The Cyberlaw Podcast

The backlash against Big Tech dominates this episode, with new regulatory initiatives in the U.S., EU, Israel, Russia and China. The misbegotten link tax and upload filter provisions of the EU copyright directive have survived the convoluted EU legislative gantlet. My prediction: The link tax will fail because Google wants it to fail, but the upload filter will succeed because Google wants YouTube’s competitors to fail.

Rumors are flying that the Federal Trade Commission and Facebook will agree on a $1+ billion fine on the company for failure to adhere to its consent decree. My guess? This is not so much about law as it is about the climate of hostility around the company since it took the blame for Trump’s election.

And, in yet another attack on Big Tech, the EU is targeting Google and Amazon for unfair practices as sales platforms.

Artificial intelligence is so overworked a tech theme that it has even attracted the attention of the White House and the Defense Department. We ask a new contributor, Jessica “Zhanna” Malekos Smith, to walk us through the president’s executive order on artificial intelligence. I complain that it’s a cookie-cutter order that could as easily be applied to alien abductions. The Pentagon’s AI strategy, in contrast, is somewhat more substantive.

If you can’t beat ‘em, ban ‘em. Instead of regulating Big Tech, Russia is looking to take its own internet offline in an emergency. The real question is whether Russia is planning to cause the emergency it’s protecting itself against. If so, we are profoundly unready.

The CFIUS model is contagious! Brian Egan tells us Israel is considering restrictions on Chinese investment as the world keeps choosing sides in the new cold war.

China’s Ministry of Public Security is now authorized to conduct no-notice penetration testing of internet businesses operating in China. I must say, it was nice of them to offer the service in beta to the Office of Personnel Management, Anthem and Equifax. Speaking of which, could this spell more trouble for Western firms doing business in China?

Brian touches on the Treasury Department’s new sanctions against Iranian organizations for supporting intelligence and cyber operations targeting U.S. persons. It turns out that the hackers had help—and that there is no ideology so loathsome it can’t win converts among Americans.

Nate Jones describes the EU’s plan to use “cyber sanctions” to fend off hackers during upcoming elections.

This Week in Old Guys You Shouldn’t Mess With: Nate reveals how 94-year-old William H. Webster helped take down a Jamaican scam artist.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

You can subscribe to The Cyberlaw Podcast using iTunesGoogle PlaySpotifyPocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-251.mp3
Category:general -- posted at: 5:02pm EST

If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself. That’s the message Nick Weaver and David Kris extract from two stories we cover in this week’s episode of The Cyberlaw Podcast—the Justice Department’s indictment of a couple of kids whose hacker chops are modest but whose social engineering skills are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there’s always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.

Okay, it ain’t “When Harry Met Sally,” but for a degraded age, “When Bezos Exposed Pecker” will have to do. David keeps us focused on the legal questions: Was the “Enquirer” letter really extortion? Would publication of the pics be actionable? And is there any way the “Enquirer” could get those text messages without someone committing a crime? And, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

Social media—privacy law threat or competition law menace? That’s the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.

Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the People’s Liberation Army (PLA) to the curb and brought in the professionals from China’s Ministry of State Security (MSS). So now Chinese tradecraft is a little better, and the Justice Department is indicting MSS officials instead of PLA soldiers. David sums up.

NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.

Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing university lawyers.

Okay, one more: I celebrate HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:

“I got a fever, and the only cure is more Weaver. Love the show. I’m a lawyer but not in tech or security law, but it’s still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show.” 

I am moved to channel Peggy Lee. And if more good reviews don’t pour in, I may make that performance a weekly feature. David Kris, I’m sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee’s oeuvre like that.

 

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here: https://www.thirdway.org/letter/2019-cyber-symposium-call-for-papers

 

Download the 250th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-250.mp3
Category:general -- posted at: 4:30pm EST

In this episode, I interview Chris Bing and Joel Schectman about their remarkable stories covering the actions of what amount to U.S. cyber-mercenary hackers. We spare a moment of sympathy for one of those hackers, Lori Stroud, who managed to go from hiring Edward Snowden to hacking for the UAE in the space of a few years.

In the news, I ask my partner Phil Khinda whether the $29 million Yahoo breach settlement is a new front in breach derivative litigation or a black swan. He says it’s more of a red herring—and explains why.

This week in black ops: I ask Nate Jones to comment on the tradecraft used in an apparent effort to smear Citizen Lab for its reports on NSO. My take: This feels a lot like what BlackCube did for Harvey Weinstein, except that this was the budget version.

The Russians are so far from being shamed for their hacking that now they’re faking it. Dr. Megan Reiss notes Special Counsel Mueller’s recent claim that Russians are leaking discovery materials and pretending they came from a hack of the counsel’s office. We are reminded of the Russians’ recent unveiling of a remarkably adroit robot that turned out to be a man in a robot suit.

Maury Shenk and I discuss Google’s latest imitation of Apple’s “law enforcement lockout” feature and its claim that hurting law enforcement was “unintended side effect.”

Maury also notes the flap over a flaw in Apple’s FaceTime that allows for eavesdropping. Predictably, New York State is investigating.

And in possibly related news, Apple went out of its way to publicly embarrass Facebook and Google over their use of corporate certificates to sideload apps that recorded the browsing habits of paid volunteers.

Quick hits:

This week in dogs biting men: Ukraine says Russia is trying to disrupt its upcoming election, and the Pentagon is reportedly failing to stay ahead of cyber threats. Megan covers the first and Nate the second.

I offer one and a half cheers for Japan’s pioneering and mildly intrusive survey of bot-vulnerable IoT devices

Finally, EPIC et al. are calling on FTC to impose a $2 billion fine, structural changes and more on Facebook, claiming that “the algorithmic bias of the [Facebook] news feed reflects a predominantly Anglo, male world view.” If you still need evidence that privacy law is the legal equivalent of a Twitter mob—an always-ready tool for punishing unpopular views—EPIC’s filing should be all you need.

 

Download the 249th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-249.mp3
Category:general -- posted at: 5:26pm EST

If the surgeon about to operate on you has been disciplined for neglecting patients, wouldn’t you like to know? Well, the mandarins of the European Union privacy lobby beg to differ. Google has been told by a Dutch court not to index that story, and there seems to have been a six-month lag in disclosing even the court ruling. That’s part of this week’s News Roundup. Gus Hurwitz and I are appalled. I tout my long-standing view that in the end, privacy law just protects the privileged. Gus agrees.

The interview is with John Carlin, author of “Dawn of the Code War.” It’s a great inside story of how we came to indict China’s hacker-spies for attacking US companies.

In other news, the Illinois Supreme Court has demonstrated how bad Illinois’ biometric privacy law is—by the simple expedient of applying it the way it’s written.

Dr. Megan Reiss and I air our ambivalence about the latest site hosting collections of doxed messages. We lack enthusiasm for indiscriminate doxing of the kind highlighted on Distributed Denial of Secrets, but if it’s got to happen, it couldn’t happen to a nicer Russian dictator.

Nick Weaver explains the DHS emergency order telling civilian agencies to protect themselves against DNS hijacking, and why the shutdown may have made those agencies more vulnerable.

Nick and I debate YouTube’s latest algorithmic tweak to avoid recommending “borderline” material. He notes that the algorithm used to push people to extremes. I note that this is a suspiciously good way for YouTube Social Justice Warriors to suppress videos they don’t like but can’t actually show to be violating YouTube’s terms of service.

Speaking of which, maybe the real singularity is when Silicon Valley joins forces with Beijing to produce new technology that will suppress the peasants once and for all. If so, the singularity is nigh, as a Chinese app allows you to identify people around you who deserve to be shamed.

 

Download the 248th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-248.mp3
Category:general -- posted at: 11:46am EST

So says the remarkable Jeff Jonas, CEO of Senzing. And he’s got a claim to be doing just that. A data scientist before data science was cool, Jeff has used his technical skills and an intuitive grasp of complex data problems to stop card counters in Las Vegas and terrorists targeting the U.S., and then to launch an initiative making voter registration more accurate and widespread. Most recently, in the course of an effort to improve maritime security around Singapore, he also found a key to identifying asteroids due to collide with each other so they can be watched. Because when this happens, who knows where their new course will take them?

The media has been hyping a strikingly bad magistrate judge’s opinion giving 5th Amendment protection to biometric phone security. This leads Gus Hurwitz and me to question why Congress ever promoted U.S. magistrates to “magistrate judges” in the first place. We suggest striking the word “judge” from the title given to these Article I judicial aides; call it the Truth in Judging Act.

Congress and the president can’t even agree on a compromise that would end the partial government shutdown. So what genius decided that our security from terrorist attacks should depend on Congress and the president agreeing every couple of years on yet another part of our counterterrorism legislation? Like it or not, though, 2019 will feature another cliffhanger, as several national security provisions of FISA come to an end unless renewed. Jamil Jaffer and David Kris talk about the provisions and possible outcomes. I plead for a compromise that takes seriously the Trumpist concern about partisan abuse of the law.

If the SEC didn't own EDGAR, I suspect the government would have imposed serious fines on the owner of EDGAR for enabling a new form of insider trading. Jamil and Gus debate the real question: How can hackers with access to guaranteed market moving info manage to make only $4 million in six months of trading?

The Department of Justice’s Office of Legal Counsel has reversed an Obama-era interpretation limiting the scope of federal criminal laws governing online gambling. David provides the background; I introduce our listeners to the Baptist-bootlegger coalition. 

If you would like to hear more from Jeff Jonas and you’ll be in London on January 29, be sure to attend his talk, “AI for Entity Resolution,” at the SAGE Ocean speaker series. Event details can be found here.

 

Download the 247th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-247.mp3
Category:general -- posted at: 11:12am EST

Brazen Russian intrusions into the U.S. electricity grid lead our episode. I ask Matthew Heiman and Nick Weaver whether Russia intended for us to know about their intrusions (duh, yes!) and how we should respond to the implicit threat to leave Americans freezing in the dark. Their answers and mine show creativity if not exactly sobriety.

In what may be good news about emerging European sobriety, Google gets a favorable opinion from the advocate general to the European Court of Justice (ECJ) on the question of whether to extend Europe’s “right to be forgotten” censorship regime to benighted Americans, and Turks, and Russians and Chinese. Most of those countries would be glad to impose their censorship regime on Europeans, consideration of which may be enough to overcome the America Derangement Syndrome the ECJ has displayed in earlier tech privacy cases.

DHS was right, and EFF was wrong. That’s the lesson Maury Shenk, Nick and I derive from the latest drone crisis at Gatwick Airport. In response, the UK is seeking police powers that DHS recently obtained—over EFF’s bitter opposition.

Matthew unpacks the Fourth Circuit ruling that a politician cannot block constituents on her official Facebook page because it has become a public forum.

Nick explains how the Hal Martin Saga keeps getting weirder—and we try on the full aluminum foil hat to explain how the whole thing could have been orchestrated by the GRU to turn Kaspersky Lab into a hero.

Ron Wyden and Motherboard combined to get mobile phone companies to stop selling location data to third parties. I wonder whether we’ll regret the result. Nobody else does.

Happy New Year from Big Brother: Vietnam takes a leaf from the EU and Chinese playbooks, threatening Facebook with fines for allowing prohibited posts and failing to localize data.

For comic relief, we cover the cybersecurity misadventures of “El Chapo.” Nick Weaver sums up the lesson: Bespoke security is almost always bad security. Oh, and never take a phone from a paranoid boss.

We close with a quick review of how China has misused the Great Firewall to launch cyberattacks and what Silicon Valley (or the rest of us) can do in response. 

 

 

Download the 246th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-246.mp3
Category:general -- posted at: 10:44am EST

Nate Jones, David Kris and I kick off 2019 with a roundup of the month of news since we took our Christmas break. First, we break down the utterly predictable but undismissable Silicon Valley claim that the administration’s new export control strategy will hurt the emerging AI industry.

Then we draw on our guests’ expertise in counterintelligence prosecutions to review the APT10 indictment – and the claim by Jack Goldsmith and Robert Williams that the strategy is a failure. We conclude that it isn’t a magic bullet, but that’s not quite the same as a failure. I tease my plan to introduce two dozen more or less unthinkable retaliatory responses the U.S. could deploy if and when it decides to get more serious about deterring adversarial cyber operations.

We quickly cover three new hacks that once looked as though they might be government sponsored. Now it looks as though two were less strategic than that. The denial of service attack on newspaper printing may have been a profit-motivated ransomware attack, and the guy who doxxed the German political establishment may have been a lone hacker (hopefully not one weighing 400 pounds or we’ll never hear the end of it).

We quickly review the bidding on the U.S.-China “quantum arms race,” which may be a bit less critical than the press suggests.

David and Nate also review the mixed bag of rulings on three motions to suppress in Hal Martin’s NSA theft case, which just gets weirder and weirder. David and I are in surprising agreement (along with the judge) that the FBI overreached in using handcuffs, a flashbang and a SWAT team to conduct “noncustodial” questioning of Martin.

Today’s forecast: Windy with a high probability of litigation as Los Angeles sues The Weather Company for collecting and sharing location information in its apps. We suspect that, in claiming a lack of adequate disclosure about location collection, Los Angeles is relying on the ancient legal maxim, “Damned if you do and damned if you don’t.”

In other litigation news, Illinois’s biometric privacy law continues to encounter judicial skepticism. But the Illinois state courts, unburdened by federal standing law, may yet give teeth to this seriously dumb law as Rosenbach v. Six Flags lives on in the Illinois Supreme Court.

In Quick Hits, I am intrigued by the idea that a clever generative adversarial AI “cheated” at a mapping task. In fact, the lesson is both less exciting and more troubling: If you don’t understand how your AI is accomplishing the task you’ve set for it, you need to expect some rude surprises.

Despite all the talk of stasis and crisis in Washington, Congress is still passing modestly useful legislation on cyber issues. Nate describes the SECURE Technology Act, which sets vulnerability disclosure policy and calls for bug bounties at DHS.

And, finally, I recommend a fascinating and deeply ambivalating report on the many ways third-party sellers game Amazon’s Marketplace rules.

 

Download the 245th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-245.mp3
Category:general -- posted at: 9:56am EST

1