The Cyberlaw Podcast

We interview Ben Buchanan about his new book, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. This is Ben’s second book and second interview on the podcast about international conflict and cyber weapons. It’s safe to say that America’s strategic posture hasn’t improved since his first appearance. We face more adversaries with more tools and a considerably greater appetite for cyber adventurism. Ben recaps some of the stories that were undercovered in the US press when they occurred. The second large attack on Ukraine’s grid, for example, was little noticed during the US election of 2016, but it appears more ominous after a recent analysis of the tools used, and perhaps most importantly, those available to the GRU but not used. 

In the news, Nick Weaver, Gus Hurwitz, and I take a quick pass at the Internet content regulation problem and Section 230 of the Communications Decency Act. I’ve written that Section 230 needs to be reconsidered, and I predict that the Justice Department, which held a workshop on Section 230 last week, will propose reforms. Gus and I offer two different takes on Facebook’s recent white paper about content moderation. Gus is more a fan of Twitter’s approach. And Nick reminds us that there are some communities on the Internet whose content causes real harm, including to innocent children.

The debate in the US is taking a distinctly European turn, I suggest, which makes Europe’s determination to regulate its way to digital innovation a little less implausible than usual. Maury Shenk outlines the very tentative (and almost certainly out of date before it’s launched) plan for building a European data lake to foster a European AI and digital economy.

Speaking of AI regulation, Elon Musk hasn’t given up on his concerns about the technology’s risks. But the real action in media circles is attacking fairly simple machine learning tools as used by law enforcement and the justice system. I think the attack is wrongheaded and will result in abandoning tools that can discipline true outliers. Nick thinks the institutionalization of bias is bad enough that giving up such tools may be the better course.

In quick hits, Nick explains how Google’s effort to stamp out ad click fraud can generate a secondary form of criminal extortion. Maury explains the latest flap over Australia’s encryption law; the tl;dr is that nothing is likely to change soon. Gus makes a down payment on an emerging issue: Whether ISPs can defeat Internet privacy laws that affect them by pleading their First Amendment rights. Nick calls BS on the simplest forms of “anonymization” for credit card data now being sold. I highlight a ransomware attack on a US natural gas operator that actually affected operations and is thus a forerunner of future attacks. Nick reminds us that Julian Assange is in court to stop a US extradition bid. And Europe’s data protection advisor is questioning Google’s acquisition of Fitbit.

Download the 301st Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-301.mp3
Category:general -- posted at: 6:28pm EST

In breaking news from 1995, the Washington Post takes advantage of a leaked CIA history paper to retell the remarkable tale of Crypto AG, a purveyor of encryption products to dozens of governments – and allegedly a wholly controlled subsidiary of US and German intelligence. Nick Weaver, Paul Rosenzweig, and I are astonished at the derring-do and unapologetic enthusiasm for intelligence collection. I mean, really: The Pope?

This week’s interview is with Jonathan Reiber, a writer and strategist in Oakland, California, and former Chief Strategy Officer for Cyber Policy and Speechwriter at the Department of Defense, currently senior advisor at Technology for Global Security and visiting scholar at the UC Berkeley Center for Long-Term Cybersecurity. His recent report offers a candid view of strained relations between Silicon Valley and the Pentagon. The interview explores the reasons for that strain, the importance of bridging the gap and how that can best be done.

Nick reports that four PLA members have been indicted over the Equifax breach. He speculates that the US government is sending a message by disclosing a photo of one soldier that appears to have been taken by his own webcam. Paul and I note that China’s motivation for the hack was very likely the assembly of records on Americans not dissimilar to the records we know the Chinese keep on Uighurs – which are extraordinarily detailed and surprisingly artisanal.

The arrest of a Bitcoin mixer allows Nick to explain how Bitcoin mixing services work and why they’re illegal.

Paul lays out the potentially serious impact of Amazon’s lawsuit to stop a $10 billion Microsoft-DOD cloud contract. We note that Amazon wants to take testimony from President Trump. Thanks to his Twitter habit, we conclude, that’s not out of the question.

I preview my remarks at a February 19 Justice Department workshop on Section 230. I will reprise my article in Lawfare and the encryption debate with Nick Weaver that inspired it. And I hope to dig as well into the question of whether Section 230 provides too much protection for Silicon Valley’s censors. Speaking of which, Jeff Bezos’s company has joined the censors but won’t tell us which books it’s suppressing.

Nick and I give a favorable review to CISA’s new #Protect2020 election strategy. We search for deeper meaning in the Internet Assigned Numbers Authority’s (IANA’s) failure to complete its Domain Name System Security Extensions (DNSSEC) root key signing ceremony because of… a physical safe. And we all take a moment to mock the latest vote-by-phone snake-oil app seller, Voatz.

Download the 300th Episode (mp3).


Direct download: TheCyberlawPodcast-300.mp3
Category:general -- posted at: 11:48am EST

The next trade war will be over transatlantic data flows, and it will make the fight with China look like a picnic. That’s the subject of this episode’s interview. The European Court of Justice is poised to go nuclear – to cut off US companies’ access to European customer data unless the US lets European courts and data protection agencies refashion its intelligence capabilities according to standards no European government has ever been required to meet. Maury Shenk and I interview Peter Swire on the Schrems cases that look nearly certain to provoke a transatlantic trade and intelligence crisis. Actually, Maury interviews Peter, and I throw bombs into the conversation. But if ever there were a cyberlaw topic that deserves more bomb-throwing, this is it.

In the News Roundup, David Kris tells us that the trial of alleged Vault7 leaker Joshua Schulte is under way. And the star of the first day is our very own podcast regular, Paul Rosenzweig.

If you’re wondering whether more cybersecurity regulation is what the country needs, you should be paying attention to the Pentagon, which has embraced cybersecurity regulation for its contractors. Matthew Heiman reports that DOD isn’t finding the path easy. DOD has released its final cybersecurity plan for contractors, but the audit process needed to enforce it remains a mystery.

That’s SNAKE spelled backwards: David tells us about a new strain of ransomware; ominously, it is targeting industrial control systems. I manage to find a very modest silver lining.

Nate Jones sums up the cybersecurity lessons from the voting debacle in Iowa.

Nate also reports on the FCC’s latest half-step toward suing one or more telcos for selling phone-location data.

Matthew covers the Maze ransomware that has ravaged law firms in recent weeks. He argues that it’s only a matter of time before such attacks become dog-bites-man stories.

Matthew also notes that Google and Facebook have apparently dropped plans to terminate their transpacific cable in Hong Kong. US national security concerns seem to have driven the decision. Looks like the Great Decoupling could be spurring a very real physical decoupling.

Nate makes the best of the 2020 version of a Worthwhile Canadian Initiative: The Senate Intel Committee’s third volume of its Russian electoral interference report. It’s sober and responsible and bipartisan – and disappeared from the news cycle overnight.

And to bring you up to speed on past stories: 

  • A Brazilian judge has declined to accept charges against Glenn Greenwald, “for now.” 
  • The poster child for the facial recognition moral panic can’t catch a break: Clearview AI has been hit with cease-and-desist from Google and Facebook.
  • Tag-teaming with Bill Barr, child-welfare activists are attacking Facebook over its encryption plans and what that means for exploited kids. 
  • One of the first CCPA lawsuits has been filed, against Salesforce.
  • And This Week in Silicon Valley content moderation:
    • Letterboxd banned a black libertarian film critic’s reviews.
    • James O’Keefe’s Twitter account was suspended after he named a Bernie Sanders staffer who spoke fondly of gulags and electoral violence.
    • And Twitter banned the widely popular Zero Hedge account after it named a Chinese researcher who it thought might have a role in coronavirus.

Download the 299th Episode (mp3).


Direct download: TheCyberlawPodcast-299.mp3
Category:general -- posted at: 11:36am EST

Nick Weaver and I debate Sens. Graham and Blumenthal’s EARN IT Act, a proposal to require that social media firms follow best practices on preventing child abuse. If they don’t, they won’t get full Section 230 immunity from liability for recklessly allowing the abuse. Nick thinks the idea is ill-conceived and doomed to fail. I think there’s a core of sense to the proposal, which simply asks that Silicon Valley firms who are reckless about child abuse on their networks pay for the social costs they’re imposing. Since the bill gives the attorney general authority to modify the best practices submitted by a commission of industry, academic, and civic representatives, critics are sure that the final product will reduce corporate incentives to offer end-to-end encryption. 

But before we get to that debate, Gus Hurwitz and I unpack the law and tactics behind Facebook’s decision to pay $550 million to settle a facial recognition class action. And Klon Kitchen and Nick ponder the shocking corruption and coverup alleged in the case of a Harvard chemistry chairman being prosecuted for hiding the large sums he was getting from the Chinese government to boost its research into nanomaterials. 

Klon gives us a feel for just how hard it can be to enforce Iranian sanctions, and the creativity that went into one app developer’s evasion scheme. 

Gus and Nick offer real hope that robocalling will start to get harder, and soon: DOJ has requested restraining orders to stop telephone companies from facilitating fraudulent robocalls; the FTC has put 19 VoIP providers on notice for facilitating robocalls; and SHAKEN/STIR is slowly making it harder to spoof a phone number.

Gus asks a question that had never occurred to me, and certainly not to millions of homeowners who may have committed inadvertent felonies by installing Ring doorbell cameras. It turns out that Ring recordings may be illegal intercepts in states with all-party consent laws. At least that’s what one enterprising New Hampshire defense lawyer is arguing.

First they cock a snook at Brussels, and now this: The UK government is on a roll. It’s proposing an IoT security law that Nick endorses with enthusiasm.

Maryland, not so much: Klon critiques a proposed state law that would make ransomware illegal – and maybe ransomware research, too.

In dog-bites-man news, the United Nations has suffered a breach – probably by a semi-competent government. Which doesn’t narrow things down much, since as Nick observes, everyone but the Germans has probably pwned the UN. And the Germans are just being polite.

A lot of old stories have come back for one more turn on stage: The Russian hacker that the Russian government was afraid would sing if extradited to the US has pleaded guilty here and is probably singing already. Avast has killed Jumpshot, its much-criticized data collection operation. The Bezosphone Saga continues, as Sen. Chris Murphy calls on the DNI and FBI to investigate the hacking allegations, and Bezos’s girlfriend’s brother is suing for defamation. Charges against the Iowa courthouse penetration testers have finally been dropped. LabMD’s Mike Daugherty should probably hang up his cleats. He won a great victory over the FTC, but his racketeering suit against Tiversa and lawyers is officially time-barred. Finally, it turns out that the FBI has been investigating NSO Group since 2017, though without bringing charges, so far. 

Download the 298th Episode (mp3).


Direct download: TheCyberlawPodcast-298.mp3
Category:general -- posted at: 11:59am EST

This episode features an interview on the Bezos phone flap with David Kaye and Alex Stamos. David is a UN Special Rapporteur and clinical professor of law at UC Irvine who first drew attention to an FTI Consulting report concluding that the Saudis did hack Bezos’ phone. Alex is director of the Stanford Internet Observatory and was the CSO at Facebook; he thinks the technical case against the Saudis needs work, and he calls for a supplemental forensic review of the phone. 

In the news, Nate Jones unpacks the US-China “phase one” trade deal and what it means for the tech divide.

Nick Weaver and I agree that the King County (Seattle) Conservation District’s notion of saving postage by having everyone vote by phone is nuts. Nick in particular reacts as you’d expect him to. 

Nate talks about the profound hit the credibility of the FISA process has taken as a result of the Justice Department admitting that two of four Carter Page warrants were invalid. Among other things, it opens FISA to a kitchen sink full of proposals for handcuffing national security wiretaps. Like this one from Sen. Ron Wyden and Sen. Steve Daines.

Brazil has charged Glenn Greenwald with “cybercrimes” on evidence that would be thin at best in the US, Nate argues. Nick agrees and is only sad that the Bolsonaro government has put him in the position of defending Greenwald.

Google is redesigning its search results again, blurring even further the line between ads and organic results. Living up to its new motto (“Don’t be caught being evil”), Google announces that it’s just testing its design, and everyone should chill. Nick and I are skeptical that A/B testing will tell Google anything other than which redesign fools consumers most effectively and thus makes more protection money for Google.

And speaking of protection money, this episode was not brought to you by Avast, the company that probably would have paid the most not to be mentioned on the Cyberlaw Podcast this week. Because they’ve been caught getting largely uninformed consent to the monitoring of their customers’ Web activities. 

Download the 297th Episode (mp3).


Direct download: TheCyberlawPodcast-297.mp3
Category:general -- posted at: 3:01pm EST

This week’s episode includes an interview with Bruce Schneier about his recent op-ed on privacy. Bruce and I are both dubious about the current media trope that facial recognition technology was spawned by the Antichrist. He notes that what we are really worried about is a lot bigger than facial recognition and offers ways in which the law could address our deeper worry. I’m less optimistic about our ability to write or enforce laws designed to restrict use of information that gets cheaper to collect, to correlate, and to store every year. It’s a good, civilized exchange.

The News Roundup is a little truncated due to a technical failure. (It was a glitch in Zencastr for those of you keeping score, and I definitely am). As a result, we lost Nick Weaver’s audio for about half the program, including a hammer and tongs debate over Apple’s fight with the FBI. (But never fear, opportunities for that fight come by about as often as the Red Line comes to Dupont Circle.)

That said, it’s still a feisty episode. It begins with Michael Vatis teeing off on the California Consumer Privacy Act, the worst-drafted law he’s worked with in over 30 years of practice—and not much better on policy grounds.

We then return to Illinois’s recent law regulating AI hiring interview systems like HireVue, and sparks fly again as Mark MacCarthy and I mix it up over allegations of AI “bias.” (I’m a skeptic, to put it mildly.)

Matthew Heiman covers the surprisingly thin claim that the GRU has phished its way into Burisma Holdings. And Nick comments on (yet another!) Italian surveillance tech firm getting into trouble by misusing its capabilities.

Not-so-Big Tech has begun asking Congress for antitrust help against Big Tech. Mark is skeptical; I’m a little less so.

Matthew and I compliment frequent contributor David Kris on his speed in delivering an amicus report on the FBI’s Horowitz reforms between one episode and the next – and before his Congressional critics can finish a letter questioning his appointment. One lingering, and possibly salutary, effect of the kerfuffle is that questions are being directed at the FISA Court itself, asking why it didn’t do a better job of policing the Carter Page excesses.

Mark reports on an unusual effort by Europe’s chief privacy officer to exempt academic researchers from strict compliance with data protections laws.

In quick hits, Matthew notes that Erdogan has bowed to the Turkish Supreme Court and has reinstated access to Wikipedia. He also reports on the Department of the Interior permanently grounding its drone fleet over spying concerns. Nick chuckles over China’s APT 40 getting doxed, and we both give credit to NSA’s Anne Neuberger for disclosing and enabling the patch by Microsoft of a major vulnerability in the Crypt32 library. And I note the likelihood that Clearview will be sued for violating terms of service to obtain the facial recognition data it uses to provide identification services to law enforcement.


Download the 296th Episode (mp3).


Direct download: TheCyberlawPodcast-296.mp3
Category:general -- posted at: 3:48pm EST

There’s a fine line between legislation addressing deepfakes and legislation that is itself a deep fake. Nate Jones reports on the only federal legislation addressing the problem so far. I claim that it is well short of a serious regulatory effort—and pretty close to a fake law.

In contrast, India seems serious about imposing liability on companies whose unbreakable end-to-end crypto causes harm, at least to judge from the howls of the usual defenders of such crypto. David Kris explains how the law will work. I ask why Silicon Valley gets to impose the externalities of encryption-facilitated crime on society without consequence when we’d never allow tech companies to say that society should pick up the tab for their pollution because their products are so cool. In related news, the FBI may be turning the Pensacola military terrorism attack into a slow-motion replay of the San Bernardino fight with Apple, this time with more top cover.

Poor Nate seems to draw all the fake legislation in this episode. He explains a 2020 appropriations rider requiring the State Department to report on how it issues export licenses for cyber espionage capabilities; this is a follow-up to investigative reporting on the way such capabilities in the UAE ended up being used against human rights activists. As we agree, it’s an interesting and likely unsolvable policy problem, so the legislation opts for the most meaningless of remedies, requiring the Directorate of Defense Trade Control to report “on cybertools and capabilities licensing, including licensing screening and approval procedures as well as compliance and enforcement mechanisms” within 90 days.

Nate also gets to cover some decidedly un-fake requirements in the 2019 NDAA, limiting how defense contractors can use Chinese technology. The other shoe is about to drop, and if the first one was a baby shoe, the second is a Clydesdale’s horseshoe.

It’s hard to call it fake, but the latest export control rule restricting sales of AI could hardly be narrower. Maury Shenk and I speculate that this is because a long-term turf war has broken out again in export control policy circles. Maury’s money is on the business side of that fight, and the narrowness of the AI rule gives weight to his views.

And here’s some Christmas cheer for DOJ and national security officials: A federal district court presented Edward Snowden with a lump of coal—the only royalties it thought he deserved from a book that violated his nondisclosure agreement. Nate thinks it’s time for me to buy one, but I’m waiting for appellate confirmation.

Less festive news comes from the European Court of Justice’s advocate general opinion in Schrems II, a case that could greatly complicate EU-US data transfers by purporting to put Europeans in charge of how the US defends itself from terrorism. Maury explains; I complain.

David unpacks with clarity a complex Second Circuit decision on the constitutionality of FISA 702 collection. On the whole, Judge Lynch did a creditable job with a messy and unprecedented set of claims, though I question the wisdom of erecting a baroque mansion of judge-made procedures on a slippery foundation like the Fourth Amendment’s requirement that searches be “reasonable.”

And in short hits, Maury tells us that Italy has imposed a French-style revenue tax on Internet companies, and Russia claims that it has successfully tested the ability to disconnect from the Internet. Now if we could only get them to stay that way. Illinois has a new, mostly fake law imposing modest regulations on the use of AI in video job interviews. The TRACED Act rises above fakeness in attacking robocalls but just barely. And the FAA released an NPRM calling for a pretty serious requirement for remote ID of drones.

And to put everyone back in the Christmas spirit, LabMD won nearly a million dollars in fees from the Federal Trade Commission for the FTC’s bullheaded pursuit of the company despite the many flaws in its case. The master’s opinion makes clear just how badly the FTC erred in hounding LabMD.


Download the 295th Episode (mp3).


Direct download: TheCyberlawPodcast-295.mp3
Category:general -- posted at: 2:19pm EST
