The Cyberlaw Podcast

In a news-only episode, we get a cook’s tour of the RSA conference from attendees Paul Rosenzweig, Jim Lewis, and Stewart Baker. Top trends we saw at RSA: more nations attacking cybersecurity firms over attribution, more companies defending themselves outside their own networks ("hacking back"), and growing (if still modest) respect for the Department of Homeland Security's role in cybersecurity. Oh, and Microsoft’s Digital Geneva Convention is still a mashup of profound naïveté and deep cynicism, but Microsoft’s Cyber Tech Accord may do better—at least until the Federal Trade Commission gets hold of it.

In other news, ZTE is going to be hammered for showing contempt for U.S. export control enforcement. But the back-splatter on U.S. suppliers will be severe as well. The United States is picking a big, big fight with China on the future of technology, and it’s going to need a strategy. Xi Jinping reads the writing on the wall.

Speaking of big fights, Telegram is in a doozy with Russia over its refusal to supply crypto keys to the government. It looks as though Telegram’s use of Google and other domains as proxies (“domain fronting”) is making it hard for Russia to work its will without harming other internet companies. So far, it looks as though Russia is willing to bring the pain, but the ban isn’t completely effective.

In what may be related news, Google is engineering domain fronting out of its products. The press whining about the civil liberties implications of Google’s moves triggers a classic Baker rant about how privacy zealots don’t really care about security—since domain fronting is a principal method by which network security is defeated and crime facilitated.

And while my rant is rolling, why not include the EU’s shameful drive-by execution of the WHOIS database. I call on the Obama NTIA officials who killed off our last leverage over ICANN to apologize to Ted Cruz for the debacle.

Maury lays out the remarkable parallelism between the U.S. Cloud Act and a new EU regulation on cross-border data sharing for law enforcement.

Finally, or nearly so, Paul unpacks the way in which liability for the SWIFT hacks may drive cybersecurity standards for banks.

And in closing, I note that China is now the clear leader in face recognition, having found a single suspect in a crowd of 60,000 concertgoers. It’s the leader not because of China’s technical strength, though that’s impressive, but because of Silicon Valley political correctness. Remember that when law enforcement agencies end up buying Chinese tech and paying the cybersecurity price.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, click here.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 213th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-213.mp3
Category:general -- posted at: 11:19am EDT

In episode 212 of the podcast, Stewart Baker is at RSA, and Brian Egan, Maury Shenk, and Pete Jeydel of Steptoe are joined by David Kris and Nate Jones of Culper Partners LLC to cover the good, the bad and the ugly of the week that was.

In U.K. cyber issues: Brian, Maury, David and Nate discuss the U.S.-U.K.-France weekend airstrikes against Syria’s chemical weapons program, and reported threats of Russian “cyber retaliation” against the British. We also note the continued trends of intelligence disclosures reflected in last week’s speech by the GCHQ director condemning Russia over the Skripal attack and disclosing U.K. offensive cyber operations against the Islamic State.

David provides insights into the government’s proposed use of a U.S. government “taint team” to conduct a privilege review of the materials seized during the FBI’s raid of Michael Cohen’s offices. Bottom line: (1) Warrants to seize evidence from attorneys are relatively rare but not unprecedented, (2) President Trump and Michael Cohen’s requests to conduct their own screening of the materials probably won’t fly, and (3) a scenario in which an independent special master oversees the review is quite possible (but has been delayed for the moment).

Maury discusses the latest in the Schrems data protection litigation against Facebook: last week’s unsurprising decision by the Irish high court to refer questions related to the EU Standard Contractual Clauses to the European Court of Justice. Maury explains why he remains skeptical that the EU court will invalidate the use of these clauses.

Pete explains why Treasury is probably considering its (very broad) options under the International Emergency Economic Powers Act in answering President Trump’s call for more restrictions on Chinese investments.

And David and Nate discuss the latest in the encryption debates, including a Justice Department inspector general's report criticizing the FBI’s mishandled attempts to break the encryption of the San Bernardino shooter’s iPhone, and the latest in encryption-decryption litigation before the lower courts.

Steptoe Partner Brian Egan (right) with Nate Jones


Download the 212th Episode (mp3).


Direct download: TheCyberlawPodcast-212.mp3
Category:general -- posted at: 11:14pm EDT

Our interview is with Chris Bing and Patrick Howell O’Neill of Cyberscoop. They’ve broken two cyberscoops in the last week or so. First, an in-depth look at Kaspersky’s outing of a U.S. cyberespionage program aimed at foreign terrorists. Hint to Kaspersky: Bringing out a brass band to warn terrorists that they’re being tracked by the US government is not likely to help you win your PR and legal battles in the United States. Chris Bing also covers his other scoop—the surprisingly advanced talks among the leaders of the Senate judiciary committee on a bill to address the FBI’s “going dark” problem.

In the news, Jennifer Quinn-Barabanov and I debate the impact of two recent incidents on the future of self-driving cars. She thinks they’ll weather these events and that the lives such cars save will outweigh the deaths. I’m less sure, mainly because the mistakes that lead to autonomous vehicle deaths are so different from the usual human-driver error and therefore inherently compelling and disquieting.

Nick Weaver and I cover the Grindr security flap and the company's transmission of HIV status without complete encryption protection. I think there’s less to the story than meets the eye and that Grindr is getting more heat than it deserves.

Sens. Ed Markey (D.-Mass.) and Blumenthal (D.-Conn.), on the other hand, deserve a lot more heat than they’ve gotten so far. How clueless can they be to send thirteen “when did you stop beating your husband” questions to Grindr’s CEO and not notice that he’s based in Hong Kong? In fact, Grindr was bought last year by a Chinese company. Neither senator, though, bothers to ask where the database of gay Americans is stored and what access the Chinese government has to it, or how that deal got through CFIUS. Sad! To coin a phrase.

Nick covers the big new internet-of-things botnet’s tryout and asks why it was the banks that got attacked. I’ve got some theories, as does Nick. Along the way, he dispenses advice for people who have just realized that their router is probably the weakest link in their home network’s security.

When does the first amendment allow researchers to violate websites’ terms of service? Judge John Bates has some preliminary answers in the Sandvik case, says Brian Egan, who thinks the case may turn into an important and perhaps unhappy ruling for websites in the future.

In other topics, Softbank is getting a CFIUS workout. YouTube’s demonetization policy leads to a mass shooting and suicide at company headquarters. Stingrays blanket the District of Columbia. And Keeper can’t even get through a news cycle about its lame lawsuit without another story about its lame security.


Download the 211th Episode (mp3).


Direct download: TheCyberlawPodcast-211_1.mp3
Category:general -- posted at: 11:48am EDT

In the news roundup, Nick Weaver, Ben Wittes and I talk about the mild reheating of the encryption debate, sparked not just by renewed FBI pleading but by the collapse of the left-lib claim that building in access is impossible because math. The National Academy report on encryption access has demonstrated that access is practicable, with support from a group of prominent tech experts, such as Ray Ozzie, all of whom know math.

Speaking of law enforcement, it was a good week for cybercrime enforcement. Nick and I touch on two victories for the good guys, with the Carbanak mastermind busted in Spain and Yevgeny Nikulin extradited to the U.S. over Russian objections.

Meanwhile, the Department of Homeland Security is moving forward on one of the more significant efforts to prevent terrorist travel across borders by using social media data effectively. The agency will be requiring social media names (but not passwords) from visa applicants, according to a proposed rule now gathering comments. Maury Shenk, Ben, Nick, and I talk about the privacy and first amendment issues implicated by the policy. We don’t agree on most of those issues.

But we find surprising unanimity in mocking Julian Assange for deservedly losing his internet access at the Ecuador embassy. The panel even endorses Matt Green’s wicked suggestion for trolling Assange from the sidewalk outside Assange’s Ecuadoran squat.

We close with a quick sack dance over the prone form of Keeper Security, which has dropped its libel suit against Dan Goodin and Ars Technica, probably because it was going to lose; the defendants’ coverage of Keeper’s serious security problems was straight and fair. Bottom line: there are plenty of good password managers; why use one whose management sues to suppress news of its product’s security holes? When that sinks in, Keeper won’t just be a loser; here’s hoping it will be a weeper too.

Our interview with David Sanger covers the vulnerability of the US grid, the psychic income and electoral popularity that Vladimir Putin gets from crossing the West’s red lines, and whether we’d be better off sparking an escalating set of cyberattacks now or later.

If the last question reminds you that John Bolton will soon be the national security adviser, you’re not alone. We take a few minutes off from plumbing cyberlaw to explore just what kind of national security adviser Bolton will be. My bottom line: better than his reputation, and maybe much better.

 

Maury Shenk, Ben Wittes and Stewart Baker (left to right)

 

Steptoe partner Stewart Baker with David Sanger


The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 210th Episode (mp3).


Direct download: TheCyberlawPodcast-210.mp3
Category:general -- posted at: 9:33am EDT
