We spend much of this episode of the Cyberlaw Podcast talking about toxified technology – new tech that is being demonized for a variety of reasons. Exhibit One, of course, is “spyware,” essentially hacking tools that allow governments to access phones or computers otherwise closed to them, usually by end-to-end encryption. The Washington Post and the New York Times have led a campaign to turn NSO’s Pegasus tool for hacking phones into radioactive waste. Jim Dempsey, though, reminds us that not too long ago, in defending end-to-end encryption, tech policy advocates insisted that the government did not need mandated access to encrypted phones because they could engage in self-help in the form of hacking. David Kris points out that, used with a warrant, there’s nothing uniquely dangerous about hacking tools of this kind. I offer an explanation for why the public policy community and its Silicon Valley funders have changed their tune on the issue: having won the end-to-end encryption debate, they feel free to move on to the next anti-law-enforcement campaign.

That campaign includes private lawsuits against NSO by companies like WhatsApp, whose lawsuit was briefly delayed by NSO’s claim of sovereign immunity on behalf of the (unnamed) countries it builds its products for. That claim made it to the Supreme Court, David reports, where the U.S. government recently filed a brief that will almost certainly send NSO back to court without any sovereign immunity protection.

Meanwhile, in France, Amesys and its executives are being prosecuted for facilitating the torture of Libyan citizens at the hands of the Muammar Qaddafi regime. Amesys evidently sold an earlier and less completely toxified technology—packet inspection tools—to Libya. The criminal case is pending.

And in the U.S., a whole set of tech toxification campaigns are under way, aimed at Chinese products. This week, Jim notes, the Federal Communications Commission came to the end of a long road that began with jawboning in the 2000s and culminated in a flat ban on installing Chinese telecom gear in U.S. networks. On deck for China are DJI’s drones, which several Senators see as a comparable national security threat that should be handled with a similar ban. Maury Shenk tells us that the British government is taking the first steps on a similar path, this time with a ban on some government uses of Chinese surveillance camera systems.

Those measures do not always work, Maury tells us, pointing to a story that hints at trouble ahead for U.S. efforts to decouple Chinese from American artificial intelligence research and development. 

Maury and I take a moment to debunk efforts to persuade readers that artificial intelligence (AI) is toxic because Silicon Valley will use it to take our jobs. AI code writing is not likely to graduate from facilitating coding any time soon, we agree. Whether AI can do more in human resources (HR) may be limited by a different toxification campaign—the largely phony claim that AI is full of bias. Amazon’s effort to use AI in HR, I predict, will be sabotaged by this claim. The effort to avoid bias will almost certainly lead Amazon to build race and gender quotas into its engine.

And in a few quick hits:

• I express doubt that Australia’s “unleash the hounds” approach to ransomware actually has anything to do with one notorious ransomware actor’s extortion site going down 
• Maury praises an MIT Technology Review piece that argues persuasively that China’s social credit system is not quite as dystopian as it’s been portrayed. I point out that, with Airbnb practicing guilt by association and PayPal taking your money for saying things PayPal doesn’t like, Silicon Valley can brag that it’s going to reach Full-Bore Dystopia well before China. 
• I cover the fourth review in three administrations of the dual-hat leadership of NSA and Cyber Command. No change is likely. 

And we close with a downbeat assessment of Elon Musk’s chances of withstanding the combined hostility of European and U.S. regulators, the press, and the left-wing tech-toxifiers in civil society. He is a talented guy, I argue, and with a three-year runway, he could succeed, but he does not have three years.

The Cyberlaw Podcast leads with the legal cost of Elon Musk’s anti-authoritarian takeover of Twitter. Turns out that authority figures have a lot of weapons, many grounded in law, and Twitter is at risk of being on the receiving end of those weapons. Brian Fleming explores the apparently unkillable notion that the Committee on Foreign Investment in the U.S. (CFIUS) should review Musk’s Twitter deal because of a relatively small share that went to investors with Chinese and Persian Gulf ties. It appears that CFIUS may still be seeking information on what Twitter data those investors will have access to, but I am skeptical that CFIUS will be moved to act on what it learns. More dangerous for Twitter and Musk, says Charles-Albert Helleputte, is the possibility that the company will lose its one-stop-shop privacy regulator for failure to meet the elaborate compliance machinery set up by European privacy bureaucrats. At a quick calculation, that could expose Twitter to fines up to 120% of annual turnover. Finally, I reprise my skeptical take on all the people leaving Twitter for Mastodon as a protest against Musk allowing the Babylon Bee and President Trump back on the platform. If the protestors really think Mastodon’s system is better, I recommend that Twitter adopt it, or at least the version that Francis Fukuyama and Roberta Katz have described.

If you are looking for the far edge of the Establishment’s Overton Window on China policy, you will not do better than the U.S.-China Economic and Security Review Commission, a consistently China-skeptical but mainstream body. Brian reprises the Commission’s latest report. The headline, we conclude, is about Chinese hacking, but the recommendations does not offer much hope of a solution to that problem, other than more decoupling. 

Chalk up one more victory for Trump-Biden continuity, and one more loss for the State Department. Michael Ellis reminds us that the Trump administration took much of Cyber Command’s cyber offense decision making out of the National Security Council and put it back in the Pentagon. This made it much harder for the State Department to stall cyber offense operations. When it turned out that this made Cyber Command more effective and no more irresponsible, the Biden Administration prepared to ratify Trump’s order, with tweaks.

I unpack Google’s expensive (nearly $400 million) settlement with 40 States over location history. Google’s promise to stop storing location history if the feature was turned off was poorly and misleadingly drafted, but I doubt there is anyone who actually wanted to keep Google from using location for most of the apps where it remained operative, so the settlement is a good deal for the states, and a reminder of how unpopular Silicon Valley has become in red and blue states.

Michael tells the doubly embarrassing story of an Iranian hack of the U.S. Merit Systems Protection Board. It is embarrassing to be hacked with a log4j exploit that should have been patched. But it is worse when an Iranian government hacker gets access to a U.S. government network—and decided that the access is only good for mining cryptocurrency. 

Brian tells us that the U.S. goal of reshoring chip production is making progress, with Apple planning to use TSMC chips from a new fab in Arizona. 

In a few updates and quick hits:

• I remind listeners that a lot of tech companies are laying employees off, but that overall Silicon Valley employment is still way up over the past couple of years.
• I give a lick and a promise to the mess at cryptocurrency exchange FTX, which just keeps getting worse.
• Charles updates us on the next U.S.-E.U. adequacy negotiations, and the prospects for Schrems 3 (and 4, and 5) litigation.

And I sound a note of both admiration and caution about Australia’s plan to “unleash the hounds” – in the form of its own Cyber Command equivalent – on ransomware gangs. As U.S. experience reveals, it makes for a great speech, but actual impact can be hard to achieve.

We open this episode of the Cyberlaw Podcast by considering the (still evolving) results of the 2022 midterm election. Adam Klein and I trade thoughts on what Congress will do. Adam sees two years in which the Senate does nominations, the House does investigations, and neither does much legislation—which could leave renewal of the critically important intelligence authority, Section 702 of the Foreign Intelligence Surveillance Act (FISA), out in the cold. As supporters of renewal, we conclude that the best hope for the provision is to package it with trust-building measures to restore Republicans’ willingness to give national security agencies broad surveillance authorities.

I also note that foreign government cyberattacks on our election, which have been much anticipated in election after election, failed once again to make an appearance. At this point, election interference is somewhere between Y2K and Bigfoot on the “things we should have worried about” scale.

In other news, cryptocurrency conglomerate FTX has collapsed into bankruptcy, stolen funds, and criminal investigations. Nick Weaver lays out the gory details.

A new panelist on the podcast, Chinny Sharma, explains to a disbelieving U.S. audience the U.K. government’s plan to scan all the country’s internet-connected devices for vulnerabilities. Adam and I agree that it could never happen here. Nick wonders why the U.K. government does not use a private service for the task. 

Nick also covers This Week in the Twitter Dogpile. He recognizes that this whole story is turning into a tragedy for all concerned, but he is determined to linger on the comic relief. Dunning-Krueger makes an appearance. 

Chinny and I speculate on what may emerge from the Biden administration’s plan to reconsider the relationship between the Cybersecurity and Infrastructure Security Agency (CISA) and the Sector Risk Management Agencies that otherwise regulate important sectors. I predict turf wars and new authorities for CISA in response. The Obama administration’s egregious exemption of Silicon Valley from regulation as critical infrastructure should also be on the chopping block. Finally, if the next two Supreme Court decisions go the way I hope, the Federal Trade Commission will finally have to coordinate its privacy enforcement efforts with CISA’s cybersecurity standards and priorities. 

Adam reviews the European Parliament’s report on Europe’s spyware problems. He’s impressed (as am I) by the report’s willingness to acknowledge that this is not a privacy problem made in America. Governments in at least four European countries by our count have recently used spyware to surveil members of the opposition, a problem that was unthinkable for fifty years in the United States. This, we agree, is another reason that Congress needs to put guardrails against such abuse in place quickly.

Nick notes the U.S. government’s seizure of what was $3 billion in bitcoin. Shrinkflation has brought that value down to around $800 million. But it is still worth noting that an immutable blockchain brought James Zhong to justice ten years after he took the money.  

Disinformation—or the appalling acronym MDM (for mis-, dis-, and mal-information)—has been in the news lately. A recent paper counted the staggering cost of “disinformation” suppression during coronavirus times. And Adam published a recent piece in City Journal explaining just how dangerous the concept has become. We end up agreeing that national security agencies need to focus on foreign government dezinformatsiya—falsehoods and propaganda from abroad – and not get in the business of policing domestic speech, even when it sounds a lot like foreign leaders we do not like. 

Chinny takes us into a new and fascinating dispute between the copyleft movement, GitHub, and Artificial Intelligence (AI) that writes code. The short version is that GitHub has been training an AI engine on all the open source code on the site so that it can “autosuggest” lines of new code as you are writing the boring parts of your program. The upshot is that open source code that the AI strips off the license conditions, such as copyleft, that are part of some open source code. Not surprisingly, copyleft advocates are suing on the ground that important information has been left off their code, particularly the provision that turns all code that uses the open source into open source itself. I remind listeners that this is why Microsoft famously likened open source code to cancer. Nick tells me that it is really more like herpes, thus demonstrating that he has a lot more fun coding than I ever had. 

In updates and quick hits:

• I note that the peanut butter sandwich nuclear spies have been sentenced.
• Adam celebrates TSMC’s decision to build a 3 nanometer semiconductor fab in Arizona. We cross sword about whether the fab capital of the U.S. will be Phoenix or Austin.  
• I celebrate the Russian government’s acknowledgment of the Cyberlaw Podcast’s reach when it designated long-time regular Dmitri Alperovitch for Russian sanctions. Occasional guest Chris Krebs also makes the list.
• www.mid.ru

Adam and I flag the Department of Justice’s release of basic rules for what I am calling the Euroappeasement court: the quasi-judicial body that will hear European complaints that the U.S. is not living up to human rights standards that no country in Europe even pretends to live up to. 

The war that began with the Russian invasion of Ukraine grinds on. Cybersecurity experts have spent much of 2022 trying to draw lessons about cyberwar strategies from the conflict. Dmitri Alperovitch takes us through the latest lessons, cautioning that all of them could look different in a few months, as both sides adapt to the others’ actions. 

David Kris joins Dmitri to evaluate a Microsoft report hinting that China may be abusing its recent edict requiring that software vulnerabilities be reported first to the Chinese government. The temptation to turn such reports into zero-day exploits may be irresistible, and Microsoft notes with suspicion a recent rise in Chinese zero-day exploits. Dmitri worried about just such a development while serving on the Cyber Safety Review Board, but he is not yet convinced that we have the evidence to prove the case against the Chinese mandatory disclosure law. 

Sultan Meghji keeps us in Redmond, digging through a deep Protocol story on how Microsoft has helped build Artificial Intelligence (AI) in China. The amount of money invested, and the deep bench of AI researchers from China, raises real questions about how the United States can decouple from China—and whether China may eventually decide to do the decoupling. 

I express skepticism about the White House’s latest initiative on ransomware, a 30-plus nation summit that produced a modest set of concrete agreements. But Sultan and Dmitri have been on the receiving end of deputy national security adviser Anne Neuberger’s forceful personality, and they think we will see results. We’d better. Baks reported that ransomware payments doubled last year, to $1.2 billion.  

David introduces the high-stakes struggle over when cyberattacks can be excluded from insurance coverage as acts of war. A recent settlement between Mondelez and Zurich has left the law in limbo. 

Sultan tells me why AI is so bad at explaining the results it reaches. He sees light at the end of the tunnel. I see more stealthy imposition of woke academic values. But we find common ground in trashing the Facial Recognition Act, a lefty Democrat bill that throws together every bad proposal to regulate facial recognition ever put forward and adds a few more. A red wave will be worth it just to make sure this bill stays dead.

Finally, Sultan reviews the National Security Agency’s report on supply chain security. And I introduce the elephant in the room, or at least the mastodon: Elon Musk’s takeover at Twitter and the reaction to it. I downplay the probability of CFIUS reviewing the deal. And I mock the Elon-haters who fear that scrimping on content moderation will turn Twitter into a hellhole that includes *gasp!* Republican speech. Turns out that they are fleeing Twitter for Mastodon, which pretty much invented scrimping on content moderation.

You heard it on the Cyberlaw Podcast first, as we mash up the week’s top stories: Nate Jones commenting on Elon Musk’s expected troubles running Twitter at a profit and Jordan Schneider noting the U.S. government’s creeping, halting moves to constrain TikTok’s sway in the U.S. market. Since Twitter has never made a lot of money, even before it was carrying loads of new debt, and since pushing TikTok out of the U.S. market is going to be an option on the table for years, why doesn’t Elon Musk position Twitter to take its place? 

It’s another big week for China news, as Nate and Jordan cover the administration’s difficulties in finding a way to thwart China’s rise in quantum computing and artificial intelligence (AI). Jordan has a good post about the tech decoupling bombshell. But the most intriguing discussion concerns China’s remarkably limited options for striking back at the Biden administration for its harsh sanctions.

Meanwhile, under the heading, When It Rains, It Pours, Elon Musk’s Tesla faces a criminal investigation over its self-driving claims. Nate and I are skeptical that the probe will lead to charges, as Tesla’s message about Full Self-Driving has been a mix of manic hype and lawyerly caution. 

Jamil Jaffer introduces us to the Guacamaya “hacktivist” group whose data dumps have embarrassed governments all over Latin America—most recently with reports of Mexican arms sales to narco-terrorists. On the hard question—hacktivists or government agents?—Jamil and I lean ever so slightly toward hacktivists. 

Nate covers the remarkable indictment of two Chinese spies for recruiting a U.S. law enforcement officer in an effort to get inside information about the prosecution of a Chinese company believed to be Huawei. Plenty of great color from the indictment, and Nate notes the awkward spot that the defense team now finds itself in, since the point of the operation seems to have been, er, trial preparation. 

To balance the scales a bit, Nate also covers suggestions that Google's former CEO Eric Schmidt, who headed an AI advisory committee, had a conflict of interest because he also invested in AI startups. There’s no suggestion of illegality, though, and it is not clear how the government will get cutting edge advice on AI if it does not get it from investors like Schmidt.

Jamil and I have mildly divergent takes on the Transportation Security Administration's new railroad cybersecurity directive. He worries that it will produce more box-checking than security. I have a similar concern that it mostly reinforces current practice rather than raising the bar. 

And in quick updates:

• The Federal Trade Commission has made good on its promise to impose consent decree obligations on CEOs as well as companies. The first victim is the CEO of Drizly.
• France has fined Clearview AI the maximum possible fine for not defending a General Data Protection Regulation (GDPR) case – unsurprisingly, because Clearview AI does no business in France.

I offer this public service announcement: Given the risk that your Prime Minister’s phone could be compromised, it’s important to change them every 45 days.