The Cyberlaw Podcast

Our guest for the interview is Noah Phillips, recently appointed FTC Commissioner and former colleague of Stewart Baker at Steptoe. Noah fields questions about the European Union, privacy, and LabMD, about whether Silicon Valley suppression of conservative speech should be a competition law issue, about how foreign governments’ abuse of merger approvals can be disciplined, and much more.

The imminent passage of the must-pass National Defense Authorization Act yields a deep dive on the bill. Most important for business lawyers, the bill will include a transformative rewrite of CFIUS’s investment-review procedures and policies.

Gus Hurwitz lays out many of the cyber issues addressed by the NDAA, while Dr. Megan Reiss explains the act’s creation of a “Solarium” commission designed to force serious strategic thinking about cybersecurity and cyberweapons. I offer my contribution to that debate—an effort to think the unthinkable and come up with tougher options for responding to serious cyberattacks. Since we’re trying to think the unthinkable, I argue, we’re really rooting for the itheberg, so I’ve dubbed it the Itheberg Project. (There must be a Robert Frost reference in there somewhere—about the world ending in solarium or in ithe—but I can’t find it.) I do, however, make an unusual double-barreled offer to those who might want to participate in the Itheberg Project.

 

All that pales next to a surprisingly lively discussion of circuits splitting over insurance coverage of cyber-related fraud losses. Gus and Matthew Heiman predict that the Supreme Court (or an insurance contract rewrite) will be necessary to resolve the issue – and both of them think the issue is well worth the Court’s time. No one tell Judge Kavanaugh or he may just decide to stay on the DC Circuit!

In a “lightning” round that the FTC may soon investigate for deceptive labeling:

Download the 228th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-228.mp3
Category:general -- posted at: 7:45am EST

In our 227th episode of The Cyberlaw Podcast, Stewart Baker interviews Bobby Chesney (@BobbyChesney), who recently co-authored a paper with Danielle Citron (@DanielleCitron) titled, “Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security.” Stewart and Bobby are joined by Maury Shenk, Nick Weaver (@ncweaver), and Patt Cannaday to discuss:

  • Is the EU’s $5 billion fine on Google a bad idea grounded in anti-Americanism? President Trump seems to think so;
  • The DOJ cyber digital report (PDF) sets sensible new standards for avoiding partisanship while naming foreign states trying to influence US opinion – but if DOJ gives Big Tech special access to intelligence, will Big Tech use the intel in a nonpartisan way?
  • Recent speculative execution attacks on Intel and ARM processors (Spectre et al.);
  • Overdoing it wrong? Senate doesn’t just cave on ZTE penalties for violating export control law – it also caves on US supply chain worries;
  • The FISA document dump on Carter Page – sure, it undercuts Devin Nunes, but what are the ramifications for FISA applications that rely heavily on news media articles?
  • All 50 states have taken federal funds (PDF) to improve election cybersecurity – now it’s up to them to deliver a secure election in November;
  • EU and Japan agree on mutual adequacy findings allowing personal data transfers – but will the findings meet the European Court of Justice’s absurdly solipsistic requirements?

You can also find Bobby Chesney on the National Security Law Podcast(@NSLpodcast), which he co-hosts with Steve Vladeck (@steve_vladeck). If you want to learn more about deep fakes, check out the Heritage Foundation’s recent discussion in which Bobby participated.

Download the 227th Episode (mp3).

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-227.mp3
Category:general -- posted at: 3:08pm EST

In Episode 226 of the Cyberlaw Podcast, Stewart departs for the wilderness, and the news-roundup team (Brian Egan with Matthew Heiman, Jim Lewis, and Megan Reiss) muddles through without him.

Matthew and Jim discuss Friday’s indictment of 12 Russian GRU personnel by the Department of Justice and Special Counsel Robert Mueller. Matthew explains that, while we shouldn’t expect extradition proceedings to take place any time soon (or ever), the Justice Department has a theory for pursuing these types of indictments in selected cases. Stewart weighs in by Twitter, bemoaning somewhat surprisingly (given the source) that the indictments reflect a poor interagency coordination process and a lack of appreciation for diplomacy. From Jim’s perspective, these indictments are about as good as diplomacy is going to get on this issue…

Matthew walks through the continued bipartisan work in the Senate on the Secure Elections Act, which would facilitate information sharing amongst the states on election threats and take other steps in an attempt to improve election cybersecurity. Matthew explains that federalism may well end up limiting what can be done (or what Congress will agree to do) on this issue.

Megan weighs in on Commerce’s announcement on Friday that it lifted the Denial Order against ZTE after ZTE paid an additional $1.4 billion in penalties and took other steps pursuant to the new settlement agreement reached in June. Megan forecasts continued pressure on ZTE from Capitol Hill, even if the additional penalties against ZTE are generally seen as significant. Jim thinks that the U.S. government’s approach to ZTE is shortsighted and may end up harming national security interests down the road.  

Megan and Jim also discuss the efforts of another Chinese company – the video surveillance camera company Hikvision—to fight back against U.S. government concerns related to espionage. We ask ourselves: Is there anything that a Chinese company can do to rebut US espionage and related concerns? And Jim weighs in on the “state of the state” of the 2015 "no commercial cyberespionage" handshake agreement between the U.S. and China, which the State Department confirms is the rare international deal entered into under President Obama that has not yet been ripped up by President Trump.

Elsewhere, Matthew explains why Twitter follower numbers dropped precipitously last week after Twitter’s latest attempts to clean up suspicious accounts. (Justin Bieber and Katy Perry were hit hard, but Stewart’s account may be down to zero.) Luckily, Jim has some practical tips for maintaining one’s Twitter follower numbers.

And finally, Jim weighs in on a workmanlike Government Accountability Office report on the Committee on Foreign Investment in the United States, the Department of Defense, and national security concerns—which concludes, among other things, that (1) technology transfers should be an area of concern for the U.S. government and (2) the U.S. government is poorly situated to identify the areas of technology transfer that should be of concern. Over to you, Congress!

Stewart takes over for the interview of Woody Hartzog, author of “Privacy’s Blueprint: The Battle to Control the Design of New Technologies,” and a professor of law and computer science at Northeastern. Woody’s thesis is that traditional privacy law has focused unduly on notice and consent, yielding unreadable privacy notices and consents that mean nothing but have great legal impact. Instead, he suggests a focus on how platforms design their user interfaces, borrowing from consumer protection and products liability law. Stewart’s skeptical of the open-ended nature of the obligations Woody would like Silicon Valley to undertake, but they both at least agree that designers and government are surprisingly well-matched bedfellows.

Download the 226th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: 176084.mp3
Category:general -- posted at: 4:41pm EST

Our interview is with Gen. Michael Hayden, author of "The Assault on Intelligence: American National Security in an Age of Lies." Gen. Hayden is a former head of the CIA and NSA, and a harsh critic of the Trump Administration. We don’t agree on some of his criticisms, but we have a productive talk about how intelligence should function in a time of polarization and foreign intervention in our national debates.

In the news, David Kris reports that ZTE has gotten a limited life-support order from the Commerce Department. Meanwhile, Nate Jones tells us that China Mobile’s application to provide telecom service to Americans is also likely to bite the dust – after nearly seven years of dithering. On Facebook, Tony Rutkowski suggests we call this the revenge of the “neocoms.” So we do.

Remarkably, the European Parliament fails to live down to my expectations, showing second thoughts about self-destructive copyright maximalism. Nick Weaver thinks this outbreak of common sense may only be a temporary respite.

Paul Rosenzweig confesses to unaccustomed envy of EU security hardheadedness. Turns out that Europe has been rifling through immigrants’ digital data in a fashion the Trump Administration probably wouldn’t dare to try. More predictably, the Israelis are digging deep into social media to combat the stabbing attacks that afflicted the country until recently.

The DNC is trying to improve security, and it has trained 80% of its staff not to click on bad links. But as Nick Weaver and Paul Rosenzweig point out, that’s not good enough – even though there are few institutions that can get much above the DNC’s 80%. The answer? Nick says it’s two-factor authentication. We join forces to nudge Firefox toward offering the same level of support for 2FA as Google Chrome.

The feds are getting wise to the Dark Web, Nick tells us. They’re focusing on compromising the money launderers – and then their customers. This looks like a strategy that could work for the long haul.

Finally, David Kris revisits NSA’s still-troubled metadata program, asking whether “the juice is worth the squeeze.”

We’re going to keep tweeting and posting some of the week’s stories that look like candidates for the News Roundup. Please reply to or retweet those you think we should cover. Relevant feeds: @stewartbaker on Twitter, Stewart Baker on LinkedIn, and stewart.a.baker on Facebook. 

Download the 225th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-225.mp3
Category:general -- posted at: 12:14pm EST

I interview Duncan Hollis, another Steptoe alumnus patrolling the intersection of international law and cybersecurity. With Matt Waxman, Duncan has written an essay on why the U.S. should make the Proliferation Security Initiative a model for international rulemaking for cybersecurity. Since “coalition of the willing” was already taken, we settle on “potluck policy” as shorthand for the proposal. To no one’s surprise, Duncan and I disagree about the value of international law in the field, but we agree on the value of informal, agile, and “potluck” actions on the world stage. In support, I introduce Baker’s Law of International Institutions: “The secretariat always sees the United States as its natural enemy.” 

At the end, Duncan mentions in passing his work with Microsoft on international rulemaking, and I throw down on “Brad Smith’s godforsaken proposal.” Brad, if you are willing to come on the podcast to defend that proposal, I’ve promised Duncan a highly coveted Cyberlaw Podcast mug. 

California has a new privacy law, Laura Hillsman explains—though what it will look like when it finally takes effect in 2020 remains to be seen. (Laura is a Steptoe Summer Associate.)

Chris Conte reports that the SEC has charged a second Equifax manager with insider trading. I ask whether he shouldn’t have been charged with lousy site design too.

 The White House draws a line in the sand over ZTE in a letter to the Hill—but Maury and I suspect the real message is in the lack of a veto threat. Maury thinks President Trump’s “go big, then go deal” negotiating strategy is also at work in his decision only to beat up Chinese investments once rather than twice over trade tensions. 

NSA’s metadata program was restructured to rely on telecom companies rather than NSA’s own programmers. The ideologues who insisted on the formalism of leaving the metadata with the companies rather than in NSA’s computers predictably produced a private-sector meltdown. Which they’ll probably blame on NSA as well. Jamil Jaffer and I discuss. 

What do you know? Reality does win in the end, and Reality Winner finally got the hint (as well as a pretty good plea deal). 

Nextgov reveals an unimpressive showing for the Cybersecurity Information Sharing Act’s (CISA) information-sharing provisions, at least as far as sharing with the Department of Homeland Security goes. Jamil and I agree, though, that private-sector information sharing may be a better measure of CISA’s value.

In other news, the Intercept continues to pioneer relevance-free journalism. And trust in social media is collapsing, especially among Republicans, who (remarkably) also think tech companies need more regulation. 

Finally, in an experiment we may abandon at any moment, I’m going to start tweeting and posting some of this week’s stories that look like candidates for the News Roundup. Please reply to or retweet those you think we should cover. Relevant feeds: @stewartbaker on Twitter, Stewart Baker on LinkedIn, and stewart.a.baker on Facebook.

Download the 224th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: PC_224.mp3
Category:general -- posted at: 9:50am EST

1