The Cyberlaw Podcast

In this episode, Nick Weaver and I discuss new Internet regulations proposed in the UK. He’s mostly okay with its anti-nudge code for kids, but not with requiring proof of age to access adult material. I don’t see the problem; after all, who wouldn’t want to store their passport information with Pornhub?

Sri Lanka’s government has suspended social media access in the wake of the Easter attack. As Matthew Heiman notes, the reaction in the West is more or less a shrug—far different from the universal contempt and rejection displayed toward governments who did much the same during the 2011 Arab Spring rebellions. What made the difference? I argue that it’s Putin’s remarkably successful 2016 social media counterattack on Hilary Clinton as payback for her social media campaign against him in 2011.

DNS hijacking is just getting more brazen, according to a new Cisco Talos report. Nick and I talk about why that is and what could be done about it.

Paul Rosenzweig, back from hiatus and feisty as ever, mocks the EU Commission for its on-again, off-again criticism of Kaspersky’s security. Short version: The Commission wants badly to play in cybersecurity because it’s the Hot New Thing, but it has no institutional competence there, in either sense of the word. Speaking of Kaspersky, someone is doing a bad job of trying to compromise its critics with ham-handed private investigator-imposters.

Naked Kitten? Nick and I have a good laugh at the doxxing of Iranian government hackers.

Man bites dog: The Trump Administration is taking interagency processes seriously, and doing a better job than Obama’s team—at least when it comes to use of Cyber Command. Matthew dives into the repeal of PPD-20.

Paul brings us up to date on the Mar-a-Lago Thumb Drive Affair. Maybe it wasn’t malware after all.

Remember that face recognition software that the NGOs said was so crappy it had to be banned? Now, the New York Times reports that it’s so good it has to be banned. Not so fast, says Microsoft: Our face recognition software is still so crappy that it can’t be sold to law enforcement, and it ought to be export controlled so that China can sell—and keep improving—its face recognition tools.

Bet you thought we forgot the Mueller Report. Nope! In fact, I offer the one conclusion about the report that everyone across the political spectrum can agree on. Anti-climactically, Paul and I point out that the report throws sidelights on the "Going Dark" debate and Bitcoin anonymity. Nick points out that we already knew everything the Mueller Report tells us on those topics.

Finally, Nick and I wrangle over the lessons to be drawn from Facebook’s privacy travails.

 

Download the 260th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-260_1.mp3
Category:general -- posted at: 9:54pm EDT

Our News Roundup is hip deep in China stories. The inconclusive EU-China summit gives Matthew Heiman and me a chance to explain why France understands—and hates—China’s geopolitical trade strategy more than most.

Maury Shenk notes that the Pentagon’s reported plan to put a bunch of Chinese suppliers on a blacklist is a bit of a tribute to China’s own list of sectors not open to Western companies. In other China news, Matthew discloses that there’s reason to believe that China has finally begun to use all the U.S. personnel data it stole from OPM. I’m so worried it may yet turn my hair pink, at least for SF-86 purposes.

And in a sign that it really is better to be lucky than to be good, Matthew and I muse on how the Trump Administration’s China policy is coinciding with broader economic trends to force U.S. companies to reconsider their reliance on Chinese manufacturing.

It’s not all China, though. To kick things off, Nick Weaver and I schadenfreude our way through an otherwise serious take on the Julian Assange story and its strikingly narrow Computer Fraud and Abuse Act charge—and why extradition is likely to be a pain.

We also delve into the Google Sensorvault story. Nick and I agree that law enforcement access to location data, especially under the conditions set by Google, isn’t much of a privacy scandal, at least compared to private access to the same data. But that doesn’t mean it won’t raise endless legal problems for all concerned, partly because asking for a warrant out of the box isn’t quite the right legal or privacy framework.

Pete Jeydel notes two examples of CFIUS’s new toughness: It’s forcing a Russia-linked firm to sell stake in a cybersecurity company, and it has handed out a $1 million fine to a company that blew off its obligations under a mitigation agreement.

Maury covers the German data protection commissioner’s refusal to let German police store data in the Amazon cloud. The commissioner blames the CLOUD Act and the risk that US authorities may get cross-border access to the data. I flag the commissioner for hypocrisy and ignoring international law. Turns out that the Justice Department has a good new whitepaper out on the CLOUD Act, and it points out that remote access to offshore data has been an implicit part of the Budapest Convention since the ‘90s. 

Returning once more to China, Maury and I touch on the Chinese government’s use of AI to find Uighurs in crowds of Han Chinese. In my view, the only thing surprising about this story is that the New York Times thinks we should be surprised by it.

 

Download the 259th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-259.mp3
Category:general -- posted at: 5:05pm EDT

Our News Roundup leads with the long, slow death of Section 230 immunity. Nick Weaver explains why he thinks social media’s pursuit of engagement has led to a poisonous online environment, and Matthew Heiman replays the astonishing international consensus that Silicon Valley deserves the blame—and the regulation—for all that ails the Internet. The UK is considering holding social media execs liable for “harmful” content on their platforms. Australia has already passed a law to punish social media companies for failure to remove “abhorrent violent material.” And Singapore is not far behind. Even Mark Zuckerberg is reading the writing on the wall and asking for regulation. I note that lost in the hate directed at social media is any notion that other countries shouldn’t be able to tell Americans what they can and can’t read. I also wonder whether the consensus that platforms should be editors will add to conservative doubts about maintaining Section 230 at all—and in the process endanger the U.S.-Mexico-Canada Agreement that would enshrine Section 230 in U.S. treaty obligations.

Nate Jones and I summarize the latest Reuters piece on American hackers working for the UAE. The short version? This is more a victory lap combined with journalists’ special pleading than a major new story.

Nate also briefs us on the latest tale of woe from Silicon Valley, where taking Chinese money and tech means you’re likely to get burned—in a government-ordered fire sale.

Nick and I disagree about how flawed facial recognition is, but not on the fact that NGOs are working overtime to turn the technology toxic.

Nate gives Kaspersky’s lawyers high grades for imagination and effort but not for credibility in their claim that we can trust the company’s software because Russian law doesn’t authorize Putin to intercept its data feeds. 

And, with a hat tip to Gus Coldebella for the story, Matthew and I dig into the Washington attorney general’s $12 million settlement with Motel 6 for its cooperation with ICE. We think Motel 6 could have defended on federal preemption grounds and maybe gotten help from the Justice Department. But if the problem was bad publicity, that defense would have just made things worse.

Our interview is with Adam Segal, the Council on Foreign Relations’ expert on all things digital and China. Adam prognosticates on the likely fate of US-China trade talks, data localization in China, and on the future of China’s commercial cyberespionage plans.

Download the 258th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: TheCyberlawPodcast-258.mp3
Category:general -- posted at: 5:58pm EDT

In today’s News Roundup, Klon Kitchen adds to the North Korean Embassy invasion by an unknown group. Turns out some of the participants fled to the U.S. and lawyered up, but the real tipoff about attribution is that they’ve given some of the data they stole to the FBI. That rules out CIA involvement right there.

Nick Weaver talks about Hal Martin pleading guilty to unlawfully retaining massive amounts of classified NSA hacking data. It’s looking more and more as though Martin was just a packrat, making his sentence of nine years in prison about right. But as Nick points out, that leaves unexplained how the Russians got hold of so much NSA data themselves.

Paul Hughes explains the seamy Europolitics behind the new foreign investment regulations that will take effect this month.

Nick explains the deeply troubling compromise of update certs at ASUS and the company’s equally troubling response. I ask why the only agency with clear authority over an incident with important national security implications is the FTC.

Nick and I comment on the Federal Trade Commission’s pending investigation of the privacy practices of seven Internet service providers.

Speaking of sensitive data practices, Klon talks about the Committee on Foreign Investment in the United States’ belated recognition that maybe the Chinese government shouldn’t have access to the most intimate desires of a portion of the U.S. LGBTQ community. I try to explain the difference between Tik Tok and Yik Yak and mostly fail.

Meanwhile, in splinternet news, the EU Parliament has approved the controversial Copyright Directive. A bunch of MEPs, soon to be running for reelection, claim they meant to vote against it, really, but somehow ended up voting for it.

The Department of Housing and Urban Development is suing Facebook for violating the Fair Housing Act. I ask listeners for help in finding guests who can talk about whether it’s a good idea to bar ad targeting that lets companies look for more customers like the ones they already have, even if their customers already skew toward particular genders and ethnicities.

Finally, Nick and I break down Gavin de Becker’s claim that the real killer in the Bezos sexting flap was Saudi Arabia. Plenty of smoke there, but the lack of a reference to any forensic evidence raises doubts about de Becker’s version of events.

Download the 257th Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-257.mp3
Category:general -- posted at: 6:05pm EDT

In our interview, Elsa Kania and Sam Bendett explain what China and Russia have learned from the American way of warfighting—and from Russia’s success in Syria. The short answer: everything. But instead of leaving us smug, I argue it ought to leave us worried about surprise. Elsa and Sam both try to predict where the surprises might come from. Yogi Berra makes an appearance.

In the News Roundup, David Kris explains the Fourth Circuit’s decision to accept a lib/left invitation to screw up the law of stored electronic communications for a generation.

And in other litigation, a Trump-appointed judge dismisses a lawsuit against Silicon Valley’s censorship of the right. Nate Jones and I agree that, while the decision is broadly consistent with law, it may spell trouble for Silicon Valley in the long run. That’s because it depends on an idiosyncratic U.S. Court of Appeals for the D.C. Circuit interpretation of the District’s public accommodation law. I speculate that Alabama or Texas or Mississippi could easily draft a law prohibiting discrimination on the basis of viewpoint in public accommodations like the Internet. 

Nick Weaver and I note the UN report that North Korea has stolen $571 million, much of it in cryptocurrency. I ask whether the US Treasury could seize those ill-gotten bits. Maybe, says Nick, but it would really bollix up the world of cryptocurrency (not that he minds).

I explain why DHS will be rolling out facial scanning technology to a boatload of US airports—and why there’s no hidden privacy scandal in the initiative.

It kind of makes you wonder about their banks and their chocolate: Nick gloats as Switzerland’s proposed Internet voting system follows his predicted path from questionable to deep, smoking crater.

Elsa Kania and I touch on the Navy Secretary’s willingness to accept scathing criticism of the Navy’s cybersecurity. And Nick and I close with an effort to draw lessons from the disastrous software and human factor interactions at the heart of the Boeing 737 MAX crashes.

Download the 255th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-255.mp3
Category:general -- posted at: 9:33am EDT

On Episode 254 of The Cyberlaw Podcast, Stewart spends a few days off the grid, and David Kris, Maury Shenk and Brian Egan extol the virtues of data privacy and the European Union in his absence.

 

Maury interviews James Griffiths, a journalist based in Hong Kong and the author of the new book, “The Great Firewall of China: How to Build and Control an Alternative Version of the Internet.”

 

In the news, David and Brian discuss last week’s revelation that the NSA is considering whether it will continue to seek renewal of the of the Section 215 “call detail record” program authority when it expires in December. We plug last week’s Lawfare Podcast in which the national security advisor to House Minority Leader McCarthy made news when he reported that the NSA hasn’t been using this program for several months. David waxes poetic on the little-known and little-used “lone wolf” authority, which is also up for renewal this year.

 

We explore the long lineup of politicians and government officials who are lining up with new proposals to “get tough” on large technology companies. Leading the charge is Sen. Warren, who promises to roll out a plan to break up “platform utilities”—basically, large Internet companies that run their own marketplaces—if she is elected president. Not to be outdone, the current chair of the Federal Trade Commission has urged that Congress provide new authorities for the FTC to impose civil enforcement penalties on tech (and presumably other) companies that violate their data privacy commitments. And last—but never least—the French finance minister announced that he will propose a 3 percent tax on the revenue of the 30 largest Internet businesses in France, most of which are U.S. companies.

 

David discusses how one technology company is using a more familiar tool—litigation—to fight back against Chinese companies for creating and then selling fake Facebook and Instagram accounts.

 

In the “motherhood and apple pie” category, Maury explains French President Macron’s call for the creation of a “European Agency for the Protection of Democracies” to protect elections against cyberattacks. And Brian covers a recently re-introduced bill, the Cyber Deterrence and Response Act, which would impose sanctions on “all entities and persons responsible or complicit in malicious cyber activities aimed against the United States.”

 

 

If you are in London this week, you can see James Griffiths during his book tour. On March 13, he will be at the Frontline Club, and on March 14, he will be at Chatham House. You can also see him later this month at the Hong Kong Foreign Correspondents Club.

 

 

Download the 254th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-254.mp3
Category:general -- posted at: 4:55pm EDT

Our interview is with two men who overcame careers as lawyers and journalists to become serial entrepreneurs now trying to solve the “fake news” problem. Gordon Crovitz and Steve Brill co-founded NewsGuard to rate news sites on nine journalistic criteria—using, of all things, real people instead of algorithms. By the end of the interview, I’ve confessed myself a reluctant convert to the effort. This is despite NewsGuard’s treatment of Instapundit, which Gordon Crovitz and I both read regularly but which has not received a green check. 

In the news, Klon Kitchen talks about the latest on cyberconflict with Russia: CyberCom’s takedown of the Russian troll farm during 2018 midterms. The Russians are certainly feeling abused. They are using U.S. attacks to justify pursuing “autonomous Internet,” and they’ve sentenced two Kaspersky Lab experts to long jail terms for treason.

Gus Hurwitz, Klon, and Nick Weaver muse on the latest evidence that information intermediaries still haven’t settled on a business model. Amazon marketplace sellers will now have the ability to remove what they deem counterfeit listings. Amazon has let the FTC discipline fake paid Amazon reviews. And The Verge has a disturbing article on the human costs of using human beings to enforce Facebook’s content rules. (The failure of Silicon Valley to get a handle on this problem is, of course, the key to NewsGuard’s business model.) 

Finally, just to give me an excuse to link to this Dr. Strangelove clip, Gus tells us that not even our prosthetic arms are safe from IoT hacking

Download the 253rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-253.mp3
Category:general -- posted at: 7:45pm EDT

We interview Dmitri Alperovitch of CrowdStrike on the company’s 2019 Global Threat Report, which features a ranking of Western cyber adversaries based on how long it takes each of them to turn a modest foothold into code execution on a compromised network. The Russians put up truly frightening numbers—from foothold to execution in less than twenty minutes—but the real surprise is the North Koreans, who clock in at 2:20. The Chinese take the bronze at just over 4 hours. Dmitri also gives props to a newcomer—South Korea—whose skills are substantial.

In the News Roundup, I cheer the police for using “reverse location search warrants” to compel Google to hand over data on anyone near a crime scene. Nick Weaver agrees and puts the blame on Google and others who collect the data rather than the police who use it to solve crimes.

A committee of the U.K. House of Commons has issued a blistering final report on disinformation and fake news. I offer this TL;DR: that all right-thinking Brits must condemn Facebook because Leave won, just as all right-thinking Americans must condemn Facebook because Trump won. Maury Shenk takes a more nuanced view.

Nick and Dmitri explain just how scary the growth of DNSpionage has become. The only thing as scary seems to be the continuing effort to put voting systems on the Internet. Nick reacts to this in the typical way of his people.

The mysterious Facebook Title III case won’t be unsealed, so we really don’t know what the Justice Department was trying to get from Facebook.

The New York Times claims that India is proposing Internet censorship along China’s model. I think that’s just the New York Times’s bias showing and that India is mainly imitating Europe. Maury rides to the New York Times’s rescue.

In breaking news, The Cyberlaw Podcast has developed AI podcasting so good we don’t dare tell you about it.

This Week in Chutzpah: Alleged hacker Lauri Love has lost his bid to recover the data he stole. I want to know why we didn’t give it back to him with a couple of keyloggers installed. The temptation to decrypt—and give prosecutors new evidence—would be irresistible.

In closing, Nick and I dwell on YouTube’s pedophile comment problem and whether recommendation engines are more to blame than human nature.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

 

Download the 252nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-252_1.mp3
Category:general -- posted at: 11:06am EDT

The backlash against Big Tech dominates this episode, with new regulatory initiatives in the U.S., EU, Israel, Russia and China. The misbegotten link tax and upload filter provisions of the EU copyright directive have survived the convoluted EU legislative gantlet. My prediction: The link tax will fail because Google wants it to fail, but the upload filter will succeed because Google wants YouTube’s competitors to fail.

Rumors are flying that the Federal Trade Commission and Facebook will agree on a $1+ billion fine on the company for failure to adhere to its consent decree. My guess? This is not so much about law as it is about the climate of hostility around the company since it took the blame for Trump’s election.

And, in yet another attack on Big Tech, the EU is targeting Google and Amazon for unfair practices as sales platforms.

Artificial intelligence is so overworked a tech theme that it has even attracted the attention of the White House and the Defense Department. We ask a new contributor, Jessica “Zhanna” Malekos Smith, to walk us through the president’s executive order on artificial intelligence. I complain that it’s a cookie-cutter order that could as easily be applied to alien abductions. The Pentagon’s AI strategy, in contrast, is somewhat more substantive.

If you can’t beat ‘em, ban ‘em. Instead of regulating Big Tech, Russia is looking to take its own internet offline in an emergency. The real question is whether Russia is planning to cause the emergency it’s protecting itself against. If so, we are profoundly unready.

The CFIUS model is contagious! Brian Egan tells us Israel is considering restrictions on Chinese investment as the world keeps choosing sides in the new cold war.

China’s Ministry of Public Security is now authorized to conduct no-notice penetration testing of internet businesses operating in China. I must say, it was nice of them to offer the service in beta to the Office of Personnel Management, Anthem and Equifax. Speaking of which, could this spell more trouble for Western firms doing business in China?

Brian touches on the Treasury Department’s new sanctions against Iranian organizations for supporting intelligence and cyber operations targeting U.S. persons. It turns out that the hackers had help—and that there is no ideology so loathsome it can’t win converts among Americans.

Nate Jones describes the EU’s plan to use “cyber sanctions” to fend off hackers during upcoming elections.

This Week in Old Guys You Shouldn’t Mess With: Nate reveals how 94-year-old William H. Webster helped take down a Jamaican scam artist.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

You can subscribe to The Cyberlaw Podcast using iTunesGoogle PlaySpotifyPocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-251.mp3
Category:general -- posted at: 5:02pm EDT

If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself. That’s the message Nick Weaver and David Kris extract from two stories we cover in this week’s episode of The Cyberlaw Podcast—the Justice Department’s indictment of a couple of kids whose hacker chops are modest but whose social engineering skills are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there’s always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.

Okay, it ain’t “When Harry Met Sally,” but for a degraded age, “When Bezos Exposed Pecker” will have to do. David keeps us focused on the legal questions: Was the “Enquirer” letter really extortion? Would publication of the pics be actionable? And is there any way the “Enquirer” could get those text messages without someone committing a crime? And, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

Social media—privacy law threat or competition law menace? That’s the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.

Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the People’s Liberation Army (PLA) to the curb and brought in the professionals from China’s Ministry of State Security (MSS). So now Chinese tradecraft is a little better, and the Justice Department is indicting MSS officials instead of PLA soldiers. David sums up.

NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.

Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing university lawyers.

Okay, one more: I celebrate HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:

“I got a fever, and the only cure is more Weaver. Love the show. I’m a lawyer but not in tech or security law, but it’s still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show.” 

I am moved to channel Peggy Lee. And if more good reviews don’t pour in, I may make that performance a weekly feature. David Kris, I’m sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee’s oeuvre like that.

 

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here: https://www.thirdway.org/letter/2019-cyber-symposium-call-for-papers

 

Download the 250th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-250.mp3
Category:general -- posted at: 4:30pm EDT

In this episode, I interview Chris Bing and Joel Schectman about their remarkable stories covering the actions of what amount to U.S. cyber-mercenary hackers. We spare a moment of sympathy for one of those hackers, Lori Stroud, who managed to go from hiring Edward Snowden to hacking for the UAE in the space of a few years.

In the news, I ask my partner Phil Khinda whether the $29 million Yahoo breach settlement is a new front in breach derivative litigation or a black swan. He says it’s more of a red herring—and explains why.

This week in black ops: I ask Nate Jones to comment on the tradecraft used in an apparent effort to smear Citizen Lab for its reports on NSO. My take: This feels a lot like what BlackCube did for Harvey Weinstein, except that this was the budget version.

The Russians are so far from being shamed for their hacking that now they’re faking it. Dr. Megan Reiss notes Special Counsel Mueller’s recent claim that Russians are leaking discovery materials and pretending they came from a hack of the counsel’s office. We are reminded of the Russians’ recent unveiling of a remarkably adroit robot that turned out to be a man in a robot suit.

Maury Shenk and I discuss Google’s latest imitation of Apple’s “law enforcement lockout” feature and its claim that hurting law enforcement was “unintended side effect.”

Maury also notes the flap over a flaw in Apple’s FaceTime that allows for eavesdropping. Predictably, New York State is investigating.

And in possibly related news, Apple went out of its way to publicly embarrass Facebook and Google over their use of corporate certificates to sideload apps that recorded the browsing habits of paid volunteers.

Quick hits:

This week in dogs biting men: Ukraine says Russia is trying to disrupt its upcoming election, and the Pentagon is reportedly failing to stay ahead of cyber threats. Megan covers the first and Nate the second.

I offer one and a half cheers for Japan’s pioneering and mildly intrusive survey of bot-vulnerable IoT devices

Finally, EPIC et al. are calling on FTC to impose a $2 billion fine, structural changes and more on Facebook, claiming that “the algorithmic bias of the [Facebook] news feed reflects a predominantly Anglo, male world view.” If you still need evidence that privacy law is the legal equivalent of a Twitter mob—an always-ready tool for punishing unpopular views—EPIC’s filing should be all you need.

 

Download the 249th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-249.mp3
Category:general -- posted at: 5:26pm EDT

If the surgeon about to operate on you has been disciplined for neglecting patients, wouldn’t you like to know? Well, the mandarins of the European Union privacy lobby beg to differ. Google has been told by a Dutch court not to index that story, and there seems to have been a six-month lag in disclosing even the court ruling. That’s part of this week’s News Roundup. Gus Hurwitz and I are appalled. I tout my long-standing view that in the end, privacy law just protects the privileged. Gus agrees.

The interview is with John Carlin, author of “Dawn of the Code War.” It’s a great inside story of how we came to indict China’s hacker-spies for attacking US companies.

In other news, the Illinois Supreme Court has demonstrated how bad Illinois’ biometric privacy law is—by the simple expedient of applying it the way it’s written.

Dr. Megan Reiss and I air our ambivalence about the latest site hosting collections of doxed messages. We lack enthusiasm for indiscriminate doxing of the kind highlighted on Distributed Denial of Secrets, but if it’s got to happen, it couldn’t happen to a nicer Russian dictator.

Nick Weaver explains the DHS emergency order telling civilian agencies to protect themselves against DNS hijacking, and why the shutdown may have made those agencies more vulnerable.

Nick and I debate YouTube’s latest algorithmic tweak to avoid recommending “borderline” material. He notes that the algorithm used to push people to extremes. I note that this is a suspiciously good way for YouTube Social Justice Warriors to suppress videos they don’t like but can’t actually show to be violating YouTube’s terms of service.

Speaking of which, maybe the real singularity is when Silicon Valley joins forces with Beijing to produce new technology that will suppress the peasants once and for all. If so, the singularity is nigh, as a Chinese app allows you to identify people around you who deserve to be shamed.

 

Download the 248th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-248.mp3
Category:general -- posted at: 11:46am EDT

So says the remarkable Jeff Jonas, CEO of Senzing. And he’s got a claim to be doing just that. A data scientist before data science was cool, Jeff has used his technical skills and an intuitive grasp of complex data problems to stop card counters in Las Vegas and terrorists targeting the U.S., and then to launch an initiative making voter registration more accurate and widespread. Most recently, in the course of an effort to improve maritime security around Singapore, he also found a key to identifying asteroids due to collide with each other so they can be watched. Because when this happens, who knows where their new course will take them?

The media has been hyping a strikingly bad magistrate judge’s opinion giving 5th Amendment protection to biometric phone security. This leads Gus Hurwitz and me to question why Congress ever promoted U.S. magistrates to “magistrate judges” in the first place. We suggest striking the word “judge” from the title given to these Article I judicial aides; call it the Truth in Judging Act.

Congress and the president can’t even agree on a compromise that would end the partial government shutdown. So what genius decided that our security from terrorist attacks should depend on Congress and the president agreeing every couple of years on yet another part of our counterterrorism legislation? Like it or not, though, 2019 will feature another cliffhanger, as several national security provisions of FISA come to an end unless renewed. Jamil Jaffer and David Kris talk about the provisions and possible outcomes. I plead for a compromise that takes seriously the Trumpist concern about partisan abuse of the law.

If the SEC didn't own EDGAR, I suspect the government would have imposed serious fines on the owner of EDGAR for enabling a new form of insider trading. Jamil and Gus debate the real question: How can hackers with access to guaranteed market moving info manage to make only $4 million in six months of trading?

The Department of Justice’s Office of Legal Counsel has reversed an Obama-era interpretation limiting the scope of federal criminal laws governing online gambling. David provides the background; I introduce our listeners to the Baptist-bootlegger coalition. 

If you would like to hear more from Jeff Jonas and you’ll be in London on January 29, be sure to attend his talk, “AI for Entity Resolution,” at the SAGE Ocean speaker series. Event details can be found here.

 

Download the 247th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-247.mp3
Category:general -- posted at: 11:12am EDT

Brazen Russian intrusions into the U.S. electricity grid lead our episode. I ask Matthew Heiman and Nick Weaver whether Russia intended for us to know about their intrusions (duh, yes!) and how we should respond to the implicit threat to leave Americans freezing in the dark. Their answers and mine show creativity if not exactly sobriety.

In what may be good news about emerging European sobriety, Google gets a favorable opinion from the advocate general to the European Court of Justice (ECJ) on the question of whether to extend Europe’s “right to be forgotten” censorship regime to benighted Americans, and Turks, and Russians and Chinese. Most of those countries would be glad to impose their censorship regime on Europeans, consideration of which may be enough to overcome the America Derangement Syndrome the ECJ has displayed in earlier tech privacy cases.

DHS was right, and EFF was wrong. That’s the lesson Maury Shenk, Nick and I derive from the latest drone crisis at Gatwick Airport. In response, the UK is seeking police powers that DHS recently obtained—over EFF’s bitter opposition.

Matthew unpacks the Fourth Circuit ruling that a politician cannot block constituents on her official Facebook page because it has become a public forum.

Nick explains how the Hal Martin Saga keeps getting weirder—and we try on the full aluminum foil hat to explain how the whole thing could have been orchestrated by the GRU to turn Kaspersky Lab into a hero.

Ron Wyden and Motherboard combined to get mobile phone companies to stop selling location data to third parties. I wonder whether we’ll regret the result. Nobody else does.

Happy New Year from Big Brother: Vietnam takes a leaf from the EU and Chinese playbooks, threatening Facebook with fines for allowing prohibited posts and failing to localize data.

For comic relief, we cover the cybersecurity misadventures of “El Chapo.” Nick Weaver sums up the lesson: Bespoke security is almost always bad security. Oh, and never take a phone from a paranoid boss.

We close with a quick review of how China has misused the Great Firewall to launch cyberattacks and what Silicon Valley (or the rest of us) can do in response. 

 

 

Download the 246th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-246.mp3
Category:general -- posted at: 10:44am EDT

Nate Jones, David Kris and I kick off 2019 with a roundup of the month of news since we took our Christmas break. First, we break down the utterly predictable but undismissable Silicon Valley claim that the administration’s new export control strategy will hurt the emerging AI industry.

Then we draw on our guests’ expertise in counterintelligence prosecutions to review the APT10 indictment – and the claim by Jack Goldsmith and Robert Williams that the strategy is a failure. We conclude that it isn’t a magic bullet, but that’s not quite the same as a failure. I tease my plan to introduce two dozen more or less unthinkable retaliatory responses the U.S. could deploy if and when it decides to get more serious about deterring adversarial cyber operations.

We quickly cover three new hacks that once looked as though they might be government sponsored. Now it looks as though two were less strategic than that. The denial of service attack on newspaper printing may have been a profit-motivated ransomware attack, and the guy who doxxed the German political establishment may have been a lone hacker (hopefully not one weighing 400 pounds or we’ll never hear the end of it).

We quickly review the bidding on the U.S.-China “quantum arms race,” which may be a bit less critical than the press suggests.

David and Nate also review the mixed bag of rulings on three motions to suppress in Hal Martin’s NSA theft case, which just gets weirder and weirder. David and I are in surprising agreement (along with the judge) that the FBI overreached in using handcuffs, a flashbang and a SWAT team to conduct “noncustodial” questioning of Martin.

Today’s forecast: Windy with a high probability of litigation as Los Angeles sues The Weather Company for collecting and sharing location information in its apps. We suspect that, in claiming a lack of adequate disclosure about location collection, Los Angeles is relying on the ancient legal maxim, “Damned if you do and damned if you don’t.”

In other litigation news, Illinois’s biometric privacy law continues to encounter judicial skepticism. But the Illinois state courts, unburdened by federal standing law, may yet give teeth to this seriously dumb law as Rosenbach v. Six Flags lives on in the Illinois Supreme Court.

In Quick Hits, I am intrigued by the idea that a clever generative adversarial AI “cheated” at a mapping task. In fact, the lesson is both less exciting and more troubling: If you don’t understand how your AI is accomplishing the task you’ve set for it, you need to expect some rude surprises.

Despite all the talk of stasis and crisis in Washington, Congress is still passing modestly useful legislation on cyber issues. Nate describes the SECURE Technology Act, which sets vulnerability disclosure policy and calls for bug bounties at DHS.

And, finally, I recommend a fascinating and deeply ambivalating report on the many ways third-party sellers game Amazon’s Marketplace rules.

 

Download the 245th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-245.mp3
Category:general -- posted at: 9:56am EDT

1