The Cyberlaw Podcast

The Cyberlaw Podcast discusses issues at the intersection of technology and the law.

Download the 359th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-359.mp3
Category:general -- posted at: 2:17pm EDT

Our interview is with Mark Montgomery and John Costello, both staff to the Cyberspace Solarium Commission. The commission, which issued its main report more than a year ago, is swinging through the pitch, following up with new white papers, draft legislative language and enthusiastic advocacy for its recommendations in Congress, many of which were adopted last year. That makes it the most successful of the many cybersecurity commissions that have come and gone in Washington. And it’s not done yet. Mark and John review several of the most important legislative proposals the commission will be following this year. I don’t agree with all of them, but they are all serious ideas and it’s a good bet that a dozen or more could be adopted in this Congress.

In the news roundup, David Kris and I cover the FBI’s use of a single search warrant to remove a large number of web shells from computers infected by China’s irresponsible use of its access to Microsoft Exchange. The use of a search (or, more accurately, seizure) warrant is a surprisingly far-reaching interpretation of Federal Criminal Rule 41. But despite valiant efforts, David is unable to disagree with my earlier expressed view that the tactic is lawful.

Brian Egan outlines what’s new in the Biden administration’s sanctions on Russia for its SolarWinds exploits. The short version: While some of the sanctions break new ground, as with Russian bonds, they do so cautiously.

Paul Rosenzweig, back from Costa Rica, unpacks a hacking story that has everything—terrorism, the FBI, Apple, private sector hacking and litigation. Short version: we now know the private firm that saved Apple from the possibility of an order to hack its own phone. It’s an Australian firm named Azimuth that apparently only works for democratic governments but that is nonetheless caught up in Apple’s bully-the-cybersecurity-researchers litigation campaign.

Gus Hurwitz talks to us about the seamy side of content moderation (or at least one seamy side) – the fight against “coordinated inauthentic behaviour.”

In quicker takes, Paul gives us a master class in how to read the intel community’s Annual Threat Assessment. David highlights what may be the next Chinese telecom manufacturing target, at least for the GOP, after Huawei and ZTE. I highlight the groundbreaking financial industry breach notification rule that has finished and is moving toward adoption. And Gus summarizes the state of Silicon Valley antitrust legislation—everyone has a bill—so no one is likely to get a bill.

Download the 358th Episode (mp3)


Direct download: TheCyberlawPodcast-358.mp3
Category:general -- posted at: 2:23pm EDT

They used to say that a conservative was a liberal who’d been mugged. Today’s version is that a conservative who’s comfortable with business regulation is a conservative who’s been muzzled by Silicon Valley. David Kris kicks off this topic by introducing Justice Thomas’s opinion in a case over Trump’s authority to block users he didn’t like. The case was made thoroughly moot by both the election and Twitter’s blocking of Trump, but Justice Thomas wrote separately to muse on the ways in which Twitter’s authority to block users could be regulated by treating the company as a common carrier or public accommodation. David sees a trend among conservative jurists to embrace limits on Big Social’s authority to suppress speech.

I recount my experience being muzzled by LinkedIn, which would not let me link to a new Daily Mail story about the Hunter Biden laptop and say, “The social media giants that won’t let you say the 2020 election was rigged are the people who did their best to rig it: The Hunter Biden laptop was genuine and scandalous according to the Daily Mail.” To my mind, this is Big Social protecting its own business interests by suppressing a story that could convince people that the industry has too much power over our national dialogue and our elections. (I mocked LinkedIn by posting 5 variants of my original post, all making the same point in slightly different ways. You can see this on my LinkedIn account result.)

But my view that we should not let five or six Silicon Valley owners take over our national dialogue is challenged by Jamil Jaffer, a friend and conservative who is appalled at my deviation from Republican antiregulatory orthodoxy and First Amendment doctrine. It’s a great conservative catfight that mirrors the much greater catfight now under way in the Republican party.

Elsewhere in the news roundup, Jordan Schneider and David dig into the claims that China has built advanced weapons systems with the help of American chip designers and Taiwanese fabs.

The accusation has led the Biden administration to slap export controls on several Chinese firms. Whether this will work without more aggressive U.S. controls on, say, foreign fabs serving those firms is open to question.

More to the point, it raises questions about long term U.S. industrial policy. David notes that one answer, the bipartisan “Endless Frontier Act,” is gaining some momentum. (I understand the motivation but question the execution.) We also touch on the sad story of Intel’s recent missteps, and the opportunity that industrial policy has created for GlobalFoundries’ IPO.

Meanwhile Jamil takes on AdTech espionage, while U.S. senators ask Digital-Ad auctioneers to name foreign clients amid national-security concerns.

We all weigh in on the administration’s cyber picks, announced over the weekend. The unanimous judgment is that Chris Inglis, Jen Easterly and Rob Silvers are good picks—and, remarkably, ended up in the right jobs.

In shorter hits, David and I ponder Twitch’s unusual decision to start punishing people online for misdeeds offline—misdeeds that Twitch will investigate itself. Neither of us is comfortable with the decision, including the effort to do privately what we pay cops and courts to do publicly, but there is more justification for the policy in some cases (think child sexual abuse) than might be apparent at first glance.

I tell the story of the Italian authorities identifying and arresting someone trying to hire a hitman using cryptocurrency and the dark web. As far as I know, successful cryptocurrency hitmen remain as rare as unicorns.

David suggests that I should be glad not to live in Singapore, where the penalty for information the establishment doesn’t like is a criminal libel judgment that I’d be forced to crowdfund like Singapore’s government critics. I note that American sites like GoFundMe and Patreon have already imposed ideological screens that mean I wouldn’t be able to crowdfund my defense against Big Social.

And, for This Week in Data Breaches, I note the new tactic of ransomware gangs trying to pressure their victims to pay by threatening the victims’ customers with doxxing plus the remarkable phenomenon of half-billion-user data troves that the source companies say are not really the result of network breaches and so not disclosable.

Direct download: TheCyberlawPodcast-357_.mp3
Category:general -- posted at: 4:50pm EDT

Our interview is with Kim Zetter, author of the best analysis to date of the weird messaging from the National Security Agency (NSA) and Cyber Command about the domestic “blind spot” or “gap” in their cybersecurity surveillance. I ask Kim whether this is a prelude to new NSA domestic surveillance authorities (definitely not, at least under this administration), why the gap can’t be filled with the broad emergency authorities for the Foreign Intelligence Surveillance Act and criminal intercepts (they don’t fit, quite) and how the gap is being exploited by Russian (and soon other) cyberattackers. My most creative contribution: maybe Amazon Web Services, where most of the domestic machines are being spun up, would trade faster cooperation in targeting such machines for a break on the know-your-customer rules they may otherwise have to comply with. And if you haven’t subscribed to Kim’s (still free for now) substack newsletter, you’re missing out.

In the news roundup, we give a lick and a promise to today’s Supreme Court decision in the fight between Oracle and Google over application programming interface copyrights, but Mark MacCarthy takes us deep on the Supreme Court’s decision cutting the heart out of most class actions for robocalling. Echoing Congressional Democrats, Mark thinks the court’s decision is too narrow. I think it’s exactly right. We both expect Congress to revisit the law soon.

Nick Weaver and I explore the fuss over vaccination passports and how Silicon Valley can help. 

Considering what a debacle the Google and Apple effort on tracing turned into, with a lot of help from privacy zealots, I’m pleased that Nick and I agree that this is a tempest in a teapot. Paper vax records are likely to be just fine most of the time. That won’t prevent privacy advocates from trying to set unrealistic and unnecessary standards for any electronic vax records system, more or less guaranteeing that it will fall of its own weight. 

Speaking of unrealistic privacy advocates, Charles-Albert Helleputte explains why the much-touted General Data Protection Regulation privacy regime is grinding to a near halt as it moves from theory to practice. Needless to say, I am not surprised.

Mark and I scratch the surface of Facebook’s Fairness Flow for policing artificial intelligence bias. Like anything Facebook does, it’s attracted heavy criticism from the left, but Mark thinks it’s a useful, if limited, tool for spotting bias in machine learning algorithms. I’m half inclined to agree, but I am deeply suspicious of the confession in one “model card” that the designers of an algorithm for identifying toxic speech seem to have juiced their real-life data with what they call “synthetic data” because “real data often has disproportionate amounts of toxicity directed at specific groups.” That sure sounds as though the algorithm relying on real data wasn’t politically correct, so the researchers just made up data that fit their ideology and pretended it was real—an appalling step for scientists to take with little notice. I welcome informed contradiction.

Nick explains why there’s no serious privacy problem with the IRS subpoena to Circle, asking for the names of everyone who has more than $20 thousand in cryptocurrency transactions. Short answer: everybody who doesn’t deal in cryptocurrency already has their transactions reported to the IRS without a subpoena.

Charles-Albert and I note that the EU is on the verge of finding that South Korea’s data protection standards are “adequate” by EU standards. The lesson for the U.S. and China is simple: The Europeans aren’t looking for compliance; they’re looking for assurances of compliance. As Fleetwood Mac once sang, “Tell me lies, tell me sweet little lies.”

Mark and I note the extreme enthusiasm with which the FBI used every high-tech tool to identify even people who simply trespassed in the Capitol on Jan. 6. The tech is impressive, but we suspect a backlash is coming. Nick weighs in to tell me I’m wrong when I argue that we didn’t see these tools used this way against Antifa’s 2020 rioters.

Nick thinks we haven’t paid enough attention to the Accellion breach, and I argue that companies are getting a little too comfortable with aggressive lawyering of their public messages after a breach. One result is likely to be a new executive order about breach notification (and other cybersecurity obligations) for government contractors, I predict.

And Charles and I talk about the UK’s plan to take another bite out of end-to-end encryption services, essentially requiring them to show they can still protect kids from sexual exploitation without actually reading the texts and pictures they receive. 

Good luck with that!

Download the 356th Episode (mp3)


Direct download: TheCyberlawPodcast-356.mp3
Category:general -- posted at: 12:20pm EDT
