The Cyberlaw Podcast

The big cyberlaw story of the week is the Justice Department’s antitrust lawsuit against Google and the many hats it wears in the online ad ecosystem. Lee Berger explains the Justice Department’s theory, which is not dissimilar to the Texas attorney general’s two-year-old claims. When you have lost both the Biden administration and the Texas attorney general, I suggest, you cannot look too many places for friends—and certainly not to Brussels, which is also pursuing similar claims of its own. So what is the Justice Department’s late-to-the-party contribution? At least two things, Lee suggests: a jury demand that will put all those complex Borkian consumer-welfare doctrines in front of a northern Virginia jury and a “rocket docket” that will allow Justice to catch up with and maybe lap the other lawsuits against the company. This case looks as though it will be long and ugly for Google, unless it turns out to be short and ugly. Mark reminds us that, for the Justice Department, finding an effective remedy may be harder than proving anticompetitive conduct.

Nathan Simington assesses the administration’s announced deal with Japan and the Netherlands to enforce a tougher decoupling policy against China’s semiconductor makers. Details are still a little sparse, but some kind of deal was essential for the United States. But for Japan and the Netherlands, the details are critical, and any arrangement will require flexibility and sophistication on the part of the Commerce Department. 

Megan Stifel and I chew over the Justice Department/FBI victory lap after putting a stick in the spokes of The Hive ransomware infrastructure. We agree that the lap was warranted. Among other things, the FBI handled its access to decryption keys with more care than in the past, providing them to many victims before taking down a big chunk of the ransomware gang’s tools. The bad news? Nobody was arrested, and the infrastructure can probably be reconstituted in the near term.

Here is an evergreen headline: “Facebook is going to reinstate Donald Trump’s account.” That could be the opening line of any story in the last few months, and that is probably Facebook’s strategy—a long, teasing dance of seven veils so that by the time Trump starts posting, it will be old news. If that is Facebook’s PR strategy, it is working, Mark MacCarthy reports. Nobody much cares, and they certainly do not seem to be mad at Facebook. So the company is out of the woods, and they have left the ex-president on the receiving end of a blow to the ego that is bound to sting.

Megan has more good news on the cybercrime front: The FBI identified the North Korean hacking group that stole $100 million in crypto last year—and may have kept the regime from getting its hands on any of the funds. 

Nathan unpacks two competing news stories. First, “OMG, ChatGPT will help bad guys write malware.” Second: “OMG, ChatGPT will help good guys find and fix security holes.” He thinks they are both a bit overwrought, but maybe a glimpse of the future.

Mark and Megan explain TikTok’s new offer to Washington. Megan also covers Congress’s “TayTay v. Ticketmaster” hearing after disclosing her personal conflict of interest.

Nathan answers my question: how can the FAA be so good at preventing airliners from crashing and so bad at preventing its systems from crashing? The ensuing discussion turns up more on-point bathroom humor than anyone would have expected.

In quick hits, I cover three stories:


You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-440.mp3
Category:general -- posted at: 10:15am EDT

We kick off a jam-packed episode of the Cyberlaw Podcast by flagging the news that ransomware revenue fell substantially in 2022. There is lots of room for error in that Chainalysis finding, Nick Weaver notes, but the effect is large. Among the reasons to think it might also be real is resistance to paying ransoms on the part of companies and their insurers, who are especially concerned about liability for payments to sanctioned ransomware gangs. I also note a fascinating additional insight from Jon DiMaggio, who infiltrated the Lockbit ransomware gang. He says that Entrust was hit by Lockbit, which threatened to release its internal files, and that the company responded with days of Distributed Denial of Service (DDoS) attacks on Lockbit’s infrastructure – and never did pay up. That would be a heartening display of courage. It would also be a felony, at least according to the conventional wisdom that condemns hacking back. So I cannot help thinking there is more to the story. Like, maybe the Canadian Security Intelligence Service is joining the Australian Signals Directorate in releasing the hounds on ransomware gangs. I look forward to more stories on this undercovered disclosure.

Gus Hurwitz offers two explanations for the Federal Aviation Administration system outage, which grounded planes across the country. There’s the official version and the conspiracy theory, as with everything else these days. Nick breaks down the latest cryptocurrency failure; this time it’s Genesis. Nick’s not a fan of this prepackaged bankruptcy. And Gus and I puzzle over the Federal Trade Commission’s determination to write regulations to outlaw most non-compete clauses.

Justin Sherman, a first-timer on the podcast, covers recent research showing that alleged Russian social media interference had no meaningful effect on the 2016 election. That spurs an outburst from me about the cynical scam that was the “Russia, Russia, Russia” narrative—a kind of 2016 election denial for which the press and the left have never apologized.

Nick explains the looming impact of Twitter’s interest payment obligation. We’re going to learn a lot more about Elon Musk’s business plans from how he deals with that crisis than from anything he’s tweeted in recent months.

It does not get more cyberlawyerly than a case the Supreme Court will be taking up this term—Gonzalez v. Google. This case will put Section 230 squarely on the Court’s docket, and the amicus briefs can be measured by the shovelful. The issue is whether YouTube’s recommendation of terrorist videos can ever lead to liability—or whether any judgment is barred by Section 230. Gus and I are on different sides of that question, but we agree that this is going to be a hot case, a divided Court, and a big deal.

And, just to show that our foray into cyberlaw was no fluke, Gus and I also predict that the United States Court of Appeals for the District of Columbia Circuit is going to strike down the Allow States and Victims to Fight Online Sex Trafficking Act, also known as FOSTA-SESTA—the legislative exception to Section 230 that civil society loves to hate. Its prohibition on promotion of prostitution may fall to First Amendment fears on the court, but the practical impact of the law may remain.

Next, Justin gives us a quick primer on the national security reasons for regulation of submarine cables. Nick covers the leak of the terror watchlist thanks to a commuter airline’s sloppy security. Justin explains TikTok’s latest charm offensive in Washington.

Finally, I provide an update on the UK’s online safety bill, which just keeps getting tougher, from criminal penalties, to “ten percent of revenue” fines, to mandating age checks that may fail technically or drive away users, or both. And I review the latest theatrical offering from Madison Square Garden—“The Revenge of the Lawyers.” You may root for the snake or for the scorpions, but you will not want to miss it.

Direct download: TheCyberlawPodcast-439_1.mp3
Category:general -- posted at: 10:27am EDT

In this bonus episode of the Cyberlaw Podcast, I interview Andy Greenberg, long-time WIRED reporter, about his new book, “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.” This is Andy’s second author interview on the Cyberlaw Podcast. He also came on to discuss an earlier book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. They are both excellent cybersecurity stories.

“Tracers in the Dark”, I suggest, is a kind of sequel to the Silk Road story, which ends with Ross Ulbricht, the Dread Pirate Roberts, pinioned in a San Francisco library with his laptop open to an administrator’s page on the Silk Road digital black market. At that time, cryptocurrency backers believed that Ulbricht’s arrest was a fluke, and that properly implemented, bitcoin was anonymous and untraceable. Greenberg’s book explains, story by story, how that illusion was trashed by smart cops and techies (including our own Nick Weaver!) who showed that the blockchain’s “forever” records make it almost impossible to avoid attribution over time.

Among those who fall victim to the illusion of anonymity are two federal officers who helped pursue Ulbricht—and to rip him off; the administrator of AlphaBay, Silk Road’s successor dark market; an alleged Russian hacker who made so much money hacking Mt. Gox that he had to create his own exchange to launder it all; and hundreds of child sex abuse consumers and producers.

It is a great story, and Andy brings it up to date in the interview as we dig into two massive, multi-billion seizures made possible by transaction tracing. In fact, for all the colorful characters in the book, the protagonist is really Chainalysis and its competitors, who have turned tracing into a kind of science. We close the talk by exploring Andy’s deeply mixed feelings about both the world envisioned by cryptocurrency’s evangelists and the way Chainalysis is saving us from that world.

Direct download: TheCyberlawPodcast-438_2.mp3
Category:general -- posted at: 9:44am EDT

The Cyberlaw Podcast kicks off 2023 by staring directly into the sun(set) of Section 702 authorization. The entire panel, including guest host Brian Fleming and guests Michael Ellis and David Kris, debates where things could be headed this year as the clock is officially ticking on FISA Section 702 reauthorization. Although there is agreement that a straight reauthorization is unlikely in today’s political environment, the ultimate landing spot for Section 702 is very much in doubt and a “game of chicken” will likely precede any potential deal. Everything seems to be in play, as this reauthorization battle could result in meaningful reform or a complete car crash come this time next year. Sticking with Congress, Michael also reacts to President Biden’s recent bipartisan call to action regarding “Big Tech” and ponders where Republicans and Democrats could potentially find agreement on an issue everyone seems to agree on (for very different reasons). The panel also discusses the timing of President Biden’s OpEd in the Wall Street Journal and debates whether it is intended as a challenge to the Republican-controlled House to act rather than simply increase oversight on the tech industry.

David then introduces a fascinating story about the bold recent action by the Securities and Exchange Commission (SEC) to bring suit against Covington & Burling LLP to enforce an administrative subpoena seeking disclosure of the firm’s clients implicated in a 2020 cyberattack by the Chinese state-sponsored group Hafnium. David posits that the SEC knows exactly what it is doing by taking such aggressive action in the face of strong resistance, and the panel discusses whether the SEC may have already won by attempting to protect its burgeoning piece of turf in the U.S. government cybersecurity enforcement landscape. Brian then turns to the crypto regulatory and enforcement space to discuss Coinbase’s recent settlement with New York’s Department of Financial Services. Rather than signal another crack in the foundation of the once high-flying crypto industry, Brian offers that this may just be routine growing pains for a maturing industry that is more like the traditional banking sector, from a regulatory and compliance standpoint, than it may have wanted to believe.

Then, in the China portion of the episode, Michael discusses the latest news on the establishment of a reverse Committee on Foreign Investment in the United States (CFIUS), and suggests it may still be some time before this tool gets finalized (even as the substantive scope appears to be shrinking). Next, Brian discusses a recent D.C. Circuit decision which upheld the Federal Communications Commission’s decision to rescind the license of China Telecom at the recommendation of the executive branch agencies known as Team Telecom (Department of Justice, Department of Defense, and Department of Homeland Security). This important, first-of-its-kind decision reinforces the role of Team Telecom as an important national security gatekeeper for U.S. telecommunications infrastructure. Finally, David highlights an interesting recent story about an FBI search of an apparent Chinese police outpost in New York and ponders what it would mean to negotiate with and be educated by undeclared Chinese law enforcement agents in a foreign country.

In a few updates and quick hits:

  • Brian updates listeners on the U.S. government’s continuing efforts to win multilateral support from key allies for tough new semiconductor export controls targeting China.
  • Michael picks up the thread on the Twitter Files release and offers his quick take on what it says about ReleaseTheMemo.  

And, last but not least, Brian discusses the unsurprising (according to Stewart) decision by the Supreme Court of the United States to allow WhatsApp’s spyware suit against NSO Group to continue.

Direct download: TheCyberlawPodcast-437.mp3
Category:general -- posted at: 10:39am EDT

Our first episode for 2023 features Dmitri Alperovitch, Paul Rosenzweig, and Jim Dempsey trying to cover a month’s worth of cyberlaw news. Dmitri and I open with an effort to summarize the state of the tech struggle between the U.S. and China. I think recent developments show the U.S. doing better than expected. U.S. companies like Facebook and Dell are engaged in voluntary decoupling as they imagine what their supply chain will look like if the conflict gets worse. China, after pouring billions into an effort to take a lead in high-end chip production, may be pulling back on the throttle. Dmitri is less sanguine, noting that Chinese companies like Huawei have shown that there is life after sanctions, and there may be room for a fast-follower model in which China dominates production of slightly less sophisticated chips, where much of the market volume is concentrated. Meanwhile, any Chinese retreat is likely tactical; where it has a dominant market position, as in rare earths, it remains eager to hobble U.S. companies.

Jim lays out the recent medical device security requirements adopted in the omnibus appropriations bill. It is a watershed for cybersecurity regulation of the private sector and overdue for increasingly digitized devices that in some cases can only be updated with another open-heart surgery.

How much of a watershed may become clear when the White House cyber strategy, which has been widely leaked, is finally released. Paul explains what it’s likely to say, most notably its likely enthusiasm not just for regulation but for liability as a check on bad cybersecurity. Dmitri points out that all of that will be hard to achieve legislatively now that Republicans control the House.

We all weigh in on LastPass’s problems with hackers, and with candid, timely disclosures. For reasons fair and unfair, two-thirds of the LastPass users on the show have abandoned the service. I blame LastPass’s acquisition by private equity; Dmitri tells me that’s sweeping with too broad a brush.

I offer an overview of the Twitter Files stories by Bari Weiss, Matt Taibbi, and others. When I say that the most disturbing revelations concern the massive government campaigns to enforce orthodoxy on COVID-19, all hell breaks loose. Paul in particular thinks I’m egregiously wrong to worry about any of this. No chairs are thrown, mainly because I’m in Virginia and Paul’s in Costa Rica. But it’s an entertaining and maybe even illuminating debate.

In shorter and less contentious segments:

Direct download: TheCyberlawPodcast-436.mp3
Category:general -- posted at: 12:04pm EDT
