The Cyberlaw Podcast

Joel Trachtman thinks it’s a near certainty that the World Trade Organization agreements will complicate U.S. efforts to head off an Internet of Things cybersecurity meltdown, and there’s a real possibility that a U.S. cybersecurity regime could be held to violate our international trade obligations. Claire Schachter and I dig into the details of the looming disaster and how to avoid it.

In the news, Paul Rosenzweig analyzes the Ninth Circuit holding that scraping publicly available information doesn’t violate the CFAA.

The California legislature has adjourned, leaving behind a smoking ruin where Silicon Valley’s business models used to be. Mark MacCarthy elaborates: One new law would force companies like Uber and Lyft (and a boatload more) to treat workers as employees, not contractors. Another set of votes has left the California Consumer Privacy Act more or less unscathed as its 2020 effective date looms. Really, it’s beginning to look as though even California hates Silicon Valley. 

Klon Kitchen and I discuss the latest round of U.S. sanctions on North Korean hacking groups. The sanctions won’t hit anyone in North Korea, but they might affect a few of their enablers on the Internet. The real question, though, is this: Since sanctions violations are punishable even when they aren’t intentional, will U.S. companies whose money is stolen by the Lazarus Group be penalized for having engaged in a prohibited transaction with a sanctioned party? Maybe the Lazarus Group should steal a license too, just to be sure. 

Klon also lays out in chilling detail what the Russians were really trying to do to Ukraine’s grid—and the growing risk that someone is going to launch a destructive cyberattack that leads to a cycle of serious real-world violence. The drone attack on Saudi oil facilities shows how big that risk can be. 

Paul examines reports that Israel planted spy devices near the White House. He thinks it says more about the White House than about Israel.

Paul also reports on one of the unlikelier escapades of students from his alma mater: Trading 15 minutes at the keyboard for a lifetime of trouble on their permanent records. The lesson? If you try to access the president’s tax data online, you’re going to jail, prank or not.

I walk back the deepfake voice scam story, but Klon points out that it reflects a future that is coming for us soon, if not today.

Proving the old adage about a fool for a lawyer, the Mar-a-Lago trespasser has been found guilty after an ineffective pro se defense.

Klon digs into the long and thoughtful op-ed by NSA’s Glenn Gerstell about the effects of the “digital revolution” on national security.

I note the recent Carnegie report trying to move the encryption debate forward. I also plug my upcoming speech in Israel on the topic.

Download the 278th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-278.mp3
Category:general -- posted at: 9:52pm EST

Camille Stewart talks about a little-known national security risk: China’s propensity to acquire U.S. technology through the bankruptcy courts and the many ways in which the bankruptcy system isn’t set up to combat improper tech transfers. Published by the Journal of National Security Law & Policy, Camille’s paper is available here. Camille has enjoyed great success in her young career working with the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies, as a Cybersecurity Policy Fellow at New America, and as a 2019 Cyber Security Woman of the Year, among other achievements. We talk at the end of the session about life and advancement as an African American woman in cybersecurity.

Want to hear more from Camille on this topic? She’ll be speaking Friday, Sept. 13, at a lunch event hosted by the Foundation for Defense of Democracies (FDD). She’ll be joined by fellow panelists Giovanna Cinelli, Jamil Jaffer and Harvey Rishikof, along with moderator Dr. Samantha Ravich. The event will be livestreamed at www.fdd.org/events. If you would like to learn more about the event, please contact Abigail Barnes at FDD. If you are a member of the press, please direct your inquiries to press@fdd.org.

In the News Roundup, Maury Shenk tells us that UK courts have so far resisted a sustained media narrative that all facial recognition tech is inherently evil. Americans seem to agree, Matthew Heiman notes, since a majority trust law enforcement to use it responsibly. Which is more than you can say for Silicon Valley, which only 36 percent of Americans trust with the technology.

Mieke Eoyang and I talk about the Department of Homeland Security’s plan to use fake identities to view publicly available social media postings and the conflict with social media sites’ terms of service. I am unsympathetic, given the need for operational security in conducting such reviews, but we agree that DHS is biting off more than it can chew, especially in languages other than English. But really, DHS, how clueless can you be when your list of social media to be scrutinized includes three-years-dead Vine but not TikTok, which Mieke notes ironically is “what all the kids are using these days.”

Maury brings us up to speed on EU plans for the tech sector, which will be familiar to Brits contemplating the EU’s plan for them. And speaking of EU hypocrisy and incoherence (we were, weren’t we?), Erin Egan of Facebook has written a paper on data portability that deserves more attention, since it’s impossible to square the EU’s snit over Cambridge Analytica with its sanctifying of the principle of “data portability.” The paper also calls out the Federal Trade Commission for slamming Facebook for Cambridge Analytica while Commissioner Noah Phillips is warning that restrictions on data transfers can be anticompetitive. I promise to invite the commissioner on the podcast again to explore that issue.

Well, that was quick: Fraudsters used AI to mimic a CEO’s voice—accent, “melody” and all—in an unusual cybercrime case. Anyone can do this now, Maury explains. I tell listeners how to tell whether my voice has been AI-napped in future episodes.

In short hits, Mieke and I mock Denmark’s appointment of an “ambassador” to Silicon Valley. Way to cut the Valley down to size, Denmark! Maury notes that FinFisher is under investigation for violating EU export control law by selling spyware. Mieke does her best to rebut my suggestion that Silicon Valley’s bias is showing in the latest actuarial stat: It turns out that 10 percent of the accounts that President Trump has retweeted have been deplatformed. Matthew and I note that China has been caught hacking several Asian telecom companies to spy on Uighurs. Of course, if the U.S. had 5,000 citizens fighting for the Islamic State and al-Qaeda, as China claims to have, we’d probably be hacking all the same companies. State attorneys general will launch sweeping and apparently bipartisan antitrust probes into Facebook and Google this week. Good to see Silicon Valley bringing Rs and Ds together at last; who says its business model is social division? Finally, Mieke leaves us uneasy about the online security of our pensions, as hackers steal $4.2 million from one fund via compromised email.

Download the 277th Episode (mp3).

Direct download: TheCyberlawPodcast-277.mp3
Category:general -- posted at: 5:58pm EST

In this bonus episode of the Cyberlaw Podcast, Alex Stamos of Stanford’s Freeman Spogli Institute talks about the Institute’s recent paper on the risk of Chinese social media interference with Taiwan’s upcoming presidential election. It’s a wide-ranging discussion of everything from a century of Chinese history to the reasons why WeChat lost a social media competition in Taiwan to a Japanese company. Along the way, Alex notes that efforts to identify foreign government election interference have been seriously degraded by (what else?) privacy law, mixed with fear of commercial consequences when China is the attacker. If companies make data about foreign government and “inauthentic” users public, the risk of liability under GDPR as well as Chinese retaliation is real, and the benefits go more to the nation as a whole rather than to the companies taking the risk.

During the interview, Alex references a paper co-authored by his colleague, Jennifer Pan, regarding the “50c party.” You can find that paper here. He also mentions his recent op-ed in Lawfare, which you can find here.

Download the 276th Episode (mp3).


Direct download: TheCyberlawPodcast-276.mp3
Category:general -- posted at: 11:28pm EST

And we’re back with an episode that tries to pick out some of the events of August that will mean the most for technology law and policy this year. Dave Aitel opens, telling us that Cyber Command gave the world a hint of what “defending forward” looks like with an operation that is claimed to have knocked the Iranian Revolutionary Guard’s tanker attacks for a long-lasting loop. 

David Kris lifts the curtain on China’s approach to information warfare, driven by the Hong Kong protests and its regional hegemonic ambitions. 

Speaking of China, it looks as though that government’s determination to bring the Uighur population to heel led it to create a website devoted to compromising iPhones, in the process disclosing a few zero-days and compromising anybody who viewed the site. Dave Aitel teases out some of the less obvious lessons. He criticizes Apple for not giving security-minded users the tools they need to protect themselves. But he resists my suggestion that the FBI, which first flagged the site for Google’s Project Zero, went to Google because Apple wasn’t responsive to the Bureau’s concerns. (Alternative explanation: If you embarrass the FBI in court, don’t be surprised if they embarrass you a few years later.)

The lesson of the fight over Chinese disinformation about Hong Kong on Twitter and Facebook and the awkwardness of Apple’s situation when faced with Chinese hacking is that the U.S.-China trade war is a lot more than a trade war. It’s a grinding, continental decoupling drift that the trade war is driving but which the Trump Administration probably couldn’t stop now if the president wanted to. We puzzle over exactly what the president does want. Then I shift to mocking CNN for Trump derangement and inaccuracy (yes, it’s an easy target, but give me a break, I’ve been away for a month): Claims that the president couldn’t “hereby order” U.S. companies to speed their decoupling from China are just wrong as a matter of law. In fact, the relevant law, still in effect with modest changes, used to be called the Trading with the Enemy Act. And it’s been used to “hereby order” the decoupling of the U.S. economy from countries like Nazi Germany, among others. Whether such an order in the case of China would be “lawful but stupid” is another question.

August saw more flareups over alleged Silicon Valley censorship of conservative speech. Facebook has hired former Sen. Kyl to investigate claims of anti-conservative bias in its content moderation, and the White House is reportedly drafting an executive order to tackle Silicon Valley bias. I ask whether either the FTC or FCC will take up their regulatory cudgels on this issue and suggest that Bill Barr’s Justice Department might have enough tools to enforce strictures against political bias in platform censorship. 

We close with the most mocked piece of tech-world litigation in recent weeks – Crown Sterling’s lawsuit against BlackHat for not enforcing its code of conduct while the company was delivering a widely disparaged sponsored talk about its new crypto system. Dave Aitel, who runs a cybersecurity conference of his own, lays out the difficulties of writing and enforcing a conference code of conduct. I play Devil’s Advocate on behalf of Crown Sterling, and by the end, Dave finds himself surprised to feel just a bit of Sympathy for the Devil.

Download the 275th Episode (mp3).


Direct download: TheCyberlawPodcast-275.mp3
Category:general -- posted at: 11:36am EST
