they’re likely to cause among our European trading partners.

Speaking of sanctions, how long before Putin decides to sanction the extended Trump family by going after their property, either with legal decrees or illegal hacks? The Trump hotels are already prime targets for credit card hacks; adding doxing and bricking to the mix wouldn’t be hard.

In fact, that’s a lesson Hollywood seems to have absorbed. To keep from getting hacked a la Sony, it looks as though other studios are airbrushing Vladimir Putin from their upcoming films.

Meanwhile, Reuters and others report that Silicon Valley’s Big Tech seems to be AWOL in the fight over section 702 renewal. Not necessarily out of patriotism but possibly also because the EU has tried to tie the fate of 702 with the Privacy Shield, which is the agreement that allows for free data flows between the regions.

As antidote, Stephanie Roy describes one profile in corporate courage – Microsoft’s lawsuit against Russia’s GRU (though they don’t of course name the intelligence agency). Microsoft is using trademark rights to take back some of the GRU’s command and control infrastructure.  It may not change the world, but it’s the best use of trademark enforcement in years.

Finally, our guest for the episode is Dave Aitel, Founder and CEO of Immunity, Inc. Dave combines deep cyber security expertise with a willingness to weigh in on policy issues.  A VEP expert (and contrarian), Dave thinks the recent Belfer Center paper on the topic is embarrassingly wrong and will have to be withdrawn. We cover other issues as well, from when a cyberweapon should be condemned as an indiscriminate violation of international humanitarian law to Kaspersky’s defenestration and the wisdom and proper regulation of private sector hacking back.  It’s a great tour of current issues in cybersecurity.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 176th Episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-176.mp3
Category:general -- posted at: 6:34pm EST

This episode is dominated by IT procurement news.  And it’s as irresistible as a twelve-car pileup on the Beltway.  We open the news with an exploration of the federal de-listing of Kaspersky Labs, and how seriously government contracts lawyers take such an action (h/t to Michael Mutek for that).

Then, in the interview, Eric Hysen, formerly of the DHS Digital Service, lays out his view of how DHS’s effort to bring agility and speed to big IT contracts came a cropper, with plenty of color commentary from procurement law guru, Michael Mutek.  If you care about reforming federal IT purchasing (and you should), this interview is a cautionary tale.

In other news, as Steptoe summer associate Quentin Johnson lays out, the Knight First Amendment Institute has brought a lawsuit to declare @realDonaldTrump a public forum from which trolls and griefers may never be excluded.  Gus Hurwitz overcomes his inclination to snark and instead treats the claim seriously, which only makes it sound more ridiculous.  Still, I’m looking forward to seeing White House press briefings moved to the Rose Bowl.

Alan Cohn and I note that Booz Allen has come up with the best explanation yet for NotPetya’s weirdly self-defeating ransomware pose.  The purpose wasn’t to cause Shamoon-style destruction or to collect ransom; the goal was to cover tracks left in earlier intrusions.

Meanwhile, Alan Cohn describes a remarkably functional homeland and cyber security White House and DHS process, including Jeanette Manfra’s swift appointment and Rob Joyce’s sober assessment of the value of norms talk.

China continues to crack down on its citizens, and to get cooperation from at least some US tech companies.   You want cyber norms as the tech sector would write them?  It’s easy:  the norm is whatever the government in the companies’ biggest markets wants.  That, at least, goes a long way to explain Apple’s conduct.

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-175.mp3
Category:general -- posted at: 7:06pm EST

In this episode, we interview Jim Miller, co-chair of a Defense Science Board panel that reported on how the US is postured for cyberconflict and the importance of deterrence. The short answer: deterring cyberconflict is important because our strategic cyberconflict posture sucks. The DSB report is thoughtful, detailed, and troubling. Jim Miller manages to convey its message with grace, good humor, and clarity.

In the news, Brian Egan and I find ourselves unable to turn away from the Trump-Putin meeting in Warsaw. Bottom line: by raising concerns with election hacking, Trump did and said more or less what any President would have said and done – except he failed to stick the landing with a self-serving debrief. Or if the President’s short-lived establishment of a “joint computer security unit” was self-serving, we missed it.

File this under dog bites man: Europeans are beating up on Google. The UK data protection commissioner says it was unlawful for the National Health Service to share medical data with Google’s DeepMind subsidiary, even if the goal was to provide new medical insights.

And the EU’s massive fine for Google’s abuse of its dominant position leads to musings on the regulatory foundations of some competition law doctrines – plus an enthusiastic book recommendation.

Speaking of regulating cyberspace, China’s regulatory association is demanding “core socialist values” and in-house auditors for internet content sites.

Finally, in a first, we invite Steptoe summer associate Josh Holtzman on the podcast. Josh does a fine job breaking down the issues in a court fight over warrants-and-gag-orders served on Facebook, probably as part of an investigation into violence accompanying Donald Trump’s inauguration.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-174.mp3
Category:general -- posted at: 8:48pm EST

Today we deliver the second half of our bifurcated holiday podcast with an interview of Richard Ledgett, recently retired from his tour as NSA’s deputy director. We cover much recent history, from Putin’s election adventurism to questions about whether NSA can keep control of the cyberweapons it develops.  Along the way, Rick talks about the difference between CIA and NSA approaches to hacking, the rise of NSA as an intelligence analysis force, the growing effort to keep Kaspersky products out of sensitive systems, and the divergence among intelligence agencies about whether Putin’s attack on the American election was intended mainly to hurt Hillary Clinton or to help Donald Trump.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Subscribe to the Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-173.mp3
Category:general -- posted at: 2:55pm EST

In this news-only episode, we cover the irresistible story of the week: Trump, Russia, and the Media.  It’s especially irresistible for us because we’ve had two of the protagonists on as guests.  I make the bold prediction that Shane Harris’s stories on Russia collusion and the Trump campaign will be seen as the moment when the media OCD fascination with Russia collusion finally jumped the shark.  Though in this case, the shark had already consumed at least one Pulitzer-prize winning journalist, Eric Lichtblau.  (And for the record, CNN, I am not advocating that more journalists should be eaten by sharks, and I refuse to accept the blame when they are.)

Unfortunately, journalists chasing nonstories can’t devote any attention to some very real stories involving government and IT.  So we do it for them.  Stephen Heifetz reports on the CFIUS logjam that is blocking close to a dozen transactions because the administration has not filled the subcabinet positions that could sort through the filings with a coherent policy in mind.

In other cyberwar logjam news, the UN Government Group of Experts (GGE) has failed to produce a consensus report following up on earlier reports endorsing some application of the law of war to cyberattacks.  Brian Egan explains what that means for the UN, the Trump administration, and the future of international cooperation on cyber norms.

Finally, Stephanie Roy explains the significance of the latest spat between Ajit Pai and Mignon Clyburn over online privacy regulation.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-172.mp3
Category:general -- posted at: 5:13pm EST

Our guest, Ellen Nakashima, was coauthor of a Washington Post article that truly is a first draft of history, though not a chapter the Obama administration is likely to be proud of.  She and Greg Miller and Adam Entous chronicle the story of Russia’s information operations attack on the 2016 presidential election.

Want to know how it feels to have Donald Trump tweeting your article and taunting the last administration?  Don’t worry, we ask.  Also why was the NSA only moderately confident that Putin was trying to help Trump win, and how did the Obama administration manage to “choke” at every turn.  Jim Comey makes a cameo appearance, ironically refusing to go public with his agency’s assessment of the hack because it might look like he was trying to influence the election — whew! – that’s a bullet dodged!

We dwell on the Obama administration’s bad luck in announcing its judgment on Putin’s hack half an hour before the Access Hollywood story broke and an hour before Podesta’s emails were released.  Sometimes you win the news cycle; sometimes the news cycle wins you.

Finally, Ellen talks about the plan to implant cyberweapons in Russian infrastructure and where it stands.  What infrastructure, you ask?  Infrastructure so serious it was approved by a phalanx of Obama administration lawyers, of course.  It’s an echt-Obama moment, the kind of thing that is bound to be in history’s second draft as well.

We begin the news roundup, as our fans demand, with the latest in sex toy cybersecurity law.  On a more serious note, Jennifer Quinn-Barabanov asks whether the Seventh Circuit has stuck a fork in the data breach class action tactic of offering full damages to the named plaintiff.

Jon Sallet reviews the remarkable success of the Obama Justice Department in challenging mergers in court and argues that it’s likely to continue, if not with the same frequency.

Michael Vatis and I pan Justice Kennedy’s gassy ode to the “Cyber Age” in Packingham v. North Carolina, an opinion that is sure to be cited far more often for its overblown dicta than for its unsurprising holding.

Speaking of the Court, the Solicitor General is seeking review of the Microsoft Ireland case.  Michael and I assess the odds of an affirmance.

Meanwhile, Maury Shenk reports, European angst over the internet continues to force the pace of government action.  Despite a leak revealing its spying on the US Government, Germany is doubling down, expanding law enforcement’s authority to hack suspects’ phones.   And the European Council is calling on Member States to prepare to impose sanctions in response to cyberattacks.

And where will those attacks come from?  Ask the Western IT companies that have recently been forced to disclose their source code to Russian intelligence agencies.  Strictly for cybersecurity purposes, naturally.

And LabMD has at last had a judicial hearing for its objections to the FTC’s handling of its data security case.  Michael and I agree:  it was such a bad day for the FTC that the Commission’s decision to override its own ALJ opinion now looks like hubris of the first order.

And, finally, we cover the equally hubristic decision of some CIA staff to demonstrate their hacker cred by spoofing the Agency’s snack machines.  It may be some consolation to them in unemployment that their exploit was pretty clever.  Or, who knows, maybe they’ve been brought back to help the agency implant the Kremlin’s snack machines.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-171.mp3
Category:general -- posted at: 7:22pm EST

This week’s episode is a news roundup without interview.  We lead with the Senate’s overwhelming adoption of unexpectedly tough Russia sanctions along with the Iran sanctions bill.  The mainstream press has emphasized that the bill will lock the Obama sanctions into legislation, but Anthony Rapa explains that the bigger story is just how tough the bill will be on investors in Russia’s energy sector, including European and other third-country firms.  This is going to put heavy pressure on the House and its Republican majority, where enthusiasm for punishing Russia has been more tepid.

In other legislative news, the Freedom Caucus has announced that it doesn’t know what it wants from 702 renewal, but it wants something.  At least that’s how I read the Caucus’s two sentence press release on Section 702 renewal.  In its entirety, the release says, “Government surveillance activities under the FISA Amendments Act have violated Americans’ constitutionally protected rights.  We oppose any reauthorization of the FISA Amendments Act that does not include substantial reforms to the government’s collection and use of Americans’ data.” In a rare show of Cyberlaw podcast consensus, Michael Vatis agrees.

Meanwhile, NSA and GCHQ are now linking WannaCry to North Korea.  The bad news is that North Korea is bringing the same spirit to cyberattacks that it has brought to nukes and missiles.  The good news is that the North Koreans are still bad at cyberattacks.  But they were bad at nukes and missiles once as well.

And we circle back to put the boot in on Reality Winner – the self-proclaimed “pretty, white, and cute” dingbat who leaked an NSA memo on Russia’s election hacking to the Intercept, which then managed to match her opsec cluelessness with its own.  

The export of exploits for internal security purposes is getting plenty of press, as the BBC goes after exports from Denmark to the Arab world while the New York Times exposes misuse of exploits to compromise critics of the Mexican government

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-170.mp3
Category:general -- posted at: 4:47pm EST

In the news roundup, Benjamin Wittes makes a cameo appearance, defending Jim Comey (but not the FBI) from my suggestion that leaking has a long and unattractive history at the FBI.  Brian Egan takes us deep on federal records law.

Next, Ben actually finds himself to my right as we try to negotiate a quick resolution to the growing impasse over section 702.

I will never live it down. Nor will Ben.

Maury Shenk explains what the UK election means for tech.  Who knew?  The Unionists actually have a tech platform.

Maury and Brian muse on what the Qatar crisis tells us about cyberattacks – they may turn out to be much more effective as short-term one-offs than as sustained campaigns.

China has found a way to use its new cybersecurity law — to investigate Apple, naturally.  A better target would be the Chinese company Rafotech, which has installed something that looks a lot like spyware on 250 million machines.  I’ll be at the Irish government’s Data Protection Summit later this week, and I’ll be asking why the EU is wasting its human rights capital on fights with the US instead of China.

Finally, we cover Ukraine’s unusual new sanctions aimed at Russian social media companies, which are also Ukraine’s main social media companies?  No doubt there are censorship issues lurking in that program, but I can’t help wondering why human rights groups are riding the first amendment to the rescue of companies that dance to Vladimir Putin’s tune.

To close the episode, I interview Ben Buchanan, Fellow of the Cyber Security Project at the Harvard Kennedy School of Government.  I challenge the thesis of his book, The Cyber Security Dilemma: Hacking, Trust and Fear, and he holds up under the challenge pretty well.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-169.mp3
Category:general -- posted at: 6:05pm EST

Episode 168 features the Tinkers-to-Evers-to-Chance of global censorship, as Filipino contractors earning minimum wage delete posts in order to satisfy US tech companies who are trying to satisfy European governments.  In addition to Maury Shenk, our panel of interlocutors includes David Sanger, Chief Washington Correspondent for The New York Times, and Karen Eltis, Professor of Law at the University of Ottawa. Even if you think that reducing Islamic extremist proselytizing online is a good idea, I conclude, that’s not likely to be where the debate over online content ends up.  Indeed, even today, controls on hate speech are aimed more at tweets that sound like President Trump than at extremist recruiting.  Bottom line:  no matter how you slice it, the first amendment is in deep trouble.

In other news, I criticize the right half of the blogosphere for not reading the FISA court decision they cite to show that President Obama was spying illegally at the end of his term. Glenn Reynolds, I’m talking about you!

The EU, in a bow to diplomatic reality, will not bother trying to improve the Safe Harbor deal it got from President Obama.  Instead, it will try to get President Trump to honor President Obama’s privacy promises. Good luck with that, guys!

Wikimedia’s lawsuit over NSA surveillance has been revived by the court of appeals, and I find myself unable to criticize the ruling.  If standing means anything, it seems as though Wikimedia ought to have standing to sue over surveillance; whether Wikimedia should be wasting our contributions on such a misconceived cause is a different question.

China’s cybersecurity law has mostly taken effect Maury explains how little we know about what it means.

Finally, David Sanger, in his characteristic broad-gauge fashion, is able to illuminate a host of cyber statecraft topics: whether the North Koreans are getting better at stopping cyberattacks on their rocket program; how good a job did Macron really did in responding to Russian doxing attempt; and what North Korean hackers are up to in Thailand.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-168.mp3
Category:general -- posted at: 2:02pm EST

 

Episode 167 sees blockchain take over the podcast again.  With Stewart traveling, Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and digital currency.  Our guest is Meltem Demirors, Director of Development at Digital Currency Group.  Podcast regular Maury Shenk joins members of Steptoe’s Blockchain and Digital Currency Practice, including financial regulation practitioner Matt Kulkin, tax guru Cameron Arterton, and author of several recent smart contracts blog posts Jared Butcher, in breaking down the current state of affairs in the blockchain world.

Our episode begins by looking at the brewing controversy in the tax world.  Cameron skillfully takes us through IRS Notice 2014-21, which provided initial guidance for how virtual currencies would be treated for tax purposes, as well as the charmingly-named TIGTA Virtual Currency Report, released in September 2016, which told the IRS that it hadn’t done much beyond issuing this guidance to flesh out what it actually meant to consumers and businesses.  The IRS responded with the notorious Coinbase Summons, a John Doe summons that requested records of over 500,000 Coinbase subcribers.  Needless to say, this led to Coinbase users challenging the summons in court and moving to quash, while Congressional leaders question the wisdom of the IRS summons.  Cameron and Alan consider this an opportune moment for the IRS to work with the industry to develop additional guidance.

We then take on the emerging phenomenon of token sales, nicknamed Initial Coin Offerings or ICOs.  Matt and Alan tell us what in the world this is, how token sales work, and some of the legal challenges, including whether ICOs constitute sales of securities under the Howey test and the question of fiduciary duties.  Matt and Alan conclude that ICOs can vary significantly from each other and that ultimately virtual currencies and tokens may simply be a new asset class.

Steptoe has done a lot of writing lately on smart contracts, and Jared takes us through several recent Steptoe Blockchain Blog posts on reasons to put an arbitration clause in your company’s smart contracts, tips for drafting arbitration clauses in smart contracts, and best practices for limiting liability arising from smart contract vulnerabilities. Jared and Alan discuss the new approach companies need to take in considering issues like dispute resolution and liability limitations in the context of smart contracts.

We then go across the pond to Europe, where Maury gives us the status of the delayed EU proposal to extend AML regulation to virtual currencies.  Maury predicts that the legislation will pass this year forcing companies that provide virtual currency related services, such as exchanges and wallets, to comply with very burdensome requirements.

Finally, in the lightning round, Alan tells us about the recent surge in the price of bitcoin and other cryptocurrencies; Matt tell us about the future of leadership at the Commodity Futures Trading Commission and gives us an update on the Office of the Comptroller of the Currency’s proposed Fintech Charter, including a lawsuit by state regulators to head off this initiative.

In our interview, Meltem takes us through the current landscape of virtual currencies, including DCG’s recent launch of blockchain accelerator DCG Connect.  Meltem tells us about the current state of play for blockchain use cases and blockchain companies, and gives her thoughts on the ICO craze.  Meltem shares her thoughts on what she thinks are the most interesting things that she sees coming in the future, and she tells us what we should be looking for as signals that we’ve moved to the next stage of technical adoption of blockchain technology.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-167.mp3
Category:general -- posted at: 11:37am EST

In episode 166, we interview Kevin Mandia, the CEO and Board Director of FireEye, an intelligence-led security company.  FireEye recently outed a new cyberespionage actor associated with the Vietnamese government.  Kevin tells us how FireEye does attribution and just how good the Vietnamese are (short answer:  surprisingly good but apparently small in scale).  Along the way, we also cover questions such as whether China has its own set of forensic cybersecurity firms, how confident we should be about the attribution of WannaCry to North Korea, and whether PLA Unit 61398 should treat its designation as APT1 as a prestige designation, sort of like having “bob@microsoft” as your email address.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: SteptoeCyberlawPodcast-166.mp3
Category:general -- posted at: 10:09am EST

Episode 165 is a WannaCry Festivus celebration, as The Airing of Grievances overtakes The Patching of Old Machines. Michael Vatis joins me in identifying all the entities who’ve been blamed for WannaCry, starting with Microsoft for not patching Windows XP until after the damage was done.  (We exonerate Microsoft on that count.)

Another candidate for WannaCry Goat of the Year is (of course) NSA for allegedly letting a powerful hacking tool fall into the hands of the Shadow Brokers, who released it in time for WannaCry’s authors to drop it into their worm. Private industry’s fingerpointing at NSA has led to introduction of the PATCH Act, which tries to institutionalize (and tilt) the vulnerability equities process.  I raise a caution flag about trying to prevent harmful vulnerability leaks by spreading information about the vulnerabilities to a new batch of civilian agencies.  I also ask whether a rational equities process should require that companies  get the benefit of the process only if they agree to patch their products promptly and if they cooperate to the extent possible with law enforcement rather than forcing agencies to hack their products just to carry out lawful searches.  Somehow I’m guessing that will cool Silicon Valley’s enthusiasm for the whole idea.

Meanwhile, Shadow Brokers, widely thought to be Russian intelligence, may be having an equally awkward Festivus celebration with their masters, since the exploit they released seems to be causing more widespread discomfort in Russia than in the West, probably because of Russia’s high usage of unpatched pirate software.

The North Koreans should be on the carpet as well, since there is increasing reason to believe that WannaCry was a mostly failed effort by Kim Jong Un to raise money through cybercrime. The worm seems to have collected only $100 thousand in bitcoin for its authors, and the worst of its impact was likely felt in China, the world capital of pirated unpatched software.  Since North Korea seems to rely on China’s internet infrastructure to launch and control its cyberattacks, launching one that mainly hurts its host is typically shortsighted.

Finally, the victims don’t escape blame. The SEC unveiled its latest criticism of private sector security practices in the financial industry as the WannaCry publicity reached a peak.

Meanwhile, our own Jon Sallet joins the Oliver-Pai debate on net neutrality, and through the magic of radio, he is able to coffee-cup-shame both of them.  (Sound effects credit to www.zapsplat.com.)  As an encore, Jon explains why the European Commission fined Facebook $122 million over its acquisition of WhatsApp – without undoing the deal.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Episode_165.mp3
Category:general -- posted at: 10:48am EST

With our sound system back online, episode 163 is already a big step up from Lost Episode 162.  (Transcripts of 162 are available for those who wish by sending email to CyberlawPodcast@steptoe.com.)

Our interview is with Susan Munro, of Steptoe’s Beijing office.  Susan unwinds the complex spool of cyberlaw measures promulgated by the Chinese government.

In the news, Maury Shenk and I note that Putin reran his U.S. playbook in the French election, but the French were ready for him.  Indeed, what we originally thought to be crude Russian forgeries may actually be Macron “honey docs” meant to look like crude Russian forgeries. If so, my hat is off to Macron’s I.T. team. 

Meanwhile, Jennifer Quinn-Barabanov spots a new trend in cybersecurity litigation.  It’s nuts, but that’s not the new part.

The intelligence community’s latest transparency report reveals a shocking stat about “backdoor” FBI searches of 702 for criminal cases.  The bureau did that all of … one time.  Those who want to clog our security services with ever more burdensome processes are going to have to find a bigger scandal.  

The Republicans complaining about Susan Rice and “unmasking” can find more to work with in the report. Turns out that Americans were identified in masked or unmasked form in about 4000 reports last year, but by the time the report writers and the intelligence consumers were done, about 3000 reports had seen their Americans unmasked. With numbers like that, if the issue hadn’t been raised first by Republicans, every newspaper in America would be calling for an investigation of unmasking standards.

Okay, this is getting embarrassing.  The White House has now spent more time drafting a cyber EO calling for urgent reports from the departments than it’s giving the departments to write the urgent reports.  And so far, as Alan Cohn points out, all we have to show for it is … another leaked draft.

Jennifer explains why the latest Home Depot settlement is both good and bad for the plaintiffs’ bar. 

Alan dives deep for substance in the White House’s EO creating an American Tech Council.  He comes up empty.  The EO is purely procedural.

Maury explains the UK’s draft surveillance obligations, concluding there’s not much new in them.  And Germany’s intelligence service is complaining both about Russian hacking and about its lack of authority to, uh, hack back to destroy third party servers.  Chris Painter, call your office!

Alan tells us that DHS cybersecurity did pretty well in budget deal, but only if your point of comparison is EPA’s budget. 

At least DHS is making the right enemies.  Jennifer explains DHS backpedaling on the privacy rights of non-Americans.  And Alan and I flag the ABA’s interest in border searches of lawyers’ electronics.

Finally, in cybersecurity news, the Guardian plays the world’s smallest violin for billionaire superyacht owners, and the recent defeat of a common form of two-factor authentication will put new cybersecurity pressure on SS7.   

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-163.mp3
Category:general -- posted at: 4:52pm EST

In this episode, I debate Michael Schmitt, a prime mover in two Talinn Manuals on international law and cyber operations. We are joined by an expert on the topic and a new Steptoe partner, Brian Egan, who was formerly the State Department legal adviser, among other accomplishments. And among the hypotheticals is indeed a DDOS attack on the United States by internet-enabled vibrators with unchangeable default passwords. Because, as the news roundup covers, the FTC may soon be wrestling with the question of how to regulate such security violations.

Meanwhile, Michael Vatis and I clash over the meaning of the NSA’s decision to abandon productive intelligence collection. I think it’s risk aversion and a return to September 10. Michael thinks it’s too early to make that judgment.

Stephanie Roy gives an overview of Ajit Pai’s plan to undo the last two Federal Communications Commissions’ net neutrality strategies.

Michael reports on two Silicon Valley giants who fell prey to $100 million (each) cyberscams. I wonder if this means that technologists will stop gloating that Snowden and Shadowbrokers show that only private companies can be trusted to do security right.

This week in news that isn’t news at all: The Russians who hacked Clinton are going after Emmanuel Macron in France, says Trend Micro.  

Finally, vigilante justice seems to be sweeping the internet, as the spousal spyware firm, Flexispy, is doxed, and Brickerbot starts securing insecure IOT devices the hard way—by bricking them.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-162.mp3
Category:general -- posted at: 4:55pm EST

In this episode, Alan Cohn and Maury Shenk look at questions in Europe and elsewhere in Stewart’s absence. Maury delves into why Google was ordered to turn over foreign data accessible from U.S., a decision that seems at odds with the Microsoft Ireland case. Alan considers claims made by David Sanger and William Broad in The New York Times that U.S. blew up North Korea’s most recent missile test, and Jeffrey Lewis’s rebuttal in Foreign Policy.  Alan and Maury both remain skeptical.

Leaving the Korean peninsula, Maury discusses the current effort by EU data protection regulators to enact e-privacy regulations that would, among other things, put in place detailed standards for location tracking and content associated with metadata.  No surprises, but potentially more headaches for US industry.   And back on U.S. soil, Alan comments on the U.S. Justice Department’s apparent decisions to reconsider criminal charges against Wikileaks for the CIA cyber-tools leak.  Maury provides some color on the Trump Administration’s (lack of) views on Privacy Shield.

Finally, Alan reviews the bidding on dual-use export controls and cyber technologies, explaining both the most recent negotiations under the Wassenaar Arrangement and the EU’s efforts to amend its dual-use export controls to include cyber-surveillance technologies. 

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-161.mp3
Category:general -- posted at: 2:16pm EST

This week the podcast features an extended news roundup with two guest commentators—Julian Sanchez of the Cato Institute and Gus Hurwitz of Nebraska Law School.  

We talk about the latest, mostly overhyped, Shadowbrokers dump, and whether Google Translate can be taught to render plain text into Shadowbrokerese as well as Klingon.

Stephanie Roy kicks off speculation about the future of net neutrality in the Pai FCC. The future looks bright for litigators.

Abbott Labs takes a short but brutal session in the woodshed from the FDA. Looks like Abbott’s now-subsidiary, St. Jude Medical, knew for years that its backdoor could be found by outsiders, but it stuck to the view that hardcoded access was a feature not a bug. Too bad Uber has already trademarked the name, because if ever there were a feature that deserved to be called “God mode,” this is it.

Burger King triggers a technical battle with Google and an editing war with Wikipedia with a commercial that begins, “Okay, Google, what’s a Whopper burger?” But, law nerds that we are, all we can talk about is whether Burger King is liable under the Computer Fraud and Abuse Act.  

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-160.mp3
Category:general -- posted at: 12:00pm EST

Our guest interview is with Nick Weaver, of Berkeley’s International Computer Science Institute.  It covers the latest dumps of hacker tools, the vulnerability equities process, the so-bad-you-want-to-cover-your-eyes story of Juniper and the Dual_EC hacks, and ends with a tour of recent computer security disasters, from the capture of a bank’s entire online presence, to the pwning of Dallas’s emergency sirens and a successful campaign to compromise the outsourcing firms that supply IT to small and medium sized businesses.

In the news roundup, Maury Shenk, and Jamil Jaffer, of George Mason’s National Security Law & Policy Program, talk with me about the likely outcome of the European movement to regulate encryption.  The bad news for Silicon Valley is that the US isn’t likely to play much of a moderating role when the Europeans tighten the screws.

In other news, Jennifer Quinn-Barabanov explains the two-front battle that Wendy’s is facing (and mostly losing) over data breach liability.

I acknowledge the latest Silicon Valley fad:  filing lawsuits on behalf of their customers’ privacy.  So far, Twitter has chalked up a win, and Facebook a loss. 

LabMD has also chalked up another win, this time in a Bivens action to hold FTC officials personally liable for aggressively enforcing the law against the company as punishment for its outspoken critique of the Commission.  The case has mostly survived a motion to dismiss.  

Meanwhile in Massachusetts, outmoded privacy laws continue to burden would-be undercover journalists, and Jennifer reports that the prospects for invalidating a law banning recordings of oral conversations on first amendment grounds took a hit last week, at least as it relates to public officials.

Finally, in other computer security news around the globe, Germany’s security services are claiming a lack of authority to take needed action in response to cyber threats.  In India, in contrast, enthusiasts for better attribution of India’s populace are forcing everyone to register in a detailed identity database – despite the efforts of India’s top court to ensure that the system remains voluntary.  The death of anonymity will be a prolonged affair, but the outcome seems inevitable.
As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-159.mp3
Category:general -- posted at: 10:04am EST

Episode 157 digs into the security of the medical internet of things.  Which, we discover, could be described more often than we’d like as an internet of things that want to kill us.  Joshua Corman of the Atlantic Council and Justine Bone, CEO of MedSec, talk about the culture clash that has made medical cybersecurity such a treacherous landscape for security researchers, manufacturers, regulators, and, unfortunately, a lot of patients who remain in the dark about the security of devices they carry around inside them.  

In the news roundup, Phil Khinda takes us through the likely trend in SEC cybersecurity enforcement in the new administration.  Stephen Heifetz does the same for the Committee on Foreign Investment in the United States, or CFIUS.

I claim that Eli Lake’s Bloomberg story finally explains why Republicans think that Obama administration surveillance and unmasking of Trump team members needs to be investigated.  Stephen calls it a distraction.

In other news, Buzzfeed gets taken down by a lawyer with a sense of humor, big claims are made for the impact of the third Wikileaks Vault7 document dump, and Donald Trump may have forgiven Apple.  Finally, Jim Comey’s twitter account may have been outed; that’s the story, because the tweets themselves are anodyne in the extreme.

For those wanting to dig deeper into medical device cybersecurity, Joshua Corman recommends the following links, all referenced in the interview:

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-157.mp3
Category:general -- posted at: 10:02am EST

Our interview is with Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House and current President of the Cyber Threat Alliance. We ask Michael how the new guys are doing in his job, what he most regrets not getting done, why we didn’t float thumb drives filled with “The Interview” into North Korea on balloons, and any number of other politically incorrect questions. His answers are considerably more nuanced.

In the news roundup, we note that the second Wikileaks release is a damp squib, full of outmoded Apple exploits.

Michael Vatis and I unpack the Third Circuit ruling upholding imposition of contempt penalties on a defendant who has “forgotten” the password to his child porn trove.  It turns out that the case offers a road map for prosecutors and police who want to make sure no one ever forgets a password in their jurisdiction.

Stephanie Roy notes that Congress has begun the process of repealing the ISP privacy and security regulations adopted under Chairman Wheeler.  What, if anything, will replace them, and when, is a matter for lengthy speculation.

I note that the privacy zealots of Silicon Valley have fatally miscalculated the kind of support they’ll get in Europe for end-to-end encryption. Face it, guys, Europe hates you no matter what you do, and they’ll happily impose massive fines both for violating user privacy and for protecting it too well.

Does GCHQ spy on Americans for NSA? Nope. The real question is whether Rick Ledgett, number two at NSA, has already stopped sounding like a government employee when he talks to the press.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-156.mp3
Category:general -- posted at: 4:10pm EST

Episode 155 of the podcast offers something new: equal time for opposing views. Well, sort of, anyway.  In place of our usual interview, we’re running a debate over hacking back that CSIS sponsored last week.  I argue that U.S. companies should be allowed to hack back; I’m opposed by Greg Nojeim, Senior Counsel at the Center for Democracy & Technology and Jamil Jaffer, Vice President for Strategy & Business Development of IronNet Cybersecurity.  (Jeremy Rabkin, who was supposed to join me in arguing the affirmative, was trapped in Boston by a snowstorm.)

In the news, we can’t avoid the unedifying—and cynical—spat between press and White House over wiretapping. Turning to legal news, I note the D.C. Circuit’s adoption of a cursory and unpersuasive reading of the Foreign Sovereign Immunities Act in the context of state-sponsored hacking of activists in the United States. Maury Shenk unpacks the latest ECJ opinion refusing to apply the “right to be forgotten” across the board to government databases. So far, the only clear application is to American tech giants. That’s also true of the latest German proposal to make the internet safe for censors, government and nongovernment alike. As Maury explains, the German Justice Minister is proposing fines up to $50 million for tech giants that don’t censor online speech fast enough or hire enough European private censors to keep up with the workload.

The Justice Department’s indictments in the Yahoo! hack show just how remarkably intertwined Russian intelligence and Russian cybercrime have become.

Alan Cohn and I chew over the latest developments in the new administration’s approach to cybersecurity—a determination to cripple botnets more effectively, and a willingness to exempt SHS cyber programs from what looks like a drastic set of budget cuts for nondefense agencies. Whether the administration can make progress on botnets while sticking to voluntary measures is uncertain; equally uncertain is whether the plus-ups for DHS cyber reflects satisfaction with the agency’s performance on that mission in recent years. 

Finally, Maury and I ask whether the German government is surrendering to reality in pursuing more effective video surveillance of possible criminals and terrorists.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-155.mp3
Category:general -- posted at: 5:40am EST

In this week’s episode, we ask two acknowledged NSA cybersecurity experts, Curtis Dukes and Tony Sager, both from the Center for Internet Security, what they tell their family members about how to keep their computers, phones, and doorbells safe from hackers.

Joining us for the news round-up is Carrie Cordero, a Washington lawyer who focuses on national security law, homeland security law, cybersecurity and data protection issues.  She is also an adjunct professor of Law at Georgetown University.

Topping the news is the Wikileaks Vault7 release, including Assange’s mischievous offer to work with Silicon Valley to fix vulnerabilities before they’re disclosed.  Carrie, Markham Erickson, and I comment.

Stephanie Roy reports that the FCC is investigating a 911 outage at AT&T; so far the agency has been tight-lipped about the details.

Home Depot is nearing the finish line in its data breach ordeal, Jennifer Quinn-Barabanov reports. The banks that had to reissue credit cards were among the last holdouts; they’re getting $25 million, which sounds like a lot until you do the math and realize it’s two bucks a card.

Jennifer tells us that another defense effort to moot a TCPA class action by picking off a named plaintiff has been thwarted—this time by the Second Circuit.

Tom Graves (R-GA) has introduced a hackback defense to CFAA liability. Markham and I trade barbs over the wisdom of allowing hackback defenses, but we reach agreement on the depth of Uber’s greyballing problems—and the risk that more companies will use big data to disfavor some customers without telling them.

Carrie reports on developments in the FBI-Geek Squad imbroglio, and I mock the reporters who have bought the deeply unappealing defendant’s claim to be a civil liberties victim.

Last, and well worth the wait, Jennifer and I update our listeners on the latest in CyberSexToy privacy.  Turns out the records of interactions with your internet-enabled vibrator can be compromised for a surprisingly low settlement price. Maybe now we really ought to call the time of death for internet privacy.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-154.mp3
Category:general -- posted at: 1:57pm EST

In this episode, Matt Tait, aka @PwnAllTheThings, takes us on a tour of Russia’s cyberoperations. Ever wonder why there are three big Russian intel agencies but only two that have nicknames in cybersecurity research? Matt has the answer to this and all your other Russian cyberespionage questions.

In the news, we mourn the loss of Howard Schmidt, the first cyber czar and one of the most decent men in government. Then we descend into the depths of the Trump wiretap story. I reprise some of my views from Lawfare. Michael Vatis is not persuaded.

After Microsoft’s refusal to provide data stored in the cloud outside the U.S. was upheld in the Second Circuit, things looked rosy for its position. But now two magistrates in a row have rejected that position.  Michael and I discuss the latest ruling.

Maury Shenk is now our official commentator on the legal consequences of Internet-enabled toys. This time it’s teddy bears, whose interactions with children and parents were exposed by hackers.

More seriously, Maury praises an impressive new analysis of China’s 50c army of tweeters. It turns out that everything we thought we knew about the 50c army is wrong. 

Just in time for an early spring, we have harbingers of the coming fight over reauthorization of the 702 intercept program. Director of National Intelligence candidate Dan Coats promises to put a number on the US persons whose communications are caught up in the program, the Electronic Frontier Foundation (EFF) and other NGOs turn on both the US government and Silicon Valley to urge that Privacy Shield be held hostage to changes in the program. And the incoming Commerce Secretary, Wilbur Ross, endorses Privacy Shield, a move that may validate EFF’s tactics.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785

Direct download: SteptoeCyberlawPodcast-153.mp3
Category:general -- posted at: 11:52am EST

Our guest for episode 152 is Paul Rosenzweig, and we tour the horizon with him.

In the news roundup, Stephanie Roy outlines the deregulatory tangle around ISPs, privacy, security, and the FCC. Maury Shenk briefs us on the European legislation authorizing the quashing of terrorist advocacy on line. Jennifer Quinn-Barabanov explains when standing is a defense against privacy claims and when it isn’t. Together, we remark on the latest example of formerly stodgy banks embracing their inner plaintiffness.

Maury explains why the Germans have banned Cayla the talking (and listening!) doll. I ask whether the Germans next plan to ban speakerphones. (Likely answer: only if they come from America.)

Paul and I dig into the Amazon claim that the first amendment prevents enforcement of a criminal discovery order seeking Amazon Echo recordings. Hey, the suspect might have been ordering books, and that’s a First Amendment activity, says Amazon; and anyway, what Alexa said back to the suspect was an exercise of Amazon’s First Amendment rights. These arguments cry out for the command most frequently heard by my music-playing Echo: “Alexa, that’s enough.”

Almost as unpersuasive to Paul and me is magistrate judge David Weisman’s refusal to issue an order allowing the police to search a home and make anyone on the premises put their fingers on their iPhones to unlock them. That act is testimonial in Weisman’s opinion because, well, because he says it is. (His Fourth Amendment analysis is better, but hardly compelling.)

Paul explains the dramatic clash of cultures hidden in the otherwise esoteric battle between the GSA’s inspector general and “18F,” an Obama-meets-Silicon-Valley effort to streamline government IT development. Like any good tragedy, you knew from the start that this trainwreck was coming, but you still can’t look away.

The draft cyber executive order still isn’t out, despite what looks like a much more disciplined vetting process than other EOs went through. What’s the reward for running a good interagency process in a White House not noted for such discipline? The Homeland Security Council may get folded under the National Security Council.

No one has heard of the National Association of Secretaries of State in 50 years. And if you want to know why, we say, look no further than NASS’s foolish resolution objecting to the designation of electoral systems as "critical infrastructure."

Finally, Paul and I noodle over DHS’s request that Chinese visitors to the US voluntarily disclose their social media handles. I predict that this puts the frog in the pot and the stove on simmer. Meanwhile, Paul finds one border security measure that even I wouldn’t adopt.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 
Direct download: SteptoeCyberlawPodcast-152.mp3
Category:general -- posted at: 3:20pm EST

In this episode, Stewart Baker goes to RSA and interviews the people that everyone at RSA is hoping to sell to—CISOs. In particular, John “Four” Flynn of Uber, Heather Adkins of Google, and Troels Oerting of Barclays Bank. We ask them what trends at RSA give them hope for the future, which make them weep, what’s truly new in cybersecurity, and what kind of help they would like from government. 

While Stewart’s traveling, Alan Cohn takes over the news roundup. We start with some news from the RSA Conference keynotes. Brad Smith, President of Microsoft, called for a cyber “Geneva Convention” on behalf of the sovereign nation of Microsoft. And Rep. Michael McCaul (R-TX), chair of the House Committee on Homeland Security, announced his opposition to backdoors in encryption, lining up with former Secretary of Homeland Security Michael Chertoff and former NSA and CIA Director Michael Hayden, but against current Attorney General Jeff Sessions and current FBI Director Jim Comey.

In news from across the pond, Maury takes us through the EU’s efforts to take on robots.  We coin the term #EURobotHammer in the process (it’s complicated). Maury also tells us whether the Russians are hacking the French elections (it’s complicated).

Back stateside, Alan asks what the cyber implications are of "out like Flynn, in with McMaster" at the National Security Council. Alan also confides in us about White House staffers’ use of confidential messaging apps like Confide (see what I did there?). 

Finally, Alan takes us through a few quick hits on CrowdStrike vs NSS Labs, the SASC’s new Cyber subcommittee, and Yahoo!’s $350M haircut.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-151.mp3
Category:general -- posted at: 5:48pm EST

In our interview this week, we explore multiple worthwhile Canadian initiatives with Dominic Rochon, deputy chief of policy and communications for CSE, Canada’s version of the NSA and with Patricia Kosseim, general counsel and director general for policy at the Office of Canada’s Privacy Commissioner. Among other things, we take a close look at Canada’s oversight regime for intelligence, in which a retired judge gets to exercise executive authority over the CSE—in contrast to the US system where active judges do the same but pretend they’re carrying out a judicial function.

In the news roundup, Judge Robart is doing his best to hog the judicial headlines, not only blocking the Trump administration’s immigration policy but giving support to Microsoft’s suit to overturn discovery gag orders en masse. His opinion allows Microsoft to proceed with a lawsuit claiming that gag orders violated the First Amendment.

The Trump Administration could soon begin asking foreigners coming to the United States—particularly from some Muslim-majority countries—to turn over their social media accounts and passwords. This is a policy begun under the Obama administration and supported by bipartisan homeland security groups.  I predict that it will nonetheless soon be trashed by the press as an Evil Trump Initiative.

Tallinn 2.0 is out. It applies international law to cyber activity at and below the threshold of armed conflict. Color me skeptical.

The cybersecurity Executive Order that’s been hanging fire for weeks is still hanging fire. A new draft has been leaked, though, and it’s better.

Hal Martin is indicted for stealing massive amounts of data from NSA and perhaps others. According to a Washington Post report, US officials think Martin may have stolen 75%of the NSA’s hacking tools. Ouch.

In other news, Rick Ledgett, the No. 2 official at the NSA is leaving but not because of TrumpAnd Google has told several prominent journalists that state-sponsored hackers are trying to break into their inboxes.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-150.mp3
Category:general -- posted at: 2:38pm EST

Our guest for episode 149 of the podcast is Jason Healey, whose Atlantic Council paper, “A Nonstate Strategy for Saving Cyberspace,” advocates for an explicit bias toward cyber defense and the private sector.  He responds well to my skeptical questioning, and even my suggestion that his vision of “defense dominance” would be more marketable if paired with thigh-high leather boots and a bull whip. #50ShadesofCyber.

In the news roundup, we experiment with, uh, actual legal discussion.  The Microsoft Ireland case has company; Google recently lost a similar argument before a magistrate judge – maybe because it couldn’t say where the data it wanted to protect from disclosure actually was.  Michael Vatis explains.

Meredith Rathbone and I take a victory lap over CNN and its reporters, noting that if they’d listened to the podcast, they’d have known a month early that US sanctions had unexpectedly prevented US companies from filing license applications with Russian intelligence agencies – and that allowing companies to make such filings wasn’t an opportunity for hyperventilating about President Trump’s bromance with Putin.

Michael and I also deconstruct Supreme Court nominee Neil Gorsuch’s opinion in US v. Ackerman.  The opinion calmly and clearly puts a hole below the waterline in a longstanding approach to collecting evidence in child porn cases.  If this case gives a clue to his jurisprudence, it seems unlikely that a Justice Gorsuch will be a pushover for government arguments.

Can American companies sue governments that hack them in the US?  I hope so, but that depends on whether the Foreign Sovereign Immunities Act provides protection for malware sent from abroad that does its damage here.  In an unlikely-bedfellows moment, I’m depending on EFF to make that argument to the DC Circuit.

And, to follow up on two stories we covered earlier, Brexit authority slips quickly through the House of Commons, while Google’s penny-pinching settlement of a massive “wiretapping” class action is approved over objections to the cy pres payments to the usual NGOs.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-149.mp3
Category:general -- posted at: 5:13pm EST

Our guest for episode 148 of the podcast is Corin Stone, the Executive Director of the National Security Agency.  Corin handles some tough questions – should the new team dump PPD-28, how is morale at the agency after the Snowden and Shadowbroker leaks, and will fully separating Cyber Command from NSA mean new turf fights?  I give Corin plenty of free advice and, more usefully, our first in-person award of the coveted Steptoe Cyberlaw Podcast coffee mug.

In the news, Alan Cohn and I cover the Second Circuit’s much-ado-about-nothing package of opinions on rehearing the Microsoft-Ireland case.

Maury and I discuss what the new White House executive order on the privacy rights of foreigners means – as well as Donald Trump’s meeting with Theresa May (including whether they talked about Russia sanctions).  Also on the agenda:  Has Donald Trump already surpassed Barack Obama’s lifetime record for holding hands with prominent White House visitors?

Speaking of Peter Thiel, Jennifer Quinn-Barabanov and I speculate about whether FTC commissioner Maureen Ohlhausen will pull the FTC back from the ledge on suing companies for security flaws that don’t cause demonstrable consumer harm.  And whether Peter Thiel is looking for someone else to chair the FTC.

In other news, no new executive order on cybersecurity yet, despite (or because of) the leaks China disses attribution.  And ADT settles an early IOT security class action.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Episode_148.mp3
Category:general -- posted at: 12:37pm EST

Our guest interview is with Jack Goldsmith, Shattuck Professor of Law at Harvard and co-founder of Lawfare. We explore his contrarian view of how to deal with Russian hacking, which leads to me praising (or defaming, take your pick) him as a Herman Kahn for cyberconflict. Except what’s unthinkable in this case are his ideas for negotiating, not fighting, with the Russians.

In the news roundup, I ask Michael Vatis whether the wheels are coming off the FTC’s business model, as yet another company refuses to succumb to the commission’s genteel extortion. 

The Obama Administration came to an end last week, and its officials left behind a lot of paper to remind us why we’ll miss them—and why we won’t. A basically sympathetic review of the administration’s cyber policies ends with a harsh judgment on President Obama: “He did almost everything right and it still turned out wrong.”

Among the leftovers served up last week: a farewell statement on privacy that seems unlikely to prove relevant in the new administration, a workman-like report on cyber incident responsea wistful FCC public safety bureau report on the commission’s cybersecurity initiatives, and a zombie notice that showed up in the Federal Register three days into the Trump administration, implementing the Umbrella Agreement on data protection with the EU. Maury Shenk evaluates the agreement and its prospects.

And just to make sure we haven’t forgotten the new team’s rather different approach, it posted a policy statement on how good its cyber policy will be. It reads, in its entirety, “Cyberwarfare is an emerging battlefield, and we must take every measure to safeguard our national security secrets and systems. We will make it a priority to develop defensive and offensive cyber capabilities at our U.S. Cyber Command, and recruit the best and brightest Americans to serve in this crucial area.”

I try a quick explanation of the flap between security researchers and the Guardian over an alleged “back door” in WhatsApp messaging. Somehow, the Iran-Iraq war makes an appearance.

And, in a first for the Steptoe Cyberlaw Podcast, Alan Cohn reports as our roving foreign correspondent from, where else, Davos. Want to know what the global 1% are worried about—other than you? Alan has the answers.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-147.mp3
Category:general -- posted at: 1:15pm EST

Would it violate the Posse Comitatus Act to give DOD a bigger role in cybersecurity? Michael Vatis and I call BS on the idea, which I ascribe to Trump Derangement Syndrome and Michael more charitably ascribes to a DOD-DHS turf fight.

Should the FDA allow implants of defibrillators with known security flaws—without telling the patients who are undergoing the surgery?  That’s the question raised by the latest security flaw announcement from the FDA, DHS, and St. Jude Medical (now Abbot Labs).

Repealing the FCC’s internet privacy regulations is well within Congress’s power if it acts soon, says Stephanie Roy, who stresses how rare it is for a Republican president to control both houses of Congress.  (And who says President Obama didn’t leave a legacy?)

The European Commission isn’t done complaining about U.S. security programs, Maury Shenk tells us. Vera Jourova wants to know more about the U.S. request that Yahoo! screen for certain identifiers and hand over what it finds. That’s apparently too useful for finding terrorists to satisfy delicate European sensibilities  Speaking of which, Angela Merkel is in the bulls-eye for Russian doxing.  And to hear Maury tell it, Russia has probably been collecting raw material for years.

Should we start treating Best Buy computer support as though its geeks work for the FBI? And would that be a defense if they find bad stuff on our computers without a warrant? Michael thinks it’s more complicated than that.

Speaking of overhyped stories, Michael and I unpack the claim that President Obama’s team is handing out access to raw NSA product with unseemly haste and enthusiasm. In fact, this proposal has been kicking around the interagency for years, and the access is heavily circumscribed. As for the haste, it could be the outgoing team is afraid its proposal will be unduly delayed—or that all its circumscribing will be second-guessed. You make the call!

And for something truly new, we offer “call-in corrections,” as Nebraska law professor Gus Hurwitz tells us about the one time the FTC discussed the NIST Cyber Security Framework.  It’s safe to say that this correction won’t leave the FTC any happier than my original charge that the agency can’t get past “Hey! I was here first!”

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-146.mp3
Category:general -- posted at: 10:29am EST

Steptoe Cyberlaw Podcast – Interview with Davis Hake and Nico Sell

Episode 145:  What Donald Trump and “Occupy Wall Street” have in common

We interview two contributors to CSIS’s Cybersecurity Agenda for the 45th President.  Considering the track record of the last three Presidents, it’s hard to be optimistic, but Davis Hake and Nico Sell offer a timely look at some of the most pressing policy issues in cybersecurity.

In the news roundup, it’s more or less wall to wall President-elect Trump. Michael Vatis, Alan Cohn, and I talk about Russian hacking, the American election, Putin’s longtime enthusiasm for insurgent movements from “Occupy Wall Street” to “Make America Great Again,” and the President-elect’s relationship with the intelligence community.

In other news, I’m forced to choose between dissing the New York Times and dissing Apple’s surrender to Chinese censorship. Tough call, but I make it. Speaking of censorship, Russia is rapidly following China’s innovation in app store regulation.  For legal antiquarians, I suggest that the Foreign Agent Registration Act deserves a comeback.

It seems to be solidarity week.  Lots of amici have leapt to support LabMD in court now that it looks like a winner Meanwhile I stick up for Mike Masnick, the man who puts the dirt in Techdirt. He may be an colorfully opinionated jerk, but he doesn’t deserve to be a defendant.  And I congratulate Lawfare for joining the Europocrisy campaign on Schrems and China.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

 

Direct download: SteptoeCyberlawPodcast-145.mp3
Category:general -- posted at: 4:07pm EST

We start 2017 the way we ended 2016, mocking the left/lib bias of stories about intercept law.  Remember the European Court of Justice decision that undermined the UK’s new Investigatory Powers Act and struck down bulk data retention laws around Europe?  Yeah, well, not so much.  Maury Shenk walks us through the decision and explains that it allows bulk data retention to continue for "serious" crime, which is really the heart of the matter.

We can’t, of course, resist an analysis of the whole Russian election interference sanctions brouhaha.  The FBI/DHS report on Russian indicators in the DNC hack is taking on water, and its ambiguities have not been helped by a Washington Post article on alleged Russian intrusion into Vermont Yankee’s network.  That story had to be walked way back, from an implicit attack on the electric grid to an apparently opportunistic infection of one company laptop.  No one is surprised that there’s an increasingly partisan split over who’s going to answer the phone now that the 1980s really have called to get their foreign policy back. 

Meredith Rathbone walks us through the revamp of the Obama Administration’s cyber sanctions in an attempt to address election meddling.  And we manage to find a legal twist to the new sanctions on the FSB.  Turns out that large numbers of U.S. tech firms have to deal with the FSB, not as a buyer of services but as a regulator, both of encryption and intercepts inside Russia.  If the sanctions prohibit dealing with FSB as a regulator, Maury reports, they could end up imposing unintentionally broad restrictions on a lot of US companies doing business in Russia.

Meredith also updates us on the Wassenaar effort to control exports of “intrusion software”—which some European governments seem to want to regulate in a way that does maximum damage to cybersecurity.  The overreaching was blunted in a recent Wassenaar meeting, but not nearly as much as the U.S. government—and industry—had hoped.  The issue won’t go away, but it will soon become an appropriate job for the author of “The Art of the Deal.”

Finally, Jennifer Quinn-Barabanov takes us on a tour of the dirtier back streets ofprivacy class action practice—otherwise known as cy pres awards and their challengers.  It sounds like “genteel corruption” to me, but you be the judge.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-144.mp3
Category:general -- posted at: 11:01am EST

1