The Cyberlaw Podcast

What is the federal government doing to get compromised hardware and software out of its supply chain? That’s what we ask Harvey Rishikof, coauthor of “Deliver Uncompromised,” and Joyce Corell, who heads the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center. There’s no doubt the problem is being admired to a fare-thee-well, and some evidence it’s also being addressed. Listen and decide!

In the News Roundup, Nate Jones and I disagree about the Second Circuit ruling that President Trump can’t block his critics on Twitter. We don’t disagree about that ruling, but I’m a lot more skeptical than Nate that it will be applied to that other famous Washington tweeter, Rep. Alexandria Ocasio-Cortez.

GDPR still sucks, but now it bites, too. Matthew Heiman explains just how bad the bite was for Marriott and British Airways.

Gus Hurwitz reprises how much—or little—we know about the FTC and Facebook. We won’t know much, he says, until we answer the question, “Where’s the complaint?”

Talk about hard supply chain issues. Congress banned Chinese surveillance cameras from the federal supply chain, but that turns out to be a lot different from, you know, actually getting rid of them.

For a change of pace, Gus and I rag on the U.S. Patent and Trademark Office (USPTO) for its petition that the Supreme Court overturn a Fourth Circuit ruling that adding “.com” to a generic term makes it trademarkable. You tell ’em, USPTO! It’s not like adding “.com” to a word has the same creativity and distinctiveness as adding “i” in front of “phone” or “pod.”

Nate and I spar over whether Section 301 can be used to retaliate against France for its 3% digital tax.

Matthew tells us that the Trump administration isn’t sharing details on classified cyberattack rules with Congress, and after a modicum of mockery, we actually find ourselves agreeing with Congress’s demand to be briefed on the rules.

Finally, in quick hits, I flag the hypocrisy of those who claim to love the idea of privacy until it gets in the way of boycotting people they disagree with and the surprising ways that GDPR has enabled personal data breaches on an industrial scale.

Download the 272nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-272.mp3
Category:general -- posted at: 5:39pm EDT

This week I interview Glenn Reynolds, of Instapundit and the University of Tennessee at Knoxville law school, about his new book, “The Social Media Upheaval.” In a crisp 64 pages, Glenn analogizes social media to a primeval city, where new proximity produces periodic outbreaks of diseases that more isolated people never experienced; traces social media’s toxicity to the desperate pursuit of engagement; and proposes remedies both for individual users and for society whole.  All that plus thoughtful advice on dietary supplements and deadlifts!

In the news roundup, Matthew Heiman dissects a recent Third Circuit ruling that Amazon can be held strictly liable for products it markets for third parties. Unlike Matthew, I am largely persuaded by the court’s ruling on products liability—but Matthew and I both have doubts about its use of Section 230 of the Communications Decency Act to protect Amazon from failure to warn liability.

Maury Shenk and Nick Weaver review the progress of the War on Facial Recognition. Opponents have rolled out the ultimate weapon in modern left ideology—ICE is using it! But facial recognition is still winning, mostly because its opponents are peddling undifferentiated fear of a technology that’s already being used for many very different purposes, from anonymously tracking shoppers moving through a store (where the store doesn’t need to know the shoppers’ identities) to boarding planes (where the airline damn well better know the passengers’ identities, and the tech only has a couple of hundred faces to match).

Matthew and Nick consider China’s seizing and installing spyware on travelers’ devices. Turns out, China’s practice isn’t all that different from most government efforts to extract data from phones, except that the Chinese leave the code on Android devices so that security researchers can reverse engineer China’s deepest fears. And what do they fear most? Japanese heavy metal, apparently. Almost makes you feel a bit of empathy for Beijing…

Maury also highlights Big Tech’s concerns about the UK’s particularly aggressive proposal for an online “duty of care.”

Nick and I follow the problem of fake cancer cures being advertised on Facebook and YouTube down the usual ratholes—who should be responsible in the first place, and why does Silicon Valley think that algorithms will ever be able to discipline such content?

This Week in the U.S.-China trade war: No one seems to know exactly what President Trump’s concessions at the G-20 meeting amount to, but more and more U.S. tech companies have decided that moving 30% of their tech sourcing out of China is a good idea no matter how the trade war ends. This war isn’t good for U.S. companies, but it’s really not good for China’s. Which, come to think of it, is what President Trump has said right from the start.

Finally, if you’re looking for tough government action against contractors with bad cybersecurity, Customs and Border Patrol is your agency. It has cut ties with Perceptics, the firm that was breached by Boris the Bullet-Dodger, and seems to be readying a debarment proceeding that will cut the firm off from future contracts. Matthew and I speculate that there may be something more behind this harsh remedy—perhaps a lack of prompt contractor candor about the breach. Whatever the context, this proceeding is likely to set a precedent that haunts other contractors long into the future.

Download the 271st Episode (mp3).


Direct download: TheCyberlawPodcast-271.mp3
Category:general -- posted at: 8:40am EDT

The theme this week is China’s growing confidence in using cyberweapons in new and sophisticated ways, as the U.S. struggles to find an answer to China’s growing ambition to dominate technology. Our interview guest, Chris Bing of Reuters, talks about his deep dive story on Chinese penetration of managed service providers like HP Enterprise—penetration that allowed them access to hundreds of other companies that rely on managed service providers for most of their IT. Most chilling for the customers are strong suggestions that the providers often didn’t provide notice of the intrusions to their customers—or that the providers’ contracts may have prevented their customers from launching quick and thorough investigations when their own security systems detected anomalous behavior originating with the providers. Chris also tells the story of an apparent Five Eyes intrusion into Yandex, the big Russian search engine.

Returning to China, in our News Roundup Nate Jones covers the latest in the U.S.-China trade war before diving into a Wall Street Journal article (by Kate O’Keeffe) that I call the Rosetta Stone for the last two years of cyber policymaking. Looking for the unifying theme in the lobbying fight over FIRRMA, the president’s executive orders on cyber and sanctions on companies like Sugon? Look no further than AMD, its aggressive accommodation of China’s ambitions in chip manufacture, and the Pentagon’s desperate effort to thwart the company’s plans. Nate and I also consider a possible new U.S. requirement that domestic 5G equipment be made outside China.

What is China planning to do with all that cyber power? Jordan Cannon lays out one little-followed story in which China seems to have taken an election-tilting page straight out of Vladimir Putin’s textbook. And Nate covers a newly patient Chinese hacking cadre willing to compromise a dozen telecomm companies for years just to collect metadata on as few as twenty telecomm customers.

Speaking of metadata, David Kris explains why Congress is more exercised over National Security Agency’s (NSA) access to American phone metadata than China’s. Congress took the view that NSA should not collect the metadata of innocent Americans, even if it only searched the data when it had a legal basis for doing so. Instead, Congress constructed a new Section 215 program that depended on each telecomm company to do searches of data that remained in their hands. Unsurprisingly, the companies have done that badly, sending the wrong data to NSA on more than one occasion. Naturally, Congress now blames NSA for “overcollecting.” 

Are you a conservative comforting yourself with the idea that Silicon Valley censorship is just a creature of platform monopoly that can be cured by more competition? Better stop reading the newspaper, as of last week. Two more conservative-hostile moves by Silicon Valley show that competition isn’t likely to end virtue signaling in the Valley. After Google banned Project Veritas’s video exposé of YouTube for, uh, privacy—that’s it, privacy—violations, its distant No. 2 competitor Vimeo responded to the competitive opportunity by also banning the video for, uh, defamation or something. And when Twitter competitor Parler offered a home to conservatives, Apple reportedly threatened (at least briefly) not to distribute the app unless it kicked some unspecified bad actors off the service.

Meanwhile, two Silicon Valley platforms that really do need at least a few conservatives were singing that famous C&W song, “I hate you. I need you. I hate that I need you.” And just to show their contempt for people they’re afraid to shut down completely, Reddit “quarantined” their wildly popular subreddit r/the_donald over posts the moderators said they’d never seen or had reported to them. And Twitter announced that it planned to salve its SJW conscience while still profiting from Trump’s tweets by attaching disapproving labels to them. Nate tries to hose me down, but it’s too late. 

Finally, in breaking news from 1993, David reports that the Trump Administration is considering an encryption crackdown but can’t choose between a toothless statement of principles and a feckless proposal of legislation that will not pass. I offer the suggestion that the statement of principles will be enough to undercut Silicon Valley’s campaign to stop encryption controls in countries like Australia, the UK and Germany. That’s where controls will eventually come from, David and I agree. I’m looking forward to all those folks who told us that GDPR was just the voice of civilization calling across the Atlantic saying the same about European encryption mandates.


Download the 270th Episode (mp3). 


Direct download: TheCyberlawPodcast-270.mp3
Category:general -- posted at: 10:23pm EDT

Our interview guests are Dick Clarke and Rob Knake, who have just finished their second joint book on cybersecurity, The Fifth Domain. We talk about what they got right and wrong in their original book. There are surprising flashes of optimism from Clarke and Knake about the state of cybersecurity, and the book itself is an up-to-date survey of the policy environment. Best of all, they have the courage to propose actual policy solutions to problems that many others just admire. I disagree with about half of their proposals, so much light and some heat are shed in the interview, which I end by bringing back the McLaughlin Group tradition of rapid-fire questions and an opinionated “you’re wrong” whenever the moderator disagrees. C’mon, you know the arguments are really why you listen, so enjoy this one!

In the news roundup, Gus Hurwitz covers the Supreme Court’s ruling on when a forum is subject to First Amendment limits. Short version: There is no Justice who thinks Silicon Valley’s platforms are public fora subject to the First Amendment. Sen. Hawley (R.-Mo.) is mocked, which prompts me to invite him to defend himself on a future episode (not because the First Amendment applies to the podcast but because it would be fun).

Matthew Heiman spells out the thinking behind Facebook’s proposed cryptocurrency. He thinks it’s all about the data; I think it’s all about WeChat. Whatever the motive, every regulatory body in Europe and the U.S. has descended on the company to extract concessions—or perhaps to kill it outright, as our own Nick Weaver has proposed.

Maury Shenk reports on the U.S. government’s threat to limit Indian H-1B visas if India persists in its extreme data localization policies. I suggest that the fight may be as much about terrorism finance as protectionism.

This week behind the Silicon Curtain: Apple is considering moving 15-30% of its production capacity out of China. Matthew and I agree that it’s easier said than done, but that the move is inevitable.

Gus lays out the difficulties that YouTube has had meeting the child protection requirements of the Child Online Privacy Protection Rule and the Federal Trade Commission’s growing interest in changing YouTube’s approach to videos aimed at kids.

Is China’s social credit rating system a Potemkin village? Bloomberg seems to think so, but Maury has his doubts. So, if you thought you could stop fearing the system and start laughing at it, better think again. 

Finally, this week in karma: The medical billing firm whose cybersecurity failings resulted in multiple medical data breaches has filed for bankruptcy, evidently the result of liabilities arising from the breach.


Download the 269th Episode (mp3).


Direct download: TheCyberlawPodcast-269.mp3
Category:general -- posted at: 8:19am EDT

We kick off Episode 267 with Gus Hurwitz reading the runes to see whether a 50-year Chicago winter for antitrust plaintiffs is finally thawing in Silicon Valley. Gus thinks the predictions of global antitrust warming are overhyped. But he recognizes we’re seeing an awful lot of robins on the lawn: The rise of Margrethe Vestager in the EU, the enthusiasm of state AGs for suing Big Tech, and the piling on of Dem presidential candidates and the House of Representatives. Judge Koh’s Qualcomm decision is another straw in the wind, triggering criticism from Gus (“an undue extension of Aspen Skiing”) and me (“the FTC needs a national security minder in privacy and competition law”). Matthew Heiman tells me I’m on the wrong page in suggesting that Silicon Valley’s suppression of conservative speech is a detriment to consumer welfare that the antitrust laws should take into account, even in a Borkian world.

I mock Austrian Greens for suing to censor speech calling it a “fascist party”—and not just in Austria but around the world. That’ll show ’em, guys. Less funny is the European Court of Justice’s advocate general, who more or less buys the Greens’ argument. And thereby reminds us why we miss Tom Wolfe, who famously said, “The dark night of fascism is always descending in the United States and yet lands only in Europe.”

Nate Jones answers the question, “Were the Russians much better at social media than we thought?” All the adjustments to that story, he notes, have increased the sophistication we’ve seen in Russia’s social media attacks.

This Week in Host Self-Promotion: I take advantage of the topic to urge my solution to the utterly unsolved problem of hack-and-dox attacks by foreign governments on U.S. candidates they don’t like: Ban the distribution of data troves stolen from candidates and officials. Nate agrees that the First Amendment doctrine here is a lot friendlier to my proposal than most people think, but he cautions that the details get messy fast.

Matthew comments on Baltimore’s tragedy of errors in handling its ransomware attack. The New York Times’ effort to pin the blame on NSA, which always looked tendentious and agenda-driven, now has another problem: It’s almost certainly dead wrong. EternalBlue doesn’t seem to have been used in the ransomware attack. Baltimore’s best case now is that its cybersecurity sucked so bad that other, completely unrelated hackers were using EternalBlue to wander the city’s system.

Speaking of cybersecurity, Matthew reminds us of two increasingly common and dangerous hacker tactics: (1) putting the “P” in APT by hanging around the system so long that you’ve downloaded all the manuals, taken all the online training, and know exactly when and how to scam the system; and (2) finding someone with lousy network security who’s connected to a harder target and breaking in through the third party.

Finally, Gary Goldsholle helps us make sense of the litigation between the SEC and Kik, which launched a cryptotoken that it insisted wasn’t a security offering and then crowdfunded its lawsuit against the SEC. So, good news for lawyers if nothing else, and perhaps for future Initial Popcorn Offerings. 


Download the 267th Episode (mp3).


Direct download: TheCyberlawPodcast-267.mp3
Category:general -- posted at: 5:41pm EDT

If you’ve lost the Germans on privacy, you’ve lost Europe, and maybe the world. That’s the lesson that emerges from my conversation with David Kris and Paul Rosenzweig about the latest declaration that the German interior minister wants to force messaging apps to decrypt chats. This comes at the same time that industry and civil society groups are claiming that GCHQ’s “ghost proposal” for breaking end-to-end encryption should be rejected. The paper, signed by all the social media giants, says that GCHQ’s proposal will erode the trust that users place in Silicon Valley. I argue that that argument is well past its sell-by date.

Speaking of trust, Paul outlines the latest tit-for-tat in the growing Silicon Curtain between the US and China, as that country announces plans to publish an “unreliable entities” list. I note that the same spirit seems to be animating the announcement that China and Russia are transitioning their militaries from Microsoft Windows to other operating systems. Talk about a bonanza for the NSA: Just the coding errors will sustain its hackers for a generation – even in the unlikely event that the Chinese and Russians resist the temptation to seed the system with backdoors aimed at their erstwhile coding partners.

Maury Shenk highlights the latest German effort to regulate “broadcasting” of content on the Internet, which the German authority says will mandate transparency and diversity. I think it’s transparently about locking in the German establishment, a view hardly contradicted by the ham-handed way CDU leader Annegret Kramp-Karrenbauer responded to the CDU’s drubbing in the EU elections. The losses were widely attributed to YouTube influencers who urged young voters to reject the main parties. The solution, AKK suggested, was more regulation of YouTube influencers. Ja, natürlich.

David brings us up to date on Iran’s latest effort to engage in social media manipulation and Facebook’s response.

Alicia Loh parses a D.C. Circuit ruling that all the White House has to do to comply with laws on keeping records of official communications is send out a memo. That obligation was satisfied, the court ruled, by a memo telling White House staff who use “vanishing” messaging apps to take screenshots of any official communications and preserve the messages. Alicia is practically the only member of our panel who even knows how to take a screenshot on a phone, which suggests that White House staff compliance might be, well, underwhelming.

Maury gives us a quick update on US states imitating GDPR. Short version: Watch California and then New York. 

And in a lightning round, I am struck by the sight of an FTC commissioner begging the Ninth Circuit not to uphold the FTC’s position in the Qualcomm case on appeal. Maury and I note the growing demand for mass contract labor spurred by the need to train AI. And Paul and I speculate on the probability of antitrust cases against Google and Amazon. It’s been a long cold Chicago winter for antitrust plaintiffs, we conclude, but a change in the climate may be coming. 

Download the 266th Episode (mp3). 


Direct download: TheCyberlawPodcast-266.mp3
Category:general -- posted at: 4:55pm EDT

Paul Rosenzweig leads off with an enduring and fecund feature in Washington these days: China Tech Fear. We cover the Trump administration’s plan to blacklist up to five Chinese surveillance companies, including Hikvision, for contributing to human rights violations against Uighurs in the Xinjiang province in China, the Department of Homeland Security’s rather bland warning that commercial Chinese drones pose a data risk for U.S. users, and the difficulty U.S. chipmakers are facing in getting “deemed export” licenses for Chinese nationals.

We delve deeper into a remarkably shallow and agenda-driven New York Times article by Nicole Perlroth and Scott Shane blaming the National Security Agency for Baltimore’s ransomware problem without ever asking why the city failed for two years to patch its systems. David Kris uses the story to talk about the vulnerabilities equities process and its flaws.

There may be a lot—or nothing—to the Navy email “spyware” story, but David points out just how many modern cyber issues it touches. With the added fillip of a “Go Air Force, Beat Navy” theme not usually sounded in cybersecurity stories.

Paul expands on what I have called “Cheap Fakes” (as opposed to “Deep Fakes”): the Pelosi video manipulated to make her sound impaired. And he manages to find something approaching good news in the advance of faked video—it may mean the end of (video) blackmail.

But not the end of “revenge porn” and revenge porn laws. I ask Gus Hurwitz whether those laws are actually protected by the Constitution, and the answer turns out to be highly qualified. But, surprisingly, media lawyers aren’t objecting that revenge porn laws that criminalize the dissemination of true facts are on a slippery slope to criminalizing news media. That is the argument they’re making about the expanded charges of espionage against WikiLeaks founder Julian Assange. David offers his view of the pros and cons of the indictment.

And Gus closes us out with some almost unalloyed good news. Despite my suspicion of any bipartisan bill in the current climate, he insists that the Senate-passed anti-robocalling bill is a straight victory for the Forces of Good. But, he warns, the House could still screw things up by adding a private right of action along the lines of the Telephone Consumer Protection Act, which has provided the plaintiffs bar with an endless supply of cases without actually benefiting consumers.


Direct download: TheCyberlawPodcast-265.mp3
Category:general -- posted at: 6:09pm EDT

We begin this episode with a quick tour of the Apple antitrust decision that pitted two Trump appointees against each other in a 5-4 decision. Matthew Heiman and I consider the differences in judging styles that produced the split and the role that 25 years of “platform billionaires” may have played in the decision.

Eric Emerson joins us for the first time to talk about the legal fallout from the latest tariff increases on Chinese products. Short version: Companies have some short-term tactics to explore (country of origin, drawback, valuation), but large importers and resellers have to grapple with larger and costlier strategies of supply chain diversification and localization.

Meanwhile, China has not been taking the trade war lying down. In addition to its own tariff increases, it seems to be enforcing its demanding cybersecurity law more aggressively against foreign firms. I ask whether we are also seeing retaliation in Chinese courts as well.

In related news, Nick Weaver and I debate the potentially sweeping new Executive Order on Securing the Information and Communications Technology and Services Supply Chain.

Maury Shenk explains the UK Supreme Court ruling that expands the court’s authority over the UK’s intelligence agencies despite clear Parliamentary language to the contrary. Bottom line: Bad news for UK intelligence. Hidden good news for the U.S.: Turns out that there is something worse than activist judges interpreting a written constitution—activist judges who can more or less make up the constitution they want.

It was a cybersecurity disaster week for some of the biggest names in tech. Nick helps me understand which bugs were worst, Cisco’s, Intel’s or Microsoft’s. Then we review the equally bad week that the NSO Group and its WhatsApp exploit had.

Cleaning up in a lightning round, we cover the order requiring the Chinese owner of Grindr to sell by mid-2020. We also cover Canada’s approach to social media, which spurs me to praise France’s Macron (!) for his moderation. The EU has a plan for sanctions on cyberattackers; Matthew and I doubt it will get much use. I think too much fuss is being made over leak investigators using Web bugs to see if defense counsel at Guantanamo have been leaking; Nick disagrees, at least a bit. And I close with yet another item in the long-running feature, “This Week in Internet Sex Toy Law.” Suffice it to say that the latest case can’t be understood without consulting both Orin Kerr and Jerry Seinfeld.


Download the 264th Episode (mp3).


Direct download: TheCyberlawPodcast-264.mp3
Category:general -- posted at: 3:46pm EDT

With apologies for the late post, Episode 263 of The Cyberlaw Podcast tells the sad tale of another U.S. government leaker who unwisely trusted The Intercept not to compromise its source. As Nick Weaver points out, The Intercept also took forever to actually report on some of the material it received.

In other news, Brian Egan and Nate Jones agree that Israel broke no new ground in bombing the headquarters of Hamas’s rudimentary hacking operation during active hostilities.

Nick and I dig into the significance of China’s use of intrusion tools pioneered by NSA. We also question the New York Times’s grasp of the issue.

The first overt cyberattack on the U.S. electric grid was a bust, I note, but that’s not much comfort.

How many years of being told “I’m washing my hair that night” should tell you you’re not getting anywhere? The FCC probably thought China Mobile should have gotten the hint after eight years of no action on its application to provide US service, but just in case the message didn’t get through, it finally pulled the plug last week.

Delegating to Big Social the policing of terrorist content has a surprising downside, as Nate points out. Sometimes the government or civil society need that data to make a court case.

We touch briefly on Facebook’s FTC woes and whether Sen. Hawley (R.-Mo.) should be using the privacy stick to beat a company he’s mad at for other reasons. I reprise my longstanding view that privacy law is almost entirely about beating companies that you’re mad at for other reasons.


Download the 263rd Episode (mp3).


Direct download: TheCyberlawPodcast-263.mp3
Category:general -- posted at: 3:02pm EDT

Has the Chinese government hired American lawyers to vet their cyberespionage tactics—or just someone who cares about opsec? Probably the latter, and if you’re wondering why China would suddenly care about opsec, look no further than Supermicro’s announcement that it will be leaving China after a Bloomberg story claiming that the company’s supply chain was compromised by Chinese actors. Nick Weaver, Joel Brenner and I doubt the Bloomberg story, but it has cost Supermicro a lot of sales—and even if it isn’t true this time, the scale and insouciance of past Chinese cyberespionage make it inherently believable. Hence the company’s shift to other sources (and, maybe, a new caution on the part of Chinese government hackers).

GDPR and the California Consumer Privacy Act (CCPA) may be the Dumb and Dumber of privacy law, but neither is going away. And for the next six months, California’s legislature will be struggling against a deadline to make sense of the CCPA. Meegan Brooks gives us an overview.

But we in Washington can’t get too smug about California’s deadline-driven dysfunction. Congress also faces a year-end deadline to renew the Section 215 program, and even the executive branch hasn’t decided what it wants. Joel takes us through the program’s history, its snake-bitten implementation, and the possible outcomes in Congress.

This week in Silicon Valley content control: Facebook dropped the link-ban hammer on Louis Farrakhan, Alex Jones and Milo Yiannopoulos for being “dangerous.” But did it really? Once again, I volunteer to put my Facebook access at risk by testing Facebook’s censorship engine—posting a different Infowars story there every day. Not because I love the conspiracy-mongering Alex Jones but because banning links is a bad idea. (Among other things, you can’t really pile links up and burn them in cinematic pyres at rallies.) But both Facebook and Jones may have a codependent interest in overstating the ban, because as of Day 4 of my experiment, my Facebook account is still alive and well, as are the Infowars links.

The FBI has accused U.S. scientists of sending intellectual property to China, running shadow labs and (this part really appalls Nick) corrupting the peer review process at NIH. Science magazine suggests that the flap is born of racial bias.

We close the episode with the latest and most shocking facial recognition scandal. It turns out face recognition researchers are chasing down unwilling subjects and restraining them to get the subjects’ pictures—all in service to untried and udderly unreliable technology. All we need to turn this into a major scandal is a public policy entrepreneur willing to work the intersection between the EFF and PETA.

Download the 262nd Episode (mp3).

Direct download: TheCyberlawPodcast-262.mp3
Category:general -- posted at: 5:43pm EDT

On Episode 261, blockchain takes over the podcast again. We dive right into the recent activity from the SEC, namely, the Framework for “Investment Contract” Analysis of Digital Assets and the No-Action Letter issued to TurnKey Jet, Inc. (TurnKey) for a digital token. Gary Goldsholle noted this guidance has been eagerly anticipated since July 2017, when the SEC first applied the Howey Test to a digital token in the DAO report. The current framework focuses primarily on the “reasonable expectation of profits” and “efforts of others” prongs of the Howey Test. While the framework lays out a number of factors to consider when determining whether a token is a security, the practicality of those factors is still up for debate.

Will Turner explained that the TurnKey No-Action Letter was most useful for parties interested in structuring a private, permissioned, centralized blockchain, but believes the guidance in the Framework would allow for alternative structures. The key from the SEC’s perspective is that there is no expectation of profits for token holders, since the token is a stablecoin pegged to the value of USD and there is no use of the token outside of TurnKey’s network. Jeff Bandman noted the irony that the first No-Action Letter related to blockchain and cryptocurrency involves private jets, particularly since “Mr. and Ms. 401(k)”—the retail investors SEC Chairman Jay Clayton is focused on protecting—are not likely to become private jet users anytime soon.

Jeff emphasized the importance of network functionality and observed that the network for private jet use was already established. Alan Cohn highlighted the tension between the need for centralization to achieve functionality and the need for decentralization as a means to avoid meeting the “derived from the efforts of others” prong of the Howey Test.

Gary then turned to Blockstack’s Regulation A filing, the most comprehensive effort to register a token under Reg. A that we have seen to date. Blockstack is seeking to be a Tier 2 issuer, meaning they can raise up to $50 million in 12 months, which comes with heightened disclosure obligations and requires audited financials. While they seek to raise capital as a security today, their ultimate goal – and a central risk factor in their offering circular – is to achieve the requisite level of decentralization such that they no longer would meet the definition of a security.

Meanwhile, in Congress, the recently reintroduced Token Taxonomy Act of 2019 would exempt a newly defined category of digital tokens from the definition of a security, as well as provide some clarity on tax issues for cryptocurrency users and exchanges. Jeff observed that these amendments might contribute further to a gap in federal regulation over spot trading markets. While the CFTC has enforcement authority, it does not have the authority to directly supervise the bitcoin trading market.

Turning to the interview, Jeff describes how he co-founded Global Digital Finance (GDF), along with other co-founders in Europe, Asia and the United States, in order to address the lack of international standards surrounding the blockchain industry—or even a general consensus of terminology. Jeff describes how GDF has a number of working groups focused on developing high-level principles and standards on a range of topics, including stablecoins, custody, tax and security tokens. GDF is trying to fill in some of the gaps that appear when jurisdictions regulate cryptocurrencies and crypto-assets differently. As an example of its work, GDF’s KYC/AML/CTF group recently commented on FATF’s standards, issuing two comments in October 2018 and April 2019.


Jeff is also in the process of launching a new transfer agent service, Block Agent, focused on enabling and supporting SEC-regulated issuances. As markets mature, it is increasingly important to have the necessary post-trade infrastructure, and he is committed to offering services that recognize the novel features and efficiencies of these new technologies.

For our listeners in the D.C. area, Steptoe is hosting a half-day complimentary regulatory symposium this Thursday, May 2, in our D.C. office. Our plenary speakers include current and former commissioners and high-level officials with agencies such as the Federal Energy Regulatory Commission, the Surface Transportation Board, and the Environmental Protection Agency. We will also have breakout panels focused on four separate topics: Deference, Globalization, Regulatory/Legislative Approach and Preemption. To register, click here.

Download the 261st Episode (mp3).

Direct download: TheCyberlawPodcast-261.mp3
Category:general -- posted at: 9:21pm EDT

In this episode, Nick Weaver and I discuss new Internet regulations proposed in the UK. He’s mostly okay with its anti-nudge code for kids, but not with requiring proof of age to access adult material. I don’t see the problem; after all, who wouldn’t want to store their passport information with Pornhub?

Sri Lanka’s government has suspended social media access in the wake of the Easter attack. As Matthew Heiman notes, the reaction in the West is more or less a shrug—far different from the universal contempt and rejection displayed toward governments that did much the same during the 2011 Arab Spring rebellions. What made the difference? I argue that it’s Putin’s remarkably successful 2016 social media counterattack on Hillary Clinton as payback for her social media campaign against him in 2011.

DNS hijacking is just getting more brazen, according to a new Cisco Talos report. Nick and I talk about why that is and what could be done about it.

Paul Rosenzweig, back from hiatus and feisty as ever, mocks the EU Commission for its on-again, off-again criticism of Kaspersky’s security. Short version: The Commission wants badly to play in cybersecurity because it’s the Hot New Thing, but it has no institutional competence there, in either sense of the word. Speaking of Kaspersky, someone is doing a bad job of trying to compromise its critics, using ham-handed private-investigator impostors.

Naked Kitten? Nick and I have a good laugh at the doxxing of Iranian government hackers.

Man bites dog: The Trump Administration is taking interagency processes seriously, and doing a better job than Obama’s team—at least when it comes to use of Cyber Command. Matthew dives into the repeal of PPD-20.

Paul brings us up to date on the Mar-a-Lago Thumb Drive Affair. Maybe it wasn’t malware after all.

Remember that face recognition software that the NGOs said was so crappy it had to be banned? Now, the New York Times reports that it’s so good it has to be banned. Not so fast, says Microsoft: Our face recognition software is still so crappy that it can’t be sold to law enforcement, and it ought to be export controlled so that China can sell—and keep improving—its face recognition tools.

Bet you thought we forgot the Mueller Report. Nope! In fact, I offer the one conclusion about the report that everyone across the political spectrum can agree on. Anti-climactically, Paul and I point out that the report throws sidelights on the "Going Dark" debate and Bitcoin anonymity. Nick points out that we already knew everything the Mueller Report tells us on those topics.

Finally, Nick and I wrangle over the lessons to be drawn from Facebook’s privacy travails.

Download the 260th Episode (mp3).

Direct download: TheCyberlawPodcast-260_1.mp3
Category:general -- posted at: 9:54pm EDT

Our News Roundup is hip deep in China stories. The inconclusive EU-China summit gives Matthew Heiman and me a chance to explain why France understands—and hates—China’s geopolitical trade strategy more than most.

Maury Shenk notes that the Pentagon’s reported plan to put a bunch of Chinese suppliers on a blacklist is a bit of a tribute to China’s own list of sectors not open to Western companies. In other China news, Matthew discloses that there’s reason to believe that China has finally begun to use all the U.S. personnel data it stole from OPM. I’m so worried it may yet turn my hair pink, at least for SF-86 purposes.

And in a sign that it really is better to be lucky than to be good, Matthew and I muse on how the Trump Administration’s China policy is coinciding with broader economic trends to force U.S. companies to reconsider their reliance on Chinese manufacturing.

It’s not all China, though. To kick things off, Nick Weaver and I schadenfreude our way through an otherwise serious take on the Julian Assange story and its strikingly narrow Computer Fraud and Abuse Act charge—and why extradition is likely to be a pain.

We also delve into the Google Sensorvault story. Nick and I agree that law enforcement access to location data, especially under the conditions set by Google, isn’t much of a privacy scandal, at least compared to private access to the same data. But that doesn’t mean it won’t raise endless legal problems for all concerned, partly because asking for a warrant out of the box isn’t quite the right legal or privacy framework.

Pete Jeydel notes two examples of CFIUS’s new toughness: It’s forcing a Russia-linked firm to sell its stake in a cybersecurity company, and it has handed out a $1 million fine to a company that blew off its obligations under a mitigation agreement.

Maury covers the German data protection commissioner’s refusal to let German police store data in the Amazon cloud. The commissioner blames the CLOUD Act and the risk that US authorities may get cross-border access to the data. I flag the commissioner for hypocrisy and ignoring international law. Turns out that the Justice Department has a good new whitepaper out on the CLOUD Act, and it points out that remote access to offshore data has been an implicit part of the Budapest Convention since the ‘90s. 

Returning once more to China, Maury and I touch on the Chinese government’s use of AI to find Uighurs in crowds of Han Chinese. In my view, the only thing surprising about this story is that the New York Times thinks we should be surprised by it.

Download the 259th Episode (mp3).

Direct download: TheCyberlawPodcast-259.mp3
Category:general -- posted at: 5:05pm EDT

Our News Roundup leads with the long, slow death of Section 230 immunity. Nick Weaver explains why he thinks social media’s pursuit of engagement has led to a poisonous online environment, and Matthew Heiman replays the astonishing international consensus that Silicon Valley deserves the blame—and the regulation—for all that ails the Internet. The UK is considering holding social media execs liable for “harmful” content on their platforms. Australia has already passed a law to punish social media companies for failure to remove “abhorrent violent material.” And Singapore is not far behind. Even Mark Zuckerberg is reading the writing on the wall and asking for regulation. I note that lost in the hate directed at social media is any notion that other countries shouldn’t be able to tell Americans what they can and can’t read. I also wonder whether the consensus that platforms should be editors will add to conservative doubts about maintaining Section 230 at all—and in the process endanger the U.S.-Mexico-Canada Agreement that would enshrine Section 230 in U.S. treaty obligations.

Nate Jones and I summarize the latest Reuters piece on American hackers working for the UAE. The short version? This is more a victory lap combined with journalists’ special pleading than a major new story.

Nate also briefs us on the latest tale of woe from Silicon Valley, where taking Chinese money and tech means you’re likely to get burned—in a government-ordered fire sale.

Nick and I disagree about how flawed facial recognition is, but not on the fact that NGOs are working overtime to turn the technology toxic.

Nate gives Kaspersky’s lawyers high grades for imagination and effort but not for credibility in their claim that we can trust the company’s software because Russian law doesn’t authorize Putin to intercept its data feeds. 

And, with a hat tip to Gus Coldebella for the story, Matthew and I dig into the Washington attorney general’s $12 million settlement with Motel 6 for its cooperation with ICE. We think Motel 6 could have defended on federal preemption grounds and maybe gotten help from the Justice Department. But if the problem was bad publicity, that defense would have just made things worse.

Our interview is with Adam Segal, the Council on Foreign Relations’ expert on all things digital and China. Adam prognosticates on the likely fate of US-China trade talks, data localization in China, and on the future of China’s commercial cyberespionage plans.

Download the 258th Episode (mp3).

Direct download: TheCyberlawPodcast-258.mp3
Category:general -- posted at: 5:58pm EDT

In today’s News Roundup, Klon Kitchen adds to what we know about the North Korean Embassy invasion by an unknown group. Turns out some of the participants fled to the U.S. and lawyered up, but the real tipoff about attribution is that they’ve given some of the data they stole to the FBI. That rules out CIA involvement right there.

Nick Weaver talks about Hal Martin pleading guilty to unlawfully retaining massive amounts of classified NSA hacking data. It’s looking more and more as though Martin was just a packrat, making his sentence of nine years in prison about right. But as Nick points out, that leaves unexplained how the Russians got hold of so much NSA data themselves.

Paul Hughes explains the seamy Europolitics behind the new foreign investment regulations that will take effect this month.

Nick explains the deeply troubling compromise of update certs at ASUS and the company’s equally troubling response. I ask why the only agency with clear authority over an incident with important national security implications is the FTC.

Nick and I comment on the Federal Trade Commission’s pending investigation of the privacy practices of seven Internet service providers.

Speaking of sensitive data practices, Klon talks about the Committee on Foreign Investment in the United States’ belated recognition that maybe the Chinese government shouldn’t have access to the most intimate desires of a portion of the U.S. LGBTQ community. I try to explain the difference between TikTok and Yik Yak and mostly fail.

Meanwhile, in splinternet news, the EU Parliament has approved the controversial Copyright Directive. A bunch of MEPs, soon to be running for reelection, claim they meant to vote against it, really, but somehow ended up voting for it.

The Department of Housing and Urban Development is suing Facebook for violating the Fair Housing Act. I ask listeners for help in finding guests who can talk about whether it’s a good idea to bar ad targeting that lets companies look for more customers like the ones they already have, even if their customers already skew toward particular genders and ethnicities.

Finally, Nick and I break down Gavin de Becker’s claim that the real killer in the Bezos sexting flap was Saudi Arabia. Plenty of smoke there, but the lack of a reference to any forensic evidence raises doubts about de Becker’s version of events.

Download the 257th Episode (mp3).

Direct download: TheCyberlawPodcast-257.mp3
Category:general -- posted at: 6:05pm EDT

In our interview, Elsa Kania and Sam Bendett explain what China and Russia have learned from the American way of warfighting—and from Russia’s success in Syria. The short answer: everything. But instead of leaving us smug, I argue it ought to leave us worried about surprise. Elsa and Sam both try to predict where the surprises might come from. Yogi Berra makes an appearance.

In the News Roundup, David Kris explains the Fourth Circuit’s decision to accept a lib/left invitation to screw up the law of stored electronic communications for a generation.

And in other litigation, a Trump-appointed judge dismisses a lawsuit against Silicon Valley’s censorship of the right. Nate Jones and I agree that, while the decision is broadly consistent with law, it may spell trouble for Silicon Valley in the long run. That’s because it depends on an idiosyncratic U.S. Court of Appeals for the D.C. Circuit interpretation of the District’s public accommodation law. I speculate that Alabama or Texas or Mississippi could easily draft a law prohibiting discrimination on the basis of viewpoint in public accommodations like the Internet. 

Nick Weaver and I note the UN report that North Korea has stolen $571 million, much of it in cryptocurrency. I ask whether the US Treasury could seize those ill-gotten bits. Maybe, says Nick, but it would really bollix up the world of cryptocurrency (not that he minds).

I explain why DHS will be rolling out facial scanning technology to a boatload of US airports—and why there’s no hidden privacy scandal in the initiative.

It kind of makes you wonder about their banks and their chocolate: Nick gloats as Switzerland’s proposed Internet voting system follows his predicted path from questionable to deep, smoking crater.

Elsa Kania and I touch on the Navy Secretary’s willingness to accept scathing criticism of the Navy’s cybersecurity. And Nick and I close with an effort to draw lessons from the disastrous software and human factor interactions at the heart of the Boeing 737 MAX crashes.

Download the 255th Episode (mp3).

Direct download: TheCyberlawPodcast-255.mp3
Category:general -- posted at: 9:33am EDT

On Episode 254 of The Cyberlaw Podcast, Stewart spends a few days off the grid, and David Kris, Maury Shenk and Brian Egan extol the virtues of data privacy and the European Union in his absence.

Maury interviews James Griffiths, a journalist based in Hong Kong and the author of the new book, “The Great Firewall of China: How to Build and Control an Alternative Version of the Internet.”

In the news, David and Brian discuss last week’s revelation that the NSA is considering whether it will continue to seek renewal of the Section 215 “call detail record” program authority when it expires in December. We plug last week’s Lawfare Podcast in which the national security advisor to House Minority Leader McCarthy made news when he reported that the NSA hasn’t been using this program for several months. David waxes poetic on the little-known and little-used “lone wolf” authority, which is also up for renewal this year.

We explore the long lineup of politicians and government officials who are lining up with new proposals to “get tough” on large technology companies. Leading the charge is Sen. Warren, who promises to roll out a plan to break up “platform utilities”—basically, large Internet companies that run their own marketplaces—if she is elected president. Not to be outdone, the current chair of the Federal Trade Commission has urged that Congress provide new authorities for the FTC to impose civil enforcement penalties on tech (and presumably other) companies that violate their data privacy commitments. And last—but never least—the French finance minister announced that he will propose a 3 percent tax on the revenue of the 30 largest Internet businesses in France, most of which are U.S. companies.

David discusses how one technology company is using a more familiar tool—litigation—to fight back against Chinese companies for creating and then selling fake Facebook and Instagram accounts.

In the “motherhood and apple pie” category, Maury explains French President Macron’s call for the creation of a “European Agency for the Protection of Democracies” to protect elections against cyberattacks. And Brian covers a recently re-introduced bill, the Cyber Deterrence and Response Act, which would impose sanctions on “all entities and persons responsible or complicit in malicious cyber activities aimed against the United States.”

If you are in London this week, you can see James Griffiths during his book tour. On March 13, he will be at the Frontline Club, and on March 14, he will be at Chatham House. You can also see him later this month at the Hong Kong Foreign Correspondents Club.

Download the 254th Episode (mp3).

Direct download: TheCyberlawPodcast-254.mp3
Category:general -- posted at: 4:55pm EDT

Our interview is with two men who overcame careers as lawyers and journalists to become serial entrepreneurs now trying to solve the “fake news” problem. Gordon Crovitz and Steve Brill co-founded NewsGuard to rate news sites on nine journalistic criteria—using, of all things, real people instead of algorithms. By the end of the interview, I’ve confessed myself a reluctant convert to the effort. This is despite NewsGuard’s treatment of Instapundit, which Gordon Crovitz and I both read regularly but which has not received a green check. 

In the news, Klon Kitchen talks about the latest on cyberconflict with Russia: CyberCom’s takedown of the Russian troll farm during the 2018 midterms. The Russians are certainly feeling abused. They are using U.S. attacks to justify pursuing an “autonomous Internet,” and they’ve sentenced two Kaspersky Lab experts to long jail terms for treason.

Gus Hurwitz, Klon, and Nick Weaver muse on the latest evidence that information intermediaries still haven’t settled on a business model. Amazon marketplace sellers will now have the ability to remove what they deem counterfeit listings. Amazon has let the FTC discipline fake paid Amazon reviews. And The Verge has a disturbing article on the human costs of using human beings to enforce Facebook’s content rules. (The failure of Silicon Valley to get a handle on this problem is, of course, the key to NewsGuard’s business model.) 

Finally, just to give me an excuse to link to this Dr. Strangelove clip, Gus tells us that not even our prosthetic arms are safe from IoT hacking.

Download the 253rd Episode (mp3).

Direct download: TheCyberlawPodcast-253.mp3
Category:general -- posted at: 7:45pm EDT

We interview Dmitri Alperovitch of CrowdStrike on the company’s 2019 Global Threat Report, which ranks the West’s cyber adversaries by what CrowdStrike calls “breakout time”: how long it takes each of them to turn a modest foothold into code execution elsewhere on a compromised network. The Russians put up truly frightening numbers—from foothold to execution in less than twenty minutes—but the real surprise is the North Koreans, who clock in at 2 hours 20 minutes. The Chinese take the bronze at just over 4 hours. Dmitri also gives props to a newcomer—South Korea—whose skills are substantial.

In the News Roundup, I cheer the police for using “reverse location search warrants” to compel Google to hand over data on anyone near a crime scene. Nick Weaver agrees and puts the blame on Google and others who collect the data rather than the police who use it to solve crimes.

A committee of the U.K. House of Commons has issued a blistering final report on disinformation and fake news. I offer this TL;DR: that all right-thinking Brits must condemn Facebook because Leave won, just as all right-thinking Americans must condemn Facebook because Trump won. Maury Shenk takes a more nuanced view.

Nick and Dmitri explain just how scary the growth of DNSpionage has become. The only thing as scary seems to be the continuing effort to put voting systems on the Internet. Nick reacts to this in the typical way of his people.

The mysterious Facebook Title III case won’t be unsealed, so we really don’t know what the Justice Department was trying to get from Facebook.

The New York Times claims that India is proposing Internet censorship along China’s model. I think that’s just the New York Times’s bias showing and that India is mainly imitating Europe. Maury rides to the New York Times’s rescue.

In breaking news, The Cyberlaw Podcast has developed AI podcasting so good we don’t dare tell you about it.

This Week in Chutzpah: Alleged hacker Lauri Love has lost his bid to recover the data he stole. I want to know why we didn’t give it back to him with a couple of keyloggers installed. The temptation to decrypt—and give prosecutors new evidence—would be irresistible.

In closing, Nick and I dwell on YouTube’s pedophile comment problem and whether recommendation engines are more to blame than human nature.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

 

Download the 252nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-252_1.mp3
Category:general -- posted at: 11:06am EDT

The backlash against Big Tech dominates this episode, with new regulatory initiatives in the U.S., EU, Israel, Russia and China. The misbegotten link tax and upload filter provisions of the EU copyright directive have survived the convoluted EU legislative gantlet. My prediction: The link tax will fail because Google wants it to fail, but the upload filter will succeed because Google wants YouTube’s competitors to fail.

Rumors are flying that the Federal Trade Commission and Facebook will agree on a $1+ billion fine on the company for failure to adhere to its consent decree. My guess? This is not so much about law as it is about the climate of hostility around the company since it took the blame for Trump’s election.

And, in yet another attack on Big Tech, the EU is targeting Google and Amazon for unfair practices as sales platforms.

Artificial intelligence is so overworked a tech theme that it has even attracted the attention of the White House and the Defense Department. We ask a new contributor, Jessica “Zhanna” Malekos Smith, to walk us through the president’s executive order on artificial intelligence. I complain that it’s a cookie-cutter order that could as easily be applied to alien abductions. The Pentagon’s AI strategy, in contrast, is somewhat more substantive.

If you can’t beat ‘em, ban ‘em. Instead of regulating Big Tech, Russia is looking to take its own internet offline in an emergency. The real question is whether Russia is planning to cause the emergency it’s protecting itself against. If so, we are profoundly unready.

The CFIUS model is contagious! Brian Egan tells us Israel is considering restrictions on Chinese investment as the world keeps choosing sides in the new cold war.

China’s Ministry of Public Security is now authorized to conduct no-notice penetration testing of internet businesses operating in China. I must say, it was nice of them to offer the service in beta to the Office of Personnel Management, Anthem and Equifax. Speaking of which, could this spell more trouble for Western firms doing business in China?

Brian touches on the Treasury Department’s new sanctions against Iranian organizations for supporting intelligence and cyber operations targeting U.S. persons. It turns out that the hackers had help—and that there is no ideology so loathsome it can’t win converts among Americans.

Nate Jones describes the EU’s plan to use “cyber sanctions” to fend off hackers during upcoming elections.

This Week in Old Guys You Shouldn’t Mess With: Nate reveals how 94-year-old William H. Webster helped take down a Jamaican scam artist.


Direct download: TheCyberlawPodcast-251.mp3
Category:general -- posted at: 5:02pm EDT

If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself. That’s the message Nick Weaver and David Kris extract from two stories we cover in this week’s episode of The Cyberlaw Podcast—the Justice Department’s indictment of a couple of kids whose hacker chops are modest but whose social engineering skills are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there’s always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.

Okay, it ain’t “When Harry Met Sally,” but for a degraded age, “When Bezos Exposed Pecker” will have to do. David keeps us focused on the legal questions: Was the “Enquirer” letter really extortion? Would publication of the pics be actionable? And is there any way the “Enquirer” could get those text messages without someone committing a crime? And, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

Social media—privacy law threat or competition law menace? That’s the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.

Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the People’s Liberation Army (PLA) to the curb and brought in the professionals from China’s Ministry of State Security (MSS). So now Chinese tradecraft is a little better, and the Justice Department is indicting MSS officials instead of PLA soldiers. David sums up.

NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.

Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing university lawyers.

Okay, one more: I celebrate HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:

“I got a fever, and the only cure is more Weaver. Love the show. I’m a lawyer but not in tech or security law, but it’s still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show.” 

I am moved to channel Peggy Lee. And if more good reviews don’t pour in, I may make that performance a weekly feature. David Kris, I’m sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee’s oeuvre like that.


Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here: https://www.thirdway.org/letter/2019-cyber-symposium-call-for-papers


Download the 250th Episode (mp3).


Direct download: TheCyberlawPodcast-250.mp3
Category:general -- posted at: 4:30pm EDT

In this episode, I interview Chris Bing and Joel Schectman about their remarkable stories covering the actions of what amount to U.S. cyber-mercenary hackers. We spare a moment of sympathy for one of those hackers, Lori Stroud, who managed to go from hiring Edward Snowden to hacking for the UAE in the space of a few years.

In the news, I ask my partner Phil Khinda whether the $29 million Yahoo breach settlement is a new front in breach derivative litigation or a black swan. He says it’s more of a red herring—and explains why.

This week in black ops: I ask Nate Jones to comment on the tradecraft used in an apparent effort to smear Citizen Lab for its reports on NSO. My take: This feels a lot like what BlackCube did for Harvey Weinstein, except that this was the budget version.

The Russians are so far from being shamed for their hacking that now they’re faking it. Dr. Megan Reiss notes Special Counsel Mueller’s recent claim that Russians are leaking discovery materials and pretending they came from a hack of the counsel’s office. We are reminded of the Russians’ recent unveiling of a remarkably adroit robot that turned out to be a man in a robot suit.

Maury Shenk and I discuss Google’s latest imitation of Apple’s “law enforcement lockout” feature and its claim that hurting law enforcement was an “unintended side effect.”

Maury also notes the flap over a flaw in Apple’s FaceTime that allows for eavesdropping. Predictably, New York State is investigating.

And in possibly related news, Apple went out of its way to publicly embarrass Facebook and Google over their use of corporate certificates to sideload apps that recorded the browsing habits of paid volunteers.

Quick hits:

This week in dogs biting men: Ukraine says Russia is trying to disrupt its upcoming election, and the Pentagon is reportedly failing to stay ahead of cyber threats. Megan covers the first and Nate the second.

I offer one and a half cheers for Japan’s pioneering and mildly intrusive survey of bot-vulnerable IoT devices.

Finally, EPIC et al. are calling on FTC to impose a $2 billion fine, structural changes and more on Facebook, claiming that “the algorithmic bias of the [Facebook] news feed reflects a predominantly Anglo, male world view.” If you still need evidence that privacy law is the legal equivalent of a Twitter mob—an always-ready tool for punishing unpopular views—EPIC’s filing should be all you need.


Download the 249th Episode (mp3).


Direct download: TheCyberlawPodcast-249.mp3
Category:general -- posted at: 5:26pm EDT

If the surgeon about to operate on you has been disciplined for neglecting patients, wouldn’t you like to know? Well, the mandarins of the European Union privacy lobby beg to differ. Google has been told by a Dutch court not to index that story, and there seems to have been a six-month lag in disclosing even the court ruling. That’s part of this week’s News Roundup. Gus Hurwitz and I are appalled. I tout my long-standing view that in the end, privacy law just protects the privileged. Gus agrees.

The interview is with John Carlin, author of “Dawn of the Code War.” It’s a great inside story of how we came to indict China’s hacker-spies for attacking US companies.

In other news, the Illinois Supreme Court has demonstrated how bad Illinois’ biometric privacy law is—by the simple expedient of applying it the way it’s written.

Dr. Megan Reiss and I air our ambivalence about the latest site hosting collections of doxed messages. We lack enthusiasm for indiscriminate doxing of the kind highlighted on Distributed Denial of Secrets, but if it’s got to happen, it couldn’t happen to a nicer Russian dictator.

Nick Weaver explains the DHS emergency order telling civilian agencies to protect themselves against DNS hijacking, and why the shutdown may have made those agencies more vulnerable.

Nick and I debate YouTube’s latest algorithmic tweak to avoid recommending “borderline” material. He notes that the algorithm used to push people to extremes. I note that this is a suspiciously good way for YouTube Social Justice Warriors to suppress videos they don’t like but can’t actually show to be violating YouTube’s terms of service.

Speaking of which, maybe the real singularity is when Silicon Valley joins forces with Beijing to produce new technology that will suppress the peasants once and for all. If so, the singularity is nigh, as a Chinese app allows you to identify people around you who deserve to be shamed.


Download the 248th Episode (mp3).


Direct download: TheCyberlawPodcast-248.mp3
Category:general -- posted at: 11:46am EDT

So says the remarkable Jeff Jonas, CEO of Senzing. And he’s got a claim to be doing just that. A data scientist before data science was cool, Jeff has used his technical skills and an intuitive grasp of complex data problems to stop card counters in Las Vegas and terrorists targeting the U.S., and then to launch an initiative making voter registration more accurate and widespread. Most recently, in the course of an effort to improve maritime security around Singapore, he also found a key to identifying asteroids due to collide with each other so they can be watched. Because when this happens, who knows where their new course will take them?

The media has been hyping a strikingly bad magistrate judge’s opinion giving 5th Amendment protection to biometric phone security. This leads Gus Hurwitz and me to question why Congress ever promoted U.S. magistrates to “magistrate judges” in the first place. We suggest striking the word “judge” from the title given to these Article I judicial aides; call it the Truth in Judging Act.

Congress and the president can’t even agree on a compromise that would end the partial government shutdown. So what genius decided that our security from terrorist attacks should depend on Congress and the president agreeing every couple of years on yet another part of our counterterrorism legislation? Like it or not, though, 2019 will feature another cliffhanger, as several national security provisions of FISA come to an end unless renewed. Jamil Jaffer and David Kris talk about the provisions and possible outcomes. I plead for a compromise that takes seriously the Trumpist concern about partisan abuse of the law.

If the SEC didn’t own EDGAR, I suspect the government would have imposed serious fines on the owner of EDGAR for enabling a new form of insider trading. Jamil and Gus debate the real question: How can hackers with access to guaranteed market-moving info manage to make only $4 million in six months of trading?

The Department of Justice’s Office of Legal Counsel has reversed an Obama-era interpretation limiting the scope of federal criminal laws governing online gambling. David provides the background; I introduce our listeners to the Baptist-bootlegger coalition. 

If you would like to hear more from Jeff Jonas and you’ll be in London on January 29, be sure to attend his talk, “AI for Entity Resolution,” at the SAGE Ocean speaker series. Event details can be found here.


Download the 247th Episode (mp3).


Direct download: TheCyberlawPodcast-247.mp3
Category:general -- posted at: 11:12am EDT

Brazen Russian intrusions into the U.S. electricity grid lead our episode. I ask Matthew Heiman and Nick Weaver whether Russia intended for us to know about their intrusions (duh, yes!) and how we should respond to the implicit threat to leave Americans freezing in the dark. Their answers and mine show creativity if not exactly sobriety.

In what may be good news about emerging European sobriety, Google gets a favorable opinion from the advocate general to the European Court of Justice (ECJ) on the question of whether to extend Europe’s “right to be forgotten” censorship regime to benighted Americans, and Turks, and Russians and Chinese. Most of those countries would be glad to impose their censorship regime on Europeans, consideration of which may be enough to overcome the America Derangement Syndrome the ECJ has displayed in earlier tech privacy cases.

DHS was right, and EFF was wrong. That’s the lesson Maury Shenk, Nick and I derive from the latest drone crisis at Gatwick Airport. In response, the UK is seeking police powers that DHS recently obtained—over EFF’s bitter opposition.

Matthew unpacks the Fourth Circuit ruling that a politician cannot block constituents on her official Facebook page because it has become a public forum.

Nick explains how the Hal Martin Saga keeps getting weirder—and we try on the full aluminum foil hat to explain how the whole thing could have been orchestrated by the GRU to turn Kaspersky Lab into a hero.

Ron Wyden and Motherboard combined to get mobile phone companies to stop selling location data to third parties. I wonder whether we’ll regret the result. Nobody else does.

Happy New Year from Big Brother: Vietnam takes a leaf from the EU and Chinese playbooks, threatening Facebook with fines for allowing prohibited posts and failing to localize data.

For comic relief, we cover the cybersecurity misadventures of “El Chapo.” Nick Weaver sums up the lesson: Bespoke security is almost always bad security. Oh, and never take a phone from a paranoid boss.

We close with a quick review of how China has misused the Great Firewall to launch cyberattacks and what Silicon Valley (or the rest of us) can do in response. 


Download the 246th Episode (mp3).


Direct download: TheCyberlawPodcast-246.mp3
Category:general -- posted at: 10:44am EDT

Nate Jones, David Kris and I kick off 2019 with a roundup of the month of news since we took our Christmas break. First, we break down the utterly predictable but undismissable Silicon Valley claim that the administration’s new export control strategy will hurt the emerging AI industry.

Then we draw on our guests’ expertise in counterintelligence prosecutions to review the APT10 indictment – and the claim by Jack Goldsmith and Robert Williams that the strategy is a failure. We conclude that it isn’t a magic bullet, but that’s not quite the same as a failure. I tease my plan to introduce two dozen more or less unthinkable retaliatory responses the U.S. could deploy if and when it decides to get more serious about deterring adversarial cyber operations.

We quickly cover three new hacks that once looked as though they might be government sponsored. Now it looks as though two were less strategic than that. The denial of service attack on newspaper printing may have been a profit-motivated ransomware attack, and the guy who doxxed the German political establishment may have been a lone hacker (hopefully not one weighing 400 pounds or we’ll never hear the end of it).

We quickly review the bidding on the U.S.-China “quantum arms race,” which may be a bit less critical than the press suggests.

David and Nate also review the mixed bag of rulings on three motions to suppress in Hal Martin’s NSA theft case, which just gets weirder and weirder. David and I are in surprising agreement (along with the judge) that the FBI overreached in using handcuffs, a flashbang and a SWAT team to conduct “noncustodial” questioning of Martin.

Today’s forecast: Windy with a high probability of litigation as Los Angeles sues The Weather Company for collecting and sharing location information in its apps. We suspect that, in claiming a lack of adequate disclosure about location collection, Los Angeles is relying on the ancient legal maxim, “Damned if you do and damned if you don’t.”

In other litigation news, Illinois’s biometric privacy law continues to encounter judicial skepticism. But the Illinois state courts, unburdened by federal standing law, may yet give teeth to this seriously dumb law as Rosenbach v. Six Flags lives on in the Illinois Supreme Court.

In Quick Hits, I am intrigued by the idea that a clever generative adversarial AI “cheated” at a mapping task. In fact, the lesson is both less exciting and more troubling: If you don’t understand how your AI is accomplishing the task you’ve set for it, you need to expect some rude surprises.

Despite all the talk of stasis and crisis in Washington, Congress is still passing modestly useful legislation on cyber issues. Nate describes the SECURE Technology Act, which sets vulnerability disclosure policy and calls for bug bounties at DHS.

And, finally, I recommend a fascinating and deeply ambivalating report on the many ways third-party sellers game Amazon’s Marketplace rules.


Download the 245th Episode (mp3).


Direct download: TheCyberlawPodcast-245.mp3
Category:general -- posted at: 9:56am EDT

On December 17th, Alan Cohn hosted the 244th episode of The Cyberlaw Podcast. We took a deep dive into all things blockchain and cryptocurrency, discussing recent regulatory developments and projections for 2019.

Our episode begins with Alan welcoming Will Turner to Steptoe’s Corporate and Blockchain Practice. Turner joins the firm’s Chicago office as partner, bringing with him more than two decades of experience in corporate and securities law, primarily with application to cryptocurrency, fund formation, investment transactions and mergers and acquisitions. Turner also handles matters involving capitalizations, project finance, restructurings and joint ventures. Will Turner explains why crypto became a bear market in 2018, associating this development with the increase in mergers and acquisitions activity in the crypto market. Moving into 2019, Will projects the “hot items” will be anti-money laundering and securities compliance. In addition, Will presents a more general overview of how the blockchain industry is no different from other industries.

Evan Abrams discusses the joint statement issued by the Federal Reserve, the Federal Deposit Insurance Corporation, the Treasury’s Financial Crimes Enforcement Network, the Office of the Comptroller of the Currency and the National Credit Union Administration urging use of technology to bolster anti-money laundering compliance. Abrams states that banks can and should be engaging with the industry, and stresses the importance of striking a balance between technology and privacy. Abrams also discusses the U.S. Department of Treasury’s Office of Foreign Assets Control sanctions compliance risks for cryptocurrency companies. In 2019, Abrams projects increased attention on digital counterparts as blockchain-related financial institutions continue to grow. Evan Abrams also highlights the New York Department of Financial Services’ recent announcement authorizing Signature Bank, a New York State-chartered bank, to offer a digital payment platform called Signet that leverages blockchain technology.

Finally, Josh Oppenheimer covers recent LabCFTC updates from the Commodity Futures Trading Commission (CFTC). On November 27, 2018, the Commodity Futures Trading Commission’s LabCFTC FinTech initiative released A Primer On Smart Contracts. This is the first time since 2017 that the CFTC opined on issues relating to blockchain. The agency released its first primer on virtual currencies on October 17, 2017. Oppenheimer also discusses the pledge the G20 nations made earlier this month regarding their commitment to regulate crypto-assets to further a resilient and open global financial system. In so doing, they agreed to follow standards set forth by the Financial Action Task Force, or FATF. Oppenheimer notes this is significant because FATF, as the global standard setter, has insight into different regulatory approaches and constantly receives input from industry stakeholders. Lastly, Oppenheimer talks about how Ohio is set to become the first state in the country to accept tax payments using cryptocurrency.

For the interview portion of our podcast, Alan welcomes back Gary Goldsholle, who joins the firm as partner, after serving nearly four years as deputy director and senior adviser of the Securities and Exchange Commission’s (SEC) Division of Trading and Markets. Goldsholle brings more than two decades of experience as an executive in the federal government and securities self-regulatory organizations. Goldsholle is working with Steptoe’s Financial Services, Public Policy, and Blockchain and Cryptocurrency practices. Goldsholle discusses the Securities and Exchange Commission’s noteworthy announcement, just days before Thanksgiving, with significant implications for the network marketing industry regarding regulatory oversight and enforcement of cryptocurrency companies. In its Public Statement, the SEC referred to two recent enforcement actions against Paragon Coin, Inc. and CarrierEQ, Inc. (dba Airfox). Both companies sold tokens that the SEC determined to be unregistered securities. Goldsholle also provided insight into EtherDelta, the SEC order concerning trading Ether against other ERC-20 tokens. Moving into 2019, Goldsholle hopes the SEC will define and issue guidance on what the industry calls “utility tokens” and “consumption tokens.” He projects that a custody failure, or similarly significant event, will spur deeper discussion on the issue of taking custody of crypto-assets and promote guidance in the custody space.


Download the 244th Episode (mp3).


Direct download: TheCyberlawPodcast-244.mp3
Category:general -- posted at: 3:27pm EDT

In the News Roundup, Nick Weaver and I offer very different assessments of Australia’s controversial encryption bill. Nick’s side of the argument is bolstered by Denise Howell, the original legal podcaster, with 445 weekly episodes of This Week in Law to her credit.

Later in the program, I interview Rep. Jim Langevin (D-RI), who’s a force for cybersecurity both on the Homeland Security Committee and on the Armed Services subcommittee that oversees Cyber Command and DARPA—a subcommittee that insiders expect him to be chairing in the next Congress.

Turning back to news, the Marriott hack, already one of the biggest in history, has developed a new and more interesting angle, Gus Hurwitz explains. It may have been a Chinese intelligence operation.

The Khashoggi killing has backfired on… Israeli and Italian state hacking companies? Yes, indeed. Hacking Team and NSO are now immersed in legal hot water. And as a sign of how much the Middle East has changed, Nate Jones tells us that a Saudi dissident is now waging lawfare in Tel Aviv.

We touch on what the detention in Canada of Huawei’s CFO means for U.S.-China technology relations as well as on a new DOD report on the risks of EMP. Nick explains why he doesn’t worry about EMP but nonetheless loves the EMP alarmists.


Download the 243rd Episode (mp3).


Direct download: TheCyberlawPodcast-243.mp3
Category:general -- posted at: 10:34am EDT

This episode features an interview with Michael Tiffany, the co-founder and president of White Ops and a deep student of how to curtail adtech fraud. Michael explains the adtech business, how fraudsters take advantage of its structure, and what a coalition of law enforcement and tech companies did to wreck one of the most successful fraud networks, known as 3ve. You can read more about the takedown in the joint White Ops and Google report, “The Hunt for 3ve.”

In the news, David Kris covers the Supreme Court argument in the Apple antitrust standing case. At stake: whether Illinois Brick should apply outside a brick-and-mortar context. Our panel guesses that it won’t.

You knew this was coming: Megan Reiss covers U.S. proposals to screen Chinese students for espionage risk before giving them visas. We think it’s a good idea, but really wish there were a way to score every student in China for how compliant they are with government wishes… oh, wait.

Nobody trolls like the Russians troll. David Kris covers a Russian trollsuit claiming that Facebook has unfairly censored Russian speech. Showing that they know their opponents’ weakness, the suit includes broad hints that censoring Russians is … racist. Maury Shenk covers the bookend—Russian government threats to sue Google for not complying with Russian censorship demands. And I suggest that Putin’s Data Protection law will be just that—a law to protect Putin’s data. Speaking of privacy law always protecting the powerful, Michael Tiffany offers several reasons why GDPR has been good for Google and Facebook ad market share and bad for European competitors. It’s the tragedy of EU mercantilism: always aiming at the United States and usually hitting itself in the foot.

Another day, another Iranian hacking/ransomware indictment. What’s different about this one, Megan tells us, is that it includes a Treasury order freezing the bitcoin the Iranians collected. That’s a potentially new and powerful law enforcement tool. With only a little cajoling, David Kris acknowledges that this is one Trump administration initiative that is both novel and a good idea.

Wrapping up, David Kris ponders the surprisingly straightforward Fourth Amendment issues raised when the police have to stop an autonomous-mode Tesla going 70 on the 101 with a passed-out “driver.” And Megan and I ponder the difficulty posed for social media by the “yellow-vest” riots in Paris. Which model applies: Arab Spring or Russian interference? You know what the Macron administration will say. Buckle up, Big Tech. To paraphrase Peter Parker’s Uncle Ben, with great power comes utter confusion.

Download the 242nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

Direct download: TheCyberlawPodcast-242.mp3
Category:general -- posted at: 11:18am EDT

I propose this episode’s title as Baker’s Law of Evil Technology, something that explains Twitter’s dysfunctional woke-ness, Yahoo’s crappy security and Uber’s deadly autonomous vehicles. Companies with lots of revenue can afford to offer a lot of stuff they don’t much care about, including protection of minority voices; security; and, um, not killing people. But as Uber’s travails show, all that can get tossed out the window when corporate survival is at stake. And here’s Baker’s Law in action: Airline algorithms that deliberately break up families sitting on the plane so they can charge to put the kids back in the same row.

I do a mini-interview of Adam Candeub, who has disclosed that the supposedly populist, supposedly Silicon Valley-skeptical Trump Administration has written a massive and antidemocratic subsidy for conservative-censoring social platforms into NAFTA 2.0. I rant (briefly) about it and pray that Congress kills it in the lame duck.

Merrick Garland may now be available. But, we ask Jamil Jaffer and Gus Hurwitz, is a Facebook Supreme Content Court a good idea?

Speaking of Facebook, even the 98-lb weaklings seem to be kicking sand in the company’s face. I lay out the latest, incredible tale about how an app that finds all your friends’ bikini pics ended up spurring an international breach of U.S. confidentiality orders—at the order of the UK Parliament’s sergeant at arms. And when I say incredible, I mean it; the story told by the participants is extraordinarily hard to believe.

Jamil and Gus note that Commerce has begun identifying an enormous list of “emerging” technologies to be restricted for export. Is this defense-industrial policy? And will it work? The panel disagrees.

Paul Rosenzweig reports that Airbnb now has its own (woker-than-thou, naturally) foreign policy. He thinks it may violate a host of state anti-BDS laws.

Nick Weaver gives us the latest Bear Facts. Both Cozy and Fancy are back with a vengeance—and not much concern about avoiding attribution.

Download the 241st Episode (mp3).

Direct download: TheCyberlawPodcast-241.mp3
Category:general -- posted at: 11:02am EDT

Mieke Eoyang joins us for the interview about Third Way’s “To Catch a Hacker” report. We agree on the importance of what I call “attribution and retribution” as a way to improve cybersecurity. But we disagree on some of the details. Mieke reveals that this report is the first in a series that will hopefully address my concerns about a lack of detail and innovation in the report’s policy prescriptions.

Russia’s lawyers are almost as good as its hackers, to judge by a “letter” the Russian government sent in the DNC’s hacking case against Putin’s intelligence agents. Matthew Heiman and I conclude that the DNC is going to face an uphill fight trying to overcome Russia’s sovereign immunity arguments.

It’s not cybersecurity, but it is cyberhygiene. Never do a global “find and replace” on a sensitive court filing without making sure the “replace” part actually worked. That seems to be the failure that disclosed to the world that the U.S. has filed criminal charges against Julian Assange under seal. Maury Shenk comments.

“As an additional service to Alexa users, we will protect the privacy of anyone who murders you.” Okay, that’s an unfair summary of Amazon’s position on whether to release Echo recordings in a double murder case. In fact, it’s not the least surprising that Amazon wants a court order before handing over the recordings, if any, or that it got one, or that it seems to have complied promptly.

Dr. Megan Reiss explains the significance, if any, of the Paris Call for Trust and Security in Cyberspace, where more than 50 states and companies—the United States not among them—have signed onto a mostly Mom-and-apple-pie agreement on cyber principles.

Soft power update: Chinese-style social credit is coming to a Venezuela near you. Megan comments.

Sweet justice: California SWATter has pleaded guilty and now faces 20+ years in prison.

Looks like DHS finally made it, so I can stop talking about Congress approving the renaming of NPPD as the Cybersecurity and Infrastructure Security Agency.

And for the lightning round, Matthew confirms that remotely wiping your iPhone constitutes destruction of evidence; I note that Phineas Finn has officially gotten away with the doxing of Hacking Team; and Megan comments on yet another diversion of Western traffic through Russia and China. This time, though, we may have to blame the Nigerians.

Download the 240th Episode (mp3).

Direct download: TheCyberlawPodcast-240.mp3
Category:general -- posted at: 5:04pm EDT

This week’s interview is a deep (and long—over an hour) dive into new investment review regulations for the Committee on Foreign Investment in the United States (CFIUS). It’s excerpted from an ABA panel discussion on the topic, featuring: Tom Feddo, who currently oversees CFIUS; Aimen Mir, who used to oversee CFIUS; Sanchi Jayaram, who is in charge of the Justice Department’s CFIUS and Team Telecom work; David Fagan, a noted CFIUS practitioner; and me as moderator. It turns out the new CFIUS law may be the most innovative—and sweeping—piece of legislation on national security in years.  

In the news, it’s time for a Cyberlaw Podcast victory lap, as our bold election-eve prediction that foreign governments would not successfully hack the election seems to hold up well, despite laughable Internet Research Agency claims in a new meta-trolling propaganda campaign.

I note that challenges to FISA are increasing as it starts to play a role in more criminal cases. I ask David Kris whether Bob Mueller took unwise risks with intelligence equities when he charged a Russian company with criminal election trolling, since that company is now seeking discovery of intelligence intercepts.

Dr. Megan Reiss notes that China is making what might be called great strides in “gait recognition” software to supplement face recognition, taking what looks like a global lead in the technology. This reminds me that fifteen years ago, when DARPA was researching gait recognition for terrorist identification, the left/lib NGOs got Congress to kill funding by lampooning what they called “a Monty Python-esque ‘Ministry of Silly Walks.’” Not so funny now, is it guys? Especially in light of evidence that China is exporting its cyber surveillance tech to Africa.

How does China do it? According to the Australian Strategic Policy Institute, with plenty of help from the universities of the English-speaking world. Apparently the People’s Liberation Army has been sending its scientists to the West under light cover to study cutting edge defense tech.

Nate Jones and I examine the latest chapters in the now-encyclopedic tale of Silicon Valley v. Conservatives. We take a look at a Trump immigration campaign ad that Facebook and broadcast media (Fox included) refused to run. Gab is back, but just by the skin of its teeth. Meanwhile, the pitchforks and torches are being mustered for LinkedIn, which apparently hasn’t been sufficiently cowed by lefty censors. And Facebook’s effort to suppress Alex Jones’s InfoWars site is running into trouble.

Megan and I talk about the prospect that Iran is getting ready to launch cyberattacks on the US and Israel.

Nate covers the collapse of IronChat security as Dutch police managed to decrypt 258,000 messages in the app. Maybe spurred by my taunting, Edward Snowden denies that he ever endorsed the product, notwithstanding the claim on IronChat’s website. My tweet on same: “Hey, @Snowden, IronChat sold secure phones at exorbitant prices because of your endorsement.”

Pakistan says “almost all” its banks have been hacked. Wouldn’t it be ironic if North Korea was buying nuclear and missile technology from Pakistan with money stolen from Pakistani banks?

Download the 239th Episode (mp3).

Direct download: TheCyberlawPodcast-239.mp3
Category:general -- posted at: 4:56pm EDT

This episode puts our experts on the spot with an election-eve question: Will foreign governments attack US electoral rolls or vote-counting machinery in 2018? Remarkably, no one on our panel (Matthew Heiman, Nick Weaver, David Kris, and I) thinks they will. So if you want cybersecurity news, you can stop listening to election coverage and tune in to Episode 238 of The Cyberlaw Podcast.

Our interview features Steve Rice (Deputy CIO for DHS) and Max Everett (CIO for the Department of Energy) and was originally taped at a session of the Homeland Security Week conference.

In the news, Nick evaluates the report that China hijacked the Border Gateway Protocol; he thinks we need more data. David agrees with me that one way to get the data would be a Justice Department subpoena.

Matthew Heiman explains why SCOTUS is skeptical of Google’s cy pres settlement that treated 129 million class members like bystanders at someone else’s party – and why that skepticism may not appear in US Reports any time soon.

Nick and David lay out the painful story of how failures in CIA communications with their assets may have severely compromised HUMINT operations in Iran and China.

Matthew and I talk about the string of right-wing killers in the past few weeks and the tech implications, including the defenestration of Gab and a lot of throat-clearing about amending Section 230 of the Communications Decency Act.

Matthew also explains, then casts doubt on, a Florida Appeals Court decision that rejects the “foregone conclusion” doctrine for compelled passcode disclosure.

After all the Internet-enabled vibrator stories we’ve covered on the podcast, I think we’re obliged by gender equity to cover this effort to use artificial intelligence to improve male sex toys. For those who may face confirmation before the Senate Judiciary Committee any time in the next decade, Nick explains that Markov chain techniques have nothing to do with the Devil’s Triangle.

More hostilities in the US-China Cool War: DOJ has indicted a Chinese-state owned company as well as UMC and three individuals for stealing trade secrets from US companies; and in a coordinated move, the Department of Commerce has placed limits on US businesses interacting with the Chinese company. I wonder whether the Cool War between China and the US is increasingly forcing big foreign tech companies to choose between the two as they develop new technology.

Download the 238th Episode (mp3).

Direct download: TheCyberlawPodcast-238.mp3
Category:general -- posted at: 2:07pm EDT

The theme of this week’s podcast seems to be the remarkable reach of American soft power: Really, we elect Donald Trump, and suddenly everybody’s trolling. The Justice Department criminally charges a Russian troll factory’s accountant, and before David Kris can finish explaining it, she’s on YouTube, trolling the prosecutors with a housewife schtick. She’s not alone. Faced with the news that President Trump is using a commercial iPhone for many of his calls—and, Nate Jones points out, getting tapped by China, Russia, and others as a result—China has a suggestion that scores at the top of the POTUS Troll Scale. Tim Cook goes to Europe to troll Android—and me—with a speech that touches all my buttons: Europhilia, Apple sanctimony in pursuit of profit and blind enthusiasm for privacy regulation. And when the Belgians ask for British help investigating a suspected GCHQ hack of a Belgian ISP, as David and I discuss, the British respond with what can only be described as understated trolling.

This week’s interview is with Dr. Dipayan Ghosh, Pozen Fellow at Harvard’s Shorenstein Center and co-author of a new report, “Digital Deceit II: A Policy Agenda to Fight Disinformation on the Internet.” I find it an interesting mix of good insights and warmed-over Obama-era nostrums (Carly Rae Jepsen makes a brief appearance). Dipayan and I tangle on privacy but struggle toward common ground on the question of limiting the power of the Big Platforms. He’s open-minded and flexible about the details of the proposal, so for fans of civil policy debate (especially those worried about where the platforms’ dominance and ad revenue are taking us), this episode is a keeper.

Why would a Russian technical institute design malware used in an effort to sabotage a major petrochemical plant in Saudi Arabia? Nate Jones lays out the story. Originally suspected of being an Iranian operation, the attack may have originated in Iran, but FireEye persuasively links the underlying (and flawed) malware to Moscow. One possibility is that it’s a Russian false flag job, minus the embarrassing GRU operatives’ Uber receipts. My guess, though, is that the Russian institute is just amortizing malware development costs by selling off exploits developed for the GRU. If so, this may turn out to be another slow motion disaster for the thugs in the Aquarium.

In other news, Yahoo settled a class action over the enormous breach affecting 200 million people and three billion accounts. The price of that settlement? After the lawyers have been paid, the $50 million settlement will work out to about 25 cents per victim. Seems pretty cheap to me.

For a brief moment, reality has descended on the left coast. It looks like California isn’t eager for a judicial ruling on its campaign to nullify federal net neutrality law.

In the UK, Facebook is fined the maximum under pre-GDPR law, for what the privacy agency calls a failure to protect personal data from Cambridge Analytica—but what I suspect is the unspeakable crime of not having prevented the election of Donald Trump. And now that GDPR is in effect, the bien pensants of Europe have served notice: failure to prevent the president’s re-election will cost Silicon Valley billions.

Finally, what goes around comes around for the Uber “bounty” hackers. David and I think that pretty much answers the question whether they were just confused bounty hunters or extortionists with a clever line of patter.

Download the 237th Episode (mp3).

Direct download: TheCyberlawPodcast-237.mp3
Category:general -- posted at: 5:02pm EDT

In this episode’s interview we ask whether the midterm elections are likely to suffer as much foreign hacking and interference as we saw in 2016. The answer, from Christopher Krebs, Under Secretary for National Protection and Programs Directorate (soon to be the Cybersecurity and Infrastructure Security Agency), is surprisingly comforting, though hardly guaranteed. Briefly, it’s beginning to look as though the Russians (and maybe the Iranians) are holding their fire for the main event in 2020.

In the News Roundup, Maury Shenk highlights the role of Twitter, trolls and Saudi royals in the Khashoggi killing. He also explains the apparently ridiculous result in the EU Android competition matter. It may be a case of Google giving the EU what it asked for – good and hard.

Terry Albury certainly got it good and hard from a federal judge. He was sentenced to four years in prison for leaking classified documents to The Intercept. Jamil Jaffer explains why Albury’s claim of being a whistleblower didn’t win him much relief. I suggest that the only people who read Intercept articles to the end are federal agents trying to find clues to the leakers’ identities; whatever they’re doing, it’s working.

Maury and I marvel over the flood of venture capital money into China—and a potential ebb tide for Chinese money in Silicon Valley.

Jamil explains the latest SEC report flagging the cost of email fraud; nine firms lost $100 million to cyberfraud. And to add insult to injury, the SEC hints broadly that future victims may be tagged for violating SEC accounting standards, which should be sufficient to prevent such fraud.

I point to the ABA’s recent ethics opinion mandating breach disclosure to clients – and quite a bit more. Maury instructs me on the question of whether putting names on doorbells violates GDPR. Vienna says yes; Germany, no. Maury is sure the Germans have this right.

Finally, I update listeners on the Equifax data breach engineer who figured out that his company must have been breached and traded on his suspicion. In an act of relative mercy for the clueless engineer, he was fined and sentenced to eight months of home confinement.

Download the 236th Episode (mp3).

Direct download: TheCyberlawPodcast-236.mp3
Category:general -- posted at: 10:09am EDT

Today we interview Doug, the chief legal officer of GCHQ, the British equivalent of NSA. It’s the first time we’ve interviewed someone whose full identity is classified. Out of millions of possible pseudonyms, he’s sticking with “Doug.” Listen in as he explains why. More seriously, Doug covers the now-considerable oversight regime that governs GCHQ’s intercepts and other intelligence collection, Britain’s view of how the law of war applies in cyberspace, the prospects for UN talks on that topic, the value of attribution, and whether a national security agency should be responsible for civilian cybersecurity (the UK says yes, the U.S. says no).

In the news, Nick Weaver and Matthew Heiman comment on the ongoing controversy surrounding Bloomberg Businessweek’s Chinese supply-chain-attack story.

Matthew tells us that Treasury has announced its CFIUS pilot program, which will require the filing of notices for Chinese acquisitions in 27 critical industries. I argue that a predisposed bureaucracy has made President Trump a transformational president in terms of relations with China.

Speaking of bureaucratic predispositions, DOJ is showing enthusiasm in carrying out its predisposition to haul Chinese spies into court. What’s remarkable is that it was able to do that from across the Atlantic. The accused is not a cyberspy, but the recent arrest and extradition of an alleged Chinese economic spy is easy to read as DOJ’s answer to those who say indictments of government spies are a sign of weakness.

Everybody’s going to have to choose sides as Trump and Xi continue on their collision course. Except Google. At least according to Google, which bailed out of a Pentagon program because it didn’t meet Google’s values. Oh, and because Google had no chance of winning the contract. Talk about virtue signaling on the cheap!

The EU’s virtue signaling isn’t nearly as cheap, at least for Google, which is now appealing a massive EU competition fine. I can’t help wondering who the hell uses Google Shopping searches; the EU fine must be $1 billion for every biased search.

Nick reports on two troubling government reports. He believes one of them: the cybersecurity of DOD weapons systems really is a problem. He’s less impressed by White House concerns about the health of the defense industrial base, having recently done some “Buy America” electronics procurement himself.

Finally, Vietnam will force local data storage over Silicon Valley’s protests. Nick, Matthew and I explore the continuing delusion of U.S. foreign policymakers in insisting that the Internet must be borderless and open and free. 

Download the 235th Episode (mp3).

Direct download: TheCyberlawPodcast-235.mp3
Category:general -- posted at: 10:01am EDT

Bloomberg Businessweek’s claim that the Chinese bugged Supermicro motherboards leads off our News Roundup. The story is controversial not because it couldn’t happen and not because the Chinese wouldn’t do it but because the story has been denied by practically everyone close to the controversy, including DHS. Bloomberg Businessweek stands by the story. Maybe it’s time for the law, in the form of a libel action, to ride to the rescue.

Congress, astonishingly, has been doing things other than watch the Kavanaugh hearings. It produced a conferenced version of the FAA authorization including authority for DHS and DOJ to intercept drone communications and seize drones without notice or a warrant. This effort to get in front of dangerous technology yields the usual whines from the usual Luddite “technology advocates.” Meantime, Congress has also adopted a bill to change the name of DHS’s cyber and infrastructure security agency to, well, the Cybersecurity and Infrastructure Security Agency.

ZTE’s troubles continue, as a federal judge slammed the company for violating the terms of its probation. The judge extended ZTE’s probationary term and the term of its monitor – meaning the company now has two US monitors watching as it tries to rebuild its business.

The Trump Administration is following in the Obama Administration’s footsteps, Gus Hurwitz reports, trying to build consensus around norms for cyber conflict. I remain dubious, but at least this effort is limited to countries not actively engaged in cyber hostilities with the United States.  

California has its own air pollution standards; why not its own net neutrality law? Probably because the FCC under Ajit Pai is not the EPA. Gus and I discuss whether any part of California’s law can withstand preemption.

The hits just keep on coming for the GRU, a formerly vaunted Russian intelligence service, which now can’t even keep secret the names of its most secret agents. Bellingcat, a private website, totally pantses the agency, outing not just its nerve agent operatives but 300 others for good measure. Piling on, the Justice Department indicts another batch of GRU operatives for hacking sports anti-doping authorities. Even Germany musters the courage to join the UK in fingering Russia for its cyberattacks while the mighty Dutch counter-hacking team joins in the sack dance.

Is the Turing test easier if you only have to convince Californians that you’re human? That may be the theory behind California’s SB 1001, making it unlawful for a bot to deceive a Californian about its botitude “in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”

More bad news for Justice in Silicon Valley, according to leaks from a court case in which the Department is rumored to have sought a court order forcing Facebook to cooperate in a wiretap of MS-13 members.

Finally, Dr. Megan Reiss reports, North Korea is apparently getting rich robbing banks. Surprisingly, though, it seems not to be robbing American banks. Yet. 

Download the 234th Episode (mp3).

Direct download: TheCyberlawPodcast-234.mp3
Category:general -- posted at: 5:31pm EDT

In this news-only episode, Nick Weaver and I muse over the outing of a GRU colonel for the nerve agent killings in the United Kingdom. I ask the question that is surely being debated inside MI6 today: Now that he’s been identified, should British intelligence make it their business to execute Col. Chepiga?

On a lighter note, Uber is paying $148 million to state AGs for a data breach that apparently had no consequences and might not even have been a breach.

About a year too late for Congressional action, a consensus of sorts is emerging among Republicans that Silicon Valley needs broad privacy regulation. The Trump Administration is asking for comment on data privacy principles. And tech giants are pushing lawmakers for federal privacy rules. But the catalyst is an increasing need for federal preemption in the face of California’s new law, and the Dems who are expected to take the House will be hard to sell on preemption. So despite the emerging consensus, a log jam that lasts years could still be in our future.

The sentencing of an NSA employee for taking sensitive tools home – and getting them compromised by Kaspersky – leaves Nick with plenty of additional questions about the source of the tools compromised by Russian proxies in recent years.

Evan Abrams gives us a summary of the NY AG’s report on virtual markets and cryptocurrency. Bottom line: New York is likely to pursue regulation with vigor.

Meanwhile, West Virginia embraces a mobile voting app for the 2018 election. Remarkably, despite the deployment of blockchain buzzwords, none of us thinks the system is secure.

And in quick hits:

  • The GRU is taking the “P” in APT way too seriously.
  • A content moderator has sued Facebook, claiming that her job gave her PTSD.
  • India’s Supreme Court has upheld, with limits, the government’s massive Aadhaar digital ID program.
  • Facebook suffered a breach affecting 50 million user accounts and probably 40 million “log on with Facebook” accounts. We’re getting these facts piecemeal thanks to the EU’s dumb 72-hour deadline for reporting breaches under GDPR.
  • President Trump says China is interfering in the 2018 elections. But unlike Russia in 2016, all of China’s fake news is on actual newsprint.
  • Finally, a quick report roundup:

Download the 233rd Episode (mp3).

Direct download: TheCyberlawPodcast-233.mp3
Category:general -- posted at: 5:15pm EDT

Our guest is Peter W. Singer, co-author with Emerson T. Brooking of LikeWar: The Weaponization of Social Media. Peter’s book is a fine history of the way the Internet went wrong in the Age of Social Media. He thinks we’re losing the Like Wars, and I tend to agree. It’s a deep conversation that turns contentious when we come to his prescriptions, which I see as reinstating the lefty elite that ran journalism for decades, this time empowered by even less self-doubt – and AI that can reproduce its prejudices at scale and without transparency.

In the News Roundup, Dr. Megan Reiss and Peter Singer join me in commenting on the White House and DOD cyber strategies. Bottom line: better than last time, plenty more room to improve.

“God Bless the Dutch.” They’ve pwned Putin’s GRU again. In a truly multinational caper, as Nick Weaver explains, Dutch intel caught Russian spies planning cyberattacks on the Swiss institute investigating Russia’s nerve agent attack in Britain.

The downside of sanctions. China has joined with Russia in protesting sanctions on Russian weapons sellers that spilled over to the Chinese military. Maury Shenk and I worry about the risk that overuse of sanctions will create a powerful alliance of countries determined to neutralize the sanctions weapon.

Is it reckless to speculate that the gas fires in Massachusetts could be a cyberattack? I think it’s a fair question, to which we may not have the answer. Nick Weaver (mostly) persuades me I’m wrong.

Amazon finds itself in the sights of the European Commission over its dual role in hosting third party sellers. Maury explains why.

Putin’s enemies list, or a part of it, is disclosed when Google warns Senate staffers that their Gmail has been attacked. Maury and I congratulate Steptoe alum Robert Zarate for making the cut. Looks like the Mirai botnet kids will be sentenced to help the FBI on cyber investigations. And Megan sees the hand of Robert Zarate – now officially the Zelig of cyber conflict – in Marco Rubio’s letter to Apple asking why it was so slow to stop an app from sending American user data to China.

Direct download: TheCyberlawPodcast-232.mp3
Category:general -- posted at: 10:33am EDT

Our interview this week is with Hon. Michael Chertoff, my former boss at Homeland Security and newly minted author of Exploding Data: Reclaiming Our Cyber Security in the Digital Age. The conversation – and the book – is wide ranging and shows how much his views on privacy, data, and government have evolved in the decade since he left government. He’s a little friendlier to European notions of data protection, a little more cautious about government authority to access data, and even a bit more open to the idea of letting the victims of cyberattacks leave their networks to find their attackers (under government supervision, that is). It’s a thoughtful, practical meditation on where the digital revolution is taking us and how we should try to steer it.

The News Roundup features Paul Rosenzweig, Matthew Heiman, and Gus Hurwitz – whom we congratulate for his move to tenured status at Nebraska. We all marvel at Europe’s misplaced enthusiasm for regulating the Internet. This fall the Europeans returned from their August vacation to embrace a boatload of gobsmackingly unrealistic tech mandates – so unrealistic that you might almost think they’re designed to allow the endless imposition of crippling fines on Silicon Valley.

In the last week or so, European institutions have pretty much shot the regulatory moon: Matthew sets out the European Parliament’s expensive and wrongheaded copyright rules. Paul covers the European Commission’s proposal that social media take down all terror-inciting speech within one hour, on pain of massive fines. Gus discusses the European Court of Human Rights’ ruling that GCHQ’s bulk data collection practices fail to meet human rights standards, though they can be fixed without dumping bulk collection. And I marvel that France is urging the European Court of Justice, which needs little encouragement to indulge its anti-Americanism, to impose Europe’s “right to be forgotten” censorship regime on Americans and on other users around the world. That’s a position so extreme that it was even opposed by the European Commission. Gus explains.

In other news, Paul outlines the National Academy of Sciences’ report, offering a sensible set of security measures for American voting systems. We all unpack the new California IoT security bill, which is now on the governor’s desk. I predict that, flawed though it is, ten more state legislatures could adopt the bill in the next year.

This Week in Social Media Bias: Paul tells us that Twitter has found a deep well of hate speech in … the United States Code. I tell the ambiguous story of offering up my Facebook account to verify claims of social media censorship.  And Gus reports that the Left has discovered a problem with fact checking for social media posts; to their surprise, it doesn’t always work in their favor.

In closing, we quickly touch on the meltdown of the world’s biggest identity database and The Intercept’s endlessly tendentious article trying to make a scandal out of IBM’s face recognition software, which can apparently search footage by skin color.

Download the 231st Episode (mp3).

Direct download: TheCyberlawPodcast-231.mp3
Category:general -- posted at: 5:07pm EDT

We are fully back from our August hiatus, and leading off a series of great interviews, I talk with Bruce Schneier about his new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. Bruce is an internationally renowned technologist, privacy and security commentator, and someone I respect a lot more than I agree with. But his latest book opens new common ground between us, and we both foresee a darker future for a world that has digitally connected things that can kill people without figuring out a way to secure them. Breaking with Silicon Valley consensus, we see security regulation in the Valley’s future, despite all the well-known downsides that regulation will bring. We also find plenty of room for disagreement on topics like encryption policy and attribution.

In the News Roundup, I ask Jamil Jaffer, Nate Jones, and David Kris for the stories that people who took August off should go back and read. Jamil nominates the fascinating-as-a-slow-motion-car-wreck story of Maersk’s losing battle with NotPetya. We speculate on whether the Russians caused $10 billion in worldwide damage by mistake or on purpose, and whether anyone other than a US government lawyer would call that indiscriminate attack a war crime.

David nominates the 179-page complaint against a North Korean hacker behind most of that country’s famous hacks. And, as a palate cleanser, the remarkable, score-settling, where-are-they-now story of the companies that challenged the FBI’s attribution of the Sony hack to North Korea.

Finally, I suggest spending some time with what might be called DCLeaks for good guys: Intrusion Truth, a website devoted to outing personal details about the government hackers who have been attacking Western companies. It (and Crowdstrike) provides an old-fashioned pantsing of China’s Ministry of State Security (MSS) – the sort of embarrassing doxing that allowed the MSS to take over much of China’s cyberespionage portfolio from the hapless People’s Liberation Army after it was outed several years ago.

In other news, a Five Country Ministerial (homeland security and immigration ministers from the US, UK, Australia, Canada, and New Zealand) issued a statement on encryption that seemed to threaten action, saying that if tech companies don’t address the ministers’ concerns, “we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.” While this group isn’t really the “Five Eyes” of SIGINT fame, that’s not very comforting for Big Tech, since the statement suggests a wider coalition and another step forward in the effort to bring Big Tech to heel on the issue.

Download the 230th Episode (mp3).

Direct download: TheCyberlawPodcast-230.mp3
Category:general -- posted at: 12:05pm EDT

On September 4th, Alan Cohn hosted the 229th episode of The Cyberlaw Podcast. We took a deep dive into all things blockchain and cryptocurrency discussing recent regulatory developments and best practices for users of exchanges.

Our episode begins by looking at the landmark decision coming out of the New York Eastern District Court in favor of the Commodity Futures Trading Commission (CFTC). Charles Mills provides an overview of the recent New York federal court decision and CFTC victory against Cabbage Tech, Corp. d/b/a Coin Drop Markets and Patrick K. McDonnell of Staten Island, New York, ordering McDonnell to pay over $1.1 million in civil monetary penalties and restitution in connection with a lawsuit brought by the CFTC alleging fraud in connection with virtual currencies, including Bitcoin and Litecoin. In addition, Charles presents a more general overview of CFTC regulations.

Claire Blakey presents a timeline of the US Securities and Exchange Commission’s (SEC) recent actions regarding ETFs. On August 23, 2018, SEC announced that it would reconsider a decision to reject nine Bitcoin-based exchange traded funds. Earlier this month, SEC staff delayed a decision on the SolidX proposal, stating it needs more time to consider the proposal – the deadline for this decision is September 30, 2018. Claire also discusses CBOE’s filing with SEC for a bitcoin ETF.

Evan Abrams highlights the four takeaways from the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) director’s speech on cryptocurrency. On August 9, 2018, FinCEN Director Kenneth Blanco delivered a speech on the agency’s approach to cryptocurrency in which he made a few unexpected remarks. Evan states that this speech offered helpful clarifications and insights, but also left a number of important questions unanswered. In addition, Evan discusses the Office of the Comptroller of the Currency’s proposed charter for online lenders and other FinTech companies in the coming months.

Finally, Maury Shenk covers the recent reports about the EU finance ministers’ plan to discuss the possibility of cryptocurrency regulation at a meeting in early September. As part of a leaked confidential note, it is expected that EU ministers will discuss anti-money laundering issues amongst other things. Alan and Maury note that while the EU takes a heavier regulatory approach than the US in this area, the process is slow moving but steadily developing. In addition, Maury discusses the European Blockchain Partnership, describing it as an integrated effort for a great blockchain future.

In our interview, the Steptoe team was joined by Sarah Compani, Legal Counsel at Bitfinex. Bitfinex is a full-featured spot trading platform for major digital assets and cryptocurrencies, including Bitcoin, Ethereum, and many more. Bitfinex offers leveraged margin trading through a peer-to-peer funding market, allowing users to securely trade with up to 3.3-times leverage. Sarah took us through the best security practices for users of exchanges, particularly focusing on security settings that users can customize, such as Google Authenticator 2FA, Universal 2nd Factor (U2F), and IP address whitelisting. Finally, Sarah provides listeners with three takeaways as she responds to Alan’s questions regarding the future of exchanges, the Bitfinex platform, and potential challenges going forward.

Download the 229th Episode (mp3).

Direct download: TheCyberlawPodcast-229.mp3
Category:general -- posted at: 12:06pm EDT

We’re still on hiatus, but we’re back again this week with another bonus episode. Our next season will feature an interview with Bruce Schneier, cryptography, computer science, and privacy guru, about his latest book, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World. So it only seems appropriate to revisit my May 2015 interview with Bruce about his earlier work, the best-selling Data and Goliath – a book I annotated every few pages of with the words, “Bruce, you can’t possibly really believe this.” And that’s pretty much how the interview goes, as Bruce and I mix it up over hackbacks, whether everyone but government should be allowed to use Big Data tools, Edward Snowden, whether “mass surveillance” has value in fighting terrorism, and whether damaging cyberattacks are really infrequent and hard to attribute. We disagree mightily – and with civility.

We’ll be back in September with another edition of Blockchain Takes Over the Cyberlaw Podcast, followed by the new interview with Bruce Schneier.

Download the Bonus Episode (mp3).

Direct download: TheCyberlawPodcast-65-Rerun.mp3
Category:general -- posted at: 4:07pm EDT

We’re officially on hiatus this month, but we just couldn’t stay away that long. If you can’t live without The Cyberlaw Podcast in your life, then you’re in luck. We’re releasing a couple bonus episodes with some of my favorite past interviews.

This week I revisit my April 2015 interview with Joseph Nye, former dean of the Kennedy School at Harvard and three-time national security official for State, Defense, and the National Intelligence Council. We get a magisterial overview of the challenge posed by cyberweapons, how they resemble and differ from nuclear weapons, and (in passing) some tips on how to do cross-country skiing in the White Mountains.

We’ll be back in September with another edition of Blockchain Takes Over the Cyberlaw Podcast. I’ll return the following week with an interview with Bruce Schneier, so be sure to tune in.

Download the Bonus Episode (mp3).

Direct download: TheCyberlawPodcast-61-Rerun.mp3
Category:general -- posted at: 3:35pm EDT

Our guest for the interview is Noah Phillips, recently appointed FTC Commissioner and former colleague of Stewart Baker at Steptoe. Noah fields questions about the European Union, privacy, and LabMD, about whether Silicon Valley suppression of conservative speech should be a competition law issue, about how foreign governments’ abuse of merger approvals can be disciplined, and much more.

The imminent passage of the must-pass National Defense Authorization Act yields a deep dive on the bill. Most important for business lawyers, the bill will include a transformative rewrite of CFIUS’s investment-review procedures and policies.

Gus Hurwitz lays out many of the cyber issues addressed by the NDAA, while Dr. Megan Reiss explains the act’s creation of a “Solarium” commission designed to force serious strategic thinking about cybersecurity and cyberweapons. I offer my contribution to that debate—an effort to think the unthinkable and come up with tougher options for responding to serious cyberattacks. Since we’re trying to think the unthinkable, I argue, we’re really rooting for the itheberg, so I’ve dubbed it the Itheberg Project. (There must be a Robert Frost reference in there somewhere—about the world ending in solarium or in ithe—but I can’t find it.) I do, however, make an unusual double-barreled offer to those who might want to participate in the Itheberg Project.

All that pales next to a surprisingly lively discussion of circuits splitting over insurance coverage of cyber-related fraud losses. Gus and Matthew Heiman predict that the Supreme Court (or an insurance contract rewrite) will be necessary to resolve the issue – and both of them think the issue is well worth the Court’s time. No one tell Judge Kavanaugh or he may just decide to stay on the DC Circuit!

In a “lightning” round that the FTC may soon investigate for deceptive labeling:

Download the 228th Episode (mp3).

Direct download: TheCyberlawPodcast-228.mp3
Category:general -- posted at: 7:45am EDT

In our 227th episode of The Cyberlaw Podcast, Stewart Baker interviews Bobby Chesney (@BobbyChesney), who recently co-authored a paper with Danielle Citron (@DanielleCitron) titled, “Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security.” Stewart and Bobby are joined by Maury Shenk, Nick Weaver (@ncweaver), and Patt Cannaday to discuss:

  • Is the EU’s $5 billion fine on Google a bad idea grounded in anti-Americanism? President Trump seems to think so;
  • The DOJ cyber digital report (PDF) sets sensible new standards for avoiding partisanship while naming foreign states trying to influence US opinion – but if DOJ gives Big Tech special access to intelligence, will Big Tech use the intel in a nonpartisan way?
  • Recent speculative execution attacks on Intel and ARM processors (Spectre et al.);
  • Overdoing it wrong? Senate doesn’t just cave on ZTE penalties for violating export control law – it also caves on US supply chain worries;
  • The FISA document dump on Carter Page – sure, it undercuts Devin Nunes, but what are the ramifications for FISA applications that rely heavily on news media articles?
  • All 50 states have taken federal funds (PDF) to improve election cybersecurity – now it’s up to them to deliver a secure election in November;
  • EU and Japan agree on mutual adequacy findings allowing personal data transfers – but will the findings meet the European Court of Justice’s absurdly solipsistic requirements?

You can also find Bobby Chesney on the National Security Law Podcast (@NSLpodcast), which he co-hosts with Steve Vladeck (@steve_vladeck). If you want to learn more about deep fakes, check out the Heritage Foundation’s recent discussion in which Bobby participated.

Download the 227th Episode (mp3).

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Direct download: TheCyberlawPodcast-227.mp3
Category:general -- posted at: 3:08pm EDT

In Episode 226 of the Cyberlaw Podcast, Stewart departs for the wilderness, and the news-roundup team (Brian Egan with Matthew Heiman, Jim Lewis, and Megan Reiss) muddles through without him.

Matthew and Jim discuss Friday’s indictment of 12 Russian GRU personnel by the Department of Justice and Special Counsel Robert Mueller. Matthew explains that, while we shouldn’t expect extradition proceedings to take place any time soon (or ever), the Justice Department has a theory for pursuing these types of indictments in selected cases. Stewart weighs in by Twitter, bemoaning somewhat surprisingly (given the source) that the indictments reflect a poor interagency coordination process and a lack of appreciation for diplomacy. From Jim’s perspective, these indictments are about as good as diplomacy is going to get on this issue…

Matthew walks through the continued bipartisan work in the Senate on the Secure Elections Act, which would facilitate information sharing amongst the states on election threats and take other steps in an attempt to improve election cybersecurity. Matthew explains that federalism may well end up limiting what can be done (or what Congress will agree to do) on this issue.

Megan weighs in on Commerce’s announcement on Friday that it lifted the Denial Order against ZTE after ZTE paid an additional $1.4 billion in penalties and took other steps pursuant to the new settlement agreement reached in June. Megan forecasts continued pressure on ZTE from Capitol Hill, even if the additional penalties against ZTE are generally seen as significant. Jim thinks that the U.S. government’s approach to ZTE is shortsighted and may end up harming national security interests down the road.  

Megan and Jim also discuss the efforts of another Chinese company – the video surveillance camera company Hikvision—to fight back against U.S. government concerns related to espionage. We ask ourselves: Is there anything that a Chinese company can do to rebut US espionage and related concerns? And Jim weighs in on the “state of the state” of the 2015 "no commercial cyberespionage" handshake agreement between the U.S. and China, which the State Department confirms is the rare international deal entered into under President Obama that has not yet been ripped up by President Trump.

Elsewhere, Matthew explains why Twitter follower numbers dropped precipitously last week after Twitter’s latest attempts to clean up suspicious accounts. (Justin Bieber and Katy Perry were hit hard, but Stewart’s account may be down to zero.) Luckily, Jim has some practical tips for maintaining one’s Twitter follower numbers.

And finally, Jim weighs in on a workmanlike Government Accountability Office report on the Committee on Foreign Investment in the United States, the Department of Defense, and national security concerns—which concludes, among other things, that (1) technology transfers should be an area of concern for the U.S. government and (2) the U.S. government is poorly situated to identify the areas of technology transfer that should be of concern. Over to you, Congress!

Stewart takes over for the interview of Woody Hartzog, author of “Privacy’s Blueprint: The Battle to Control the Design of New Technologies,” and a professor of law and computer science at Northeastern. Woody’s thesis is that traditional privacy law has focused unduly on notice and consent, yielding unreadable privacy notices and consents that mean nothing but have great legal impact. Instead, he suggests a focus on how platforms design their user interfaces, borrowing from consumer protection and products liability law. Stewart’s skeptical of the open-ended nature of the obligations Woody would like Silicon Valley to undertake, but they both at least agree that designers and government are surprisingly well-matched bedfellows.

Download the 226th Episode (mp3).

Direct download: 176084.mp3
Category:general -- posted at: 4:41pm EDT

Our interview is with Gen. Michael Hayden, author of "The Assault on Intelligence: American National Security in an Age of Lies." Gen. Hayden is a former head of the CIA and NSA, and a harsh critic of the Trump Administration. We don’t agree on some of his criticisms, but we have a productive talk about how intelligence should function in a time of polarization and foreign intervention in our national debates.

In the news, David Kris reports that ZTE has gotten a limited life-support order from the Commerce Department. Meanwhile, Nate Jones tells us that China Mobile’s application to provide telecom service to Americans is also likely to bite the dust – after nearly seven years of dithering. On Facebook, Tony Rutkowski suggests we call this the revenge of the “neocoms.” So we do.

Remarkably, the European Parliament fails to live down to my expectations, showing second thoughts about self-destructive copyright maximalism. Nick Weaver thinks this outbreak of common sense may only be a temporary respite.

Paul Rosenzweig confesses to unaccustomed envy of EU security hardheadedness. Turns out that Europe has been rifling through immigrants’ digital data in a fashion the Trump Administration probably wouldn’t dare to try. More predictably, the Israelis are digging deep into social media to combat the stabbing attacks that afflicted the country until recently.

The DNC is trying to improve security, and it has trained 80% of its staff not to click on bad links. But as Nick Weaver and Paul Rosenzweig point out, that’s not good enough – even though there are few institutions that can get much above the DNC’s 80%. The answer? Nick says it’s two-factor authentication. We join forces to nudge Firefox toward offering the same level of support for 2FA as Google Chrome.

The feds are getting wise to the Dark Web, Nick tells us. They’re focusing on compromising the money launderers – and then their customers. This looks like a strategy that could work for the long haul.

Finally, David Kris revisits NSA’s still-troubled metadata program, asking whether “the juice is worth the squeeze.”

We’re going to keep tweeting and posting some of the week’s stories that look like candidates for the News Roundup. Please reply to or retweet those you think we should cover. Relevant feeds: @stewartbaker on Twitter, Stewart Baker on LinkedIn, and stewart.a.baker on Facebook. 

Download the 225th Episode (mp3).

Direct download: TheCyberlawPodcast-225.mp3
Category:general -- posted at: 12:14pm EDT

I interview Duncan Hollis, another Steptoe alumnus patrolling the intersection of international law and cybersecurity. With Matt Waxman, Duncan has written an essay on why the U.S. should make the Proliferation Security Initiative a model for international rulemaking for cybersecurity. Since “coalition of the willing” was already taken, we settle on “potluck policy” as shorthand for the proposal. To no one’s surprise, Duncan and I disagree about the value of international law in the field, but we agree on the value of informal, agile, and “potluck” actions on the world stage. In support, I introduce Baker’s Law of International Institutions: “The secretariat always sees the United States as its natural enemy.” 

At the end, Duncan mentions in passing his work with Microsoft on international rulemaking, and I throw down on “Brad Smith’s godforsaken proposal.” Brad, if you are willing to come on the podcast to defend that proposal, I’ve promised Duncan a highly coveted Cyberlaw Podcast mug. 

California has a new privacy law, Laura Hillsman explains—though what it will look like when it finally takes effect in 2020 remains to be seen. (Laura is a Steptoe Summer Associate.)

Chris Conte reports that the SEC has charged a second Equifax manager with insider trading. I ask whether he shouldn’t have been charged with lousy site design too.

The White House draws a line in the sand over ZTE in a letter to the Hill—but Maury and I suspect the real message is in the lack of a veto threat. Maury thinks President Trump’s “go big, then go deal” negotiating strategy is also at work in his decision only to beat up Chinese investments once rather than twice over trade tensions.

NSA’s metadata program was restructured to rely on telecom companies rather than NSA’s own programmers. The ideologues who insisted on the formalism of leaving the metadata with the companies rather than in NSA’s computers predictably produced a private-sector meltdown. Which they’ll probably blame on NSA as well. Jamil Jaffer and I discuss. 

What do you know? Reality does win in the end, and Reality Winner finally got the hint (as well as a pretty good plea deal). 

Nextgov reveals an unimpressive showing for the Cybersecurity Information Sharing Act’s (CISA) information-sharing provisions, at least as far as sharing with the Department of Homeland Security goes. Jamil and I agree, though, that private-sector information sharing may be a better measure of CISA’s value.

In other news, the Intercept continues to pioneer relevance-free journalism. And trust in social media is collapsing, especially among Republicans, who (remarkably) also think tech companies need more regulation. 

Finally, in an experiment we may abandon at any moment, I’m going to start tweeting and posting some of this week’s stories that look like candidates for the News Roundup. Please reply to or retweet those you think we should cover. Relevant feeds: @stewartbaker on Twitter, Stewart Baker on LinkedIn, and stewart.a.baker on Facebook.

Download the 224th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: PC_224.mp3
Category:general -- posted at: 9:50am EDT

I interview David Sanger in this episode on his new book, “The Perfect Weapon – War, Sabotage, and Fear in the Cyber Age.” It is an instant history of how the last five years have transformed the cyberwar landscape as dozens of countries follow a path first broken by Stuxnet. And then, to our horror, branch out into new and highly successful ways of waging cyberwar. Mostly against us.  David depicts an Obama administration paralyzed by the Rule of Lawyers and a fear that our opponents would always have one more rung than we did on the escalation ladder. The Trump administration also takes its lumps, sometimes fairly and sometimes not. At center stage in the book is Putin’s uniquely brazen and uniquely impactful use of information warfare, but the North Koreans and the Chinese also play major roles.  It is as close to frontline war reporting as cyber conflict is likely to get.

Stewart Baker with David Sanger.

Cyberlaw news this week is dominated by a couple of Supreme Court decisions: In Carpenter the Court held 5-4 that warrants are required to collect a week of location data from cell phone companies. Michael Vatis lays out the ruling, and I complain that the Court has kicked off a generation of litigation over the issues this decision opens up but fails to address. Tune in as Michael invokes James Madison and I counter with Ben Franklin. Who knew that the founding fathers had so much to say about the third-party doctrine?

Speaking of Court decisions that write checks for others to redeem, the 5-4 Wayfair decision is equally insouciant about triggering a generation of litigation about when internet companies must collect sales tax. After 50 years of waiting for Congress to decide a question that is clearly better resolved by legislation than judicial rule, the Court gave up and struck down the holding that a physical presence was required before sales tax had to be collected. Pat Derdenger explains just how much litigation he’ll be involved in. To his plea that Congress step in, I repeat a line I first used 25 years ago: Why should a Republican Congress enable the collection of taxes it can’t spend?

North Korea may be our president’s best bud these days, but it’s still hacking banks and conducting cyberespionage, Matthew Heiman points out. Jim Lewis advances a Darwinian justification for letting the North Koreans keep it up.

Matthew and Jim also agree that Chinese hackers are getting stealthier—probably in part because they’re chiseling around the edges of their agreement not to steal commercial secrets from US firms. We also ask whether the Chinese have begun releasing data from their OPM hack to criminal actors.

David Sanger thinks not.

Our lack of a coherent cyberwar strategy is becoming apparent not just to adversaries but also to Congress, which is in the process of mandating a new commission on cyberwar strategy. Whether calling it Project Solarium, a hallowed name in defense thinking, will make the commission more successful remains to be seen.

The Administration is struggling to come up with privacy principles that can compete with GDPR. Matthew and I predict that it won’t succeed.

One last note: David Sanger is on a book tour—if you’re in the Washington, D.C. area, he will be hosting a talk and book signing at Politics & Prose on Thursday, June 28, at 7pm.

Download the 223rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-223.mp3
Category:general -- posted at: 10:21am EDT

Our interview is with Megan Stifel, whose paper for Public Knowledge offers a new way of thinking about cybersecurity measures, drawing by analogy on the relative success of sustainability initiatives in spurring environmental consciousness. She holds up pretty well under my skeptical questioning. 

In this week’s news, Congress and the executive branch continue to fight over the bleeding body of ZTE, which has already lost nearly 40 percent of its market value. The Commerce Department has extracted a demanding compliance and penalty package from the Chinese telecom equipment manufacturer. The Senate, meanwhile, has amended the NDAA to overturn the package and reimpose what amounts to a death penalty (see Section 1727). Brian Egan and I dig into the Senate’s language and conclude that it may do a lot less than the senators think it does—that may be the best news ZTE is going to get from Washington this year. 

Judge Richard Leon has approved the AT&T-Time Warner merger. Gus Hurwitz puts the ruling in context. His lesson: Next time, the Justice Department needs better evidence.

Brian gives us an update on what’s not in the CFIUS reform bill now that the CFIUS reform bill is in the NDAA and on its way to adoption. I suggest that the bill is a symptom of a new “Cool War,” and the beginning of a long, slow process of breaking the commercial world back into competing blocs. Complete with mirror-imaging, as both China and Pentagon start publishing lists of the technologies they expect to use in the burgeoning competition.

Kaspersky Labs is getting a lesson in Cool War-bloc dynamics, as the EU Parliament trashes the company as a malicious actor and the company acts out, terminating its cybersecurity arrangements with EU institutions.

Megan Stifel and I explore what it means that Chinese hackers are apparently back to their old tricks—stealing competitive secrets for commercial advantage. 

Given a choice between EFF and the EU, I come down on the EFF’s side, at least when the EU is snuggling up to Big Copyright and forcing internet companies to automatically scan customer-uploads for copyright violations. This is bad news for users, of course, since the tools are never perfect, and the incentives will be to err on the side of preventing speech. But, really, EU, if you were wondering why you’ll never have a vibrant tech startup scene, it’s time to look in the mirror. This measure may sound as though it will be tough on YouTube, but it will be fatal to its smaller competitors.

But surely, you say, the owners of intellectual property will be constrained by the need to keep their consumers happy. Yeah, right. If you believe that, you might want to take a closer look at the astonishing surveillance system that intellectual-property owners have dreamed up in Spain. At least nothing so intrusive could be done in Europe, where GDPR has created a privacy utopia …

More Cool War casualties: U.S. sanctions on Russia have hit a couple of companies that Silicon Valley thought of as friends and neighbors. This dividing-into-blocs business has some surprising costs. Brian, of course, wants to know how to square these sanctions with President Trump’s view of Russia. I supply the answer (two, actually), but you’ll have to listen to find out what they are.

Gus Hurwitz plugs his new privacy paper, which pantses privacy campaigners for hypocrisy. 

Gus also comments on Apple’s new USB-restricted mode, which law-enforcement support-contractors say they’ve already defeated.

In the good news of the week, the Southern Poverty Law Center gets a comeuppance in the form of an unconditional apology and $3.4 million libel settlement for including Maajid Nawaz in its nasty and irresponsible 2016 “Field Guide to Anti-Muslim Extremists.” If you’re keeping score at home, that’s $3.37 million down, $429 million to go before SPLC’s grotesquely swollen endowment is used up.

Speaking of comeuppances, I get mine for correcting Jennifer Quinn-Barabanov’s pronunciation of cy près as “sigh pray.” I’m a “see pray” guy. Alert listener Tim White decided to call up Brian Garner of “Garner’s Dictionary of Modern Legal Usage” for a ruling. In a moment straight out of a Woody Allen film, Garner responds through an editor that “Professor Garner is editing the entries in Black’s and Garner’s Dictionary of Legal Usage to reflect that /sigh/ is the traditional anglicized pronunciation and that /see/ is a repatriated French pronunciation. So both pronunciations will be listed, but /sigh/ will be listed first as the preferred one.” Short version: I’m condemned as an egregious grammar snob who doesn’t know a repatriated French pronunciation when he sees one. I think I owe Jennifer Quinn-Barabanov an apology—and $3.37.

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: PC222.mp3
Category:general -- posted at: 3:21pm EDT

The 11th Circuit’s LabMD decision is a dish served cold for Michael Daugherty, the CEO of the defunct company. The decision overturns decades of FTC jurisdiction, acquired over the years by a kind of bureaucratic adverse possession. Thanks to the LabMD opinion, practically all the FTC’s privacy and security consent decrees are at risk of being at least partly unenforceable—and if the dictum holds, the FTC may have to show that everything it views as an “unfair” lack of security is actually a negligent security practice.

Commerce says it has a deal with ZTE. Nate Jones wonders whether the bipartisan opposition to the deal from Congress is too late.

David Kris introduces a remarkable week for Justice Department responses to leaks of classified information. A long-time security director at the Senate intelligence committee succumbs first to the wiles of an aspiring reporter, and then to the temptation to lie about the romance to the FBI. James Wolfe will pay a heavy price for his leaks of classified information—without ever being tried for leaking classified information.

I can’t help asking how the FBI gathered as much information as they did from supposedly secure services like Signal and WhatsApp. Nick Weaver and David point to metadata as the fatal flaw in Wolfe’s security—and to cloud backup as the fatal flaw in Manafort’s (along with the problem that any secret shared with another is a hostage to that party’s inclinations).

The Chinese are having a hell of a run at U.S. secrets, David also reports, as evidenced by an espionage arrest, another espionage conviction, and a major story about another Chinese hack of Pentagon technology. The arrest of Hansen, who was in money trouble, may turn out to be the first fruits harvested by the Chinese from their trove of Office of Personnel Management files listing all the weaknesses of U.S. clearance holders.

The Departments of Justice and Homeland Security want new authority to regulate drones. Nick is supportive and offers some exciting and chilling video to support his view that drones will soon pose a wide variety of threats.

Nate reports on the Democrats’ effort to get a threat assessment of President Trump’s phone use.

Speaking of things we really need to worry about more, Nick tells us the Russians’ VPNFilter is worse than we thought, and we already thought it was bad. It’s time to take the security of your home router very seriously.

I close with a quick rant, calling out Twitter, Facebook, Google, and Amazon for all accepting advice on who is a “hate” group from the irresponsible and irredeemably biased Southern Poverty Law Center. Really, guys, if you want half the country to hate Silicon Valley, this is exactly what you should be doing.

Download the 221st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

Direct download: PC221.mp3
Category:general -- posted at: 4:17pm EDT

GDPR has finally arrived, Maury Shenk reminds us, bringing both expected and unexpected consequences. Among the expected: New Schrems lawsuits for more money from the same old defendants; and the wasting away of the cybersecurity resource that is the WHOIS database, as German courts ride to the rescue of insecurity—in the name of privacy.

Also probably to be expected, at least for those who have paid attention to the history of technology regulation: The biggest companies are likely to end up boosting their market dominance.

Less expected: The decision of some big U.S. media to just say no to European readers, recognizing them as the Typhoid Marys of the internet, carrying a painful and stupid regulatory infection to every site they visit.

In other unsurprising news, Gus Hurwitz and Megan Reiss note, Kaspersky has now lost both its lawsuits against U.S. government bans in a single district court ruling.

In genuinely troubling news, Iran is signaling a willingness to attack U.S. industrial controls, which run the electric grid and pipelines and sewage systems, using the same malware it used against the Saudis. Since Iran was willing to launch DDoS attacks on U.S. banks the last time negotiations over its nuclear program hit a snag, this is a threat that needs to be taken seriously.

The good news is that the U.S. government released two reports this week on how we’ll respond to both threats—cyberattacks on our grid and DDoS attacks on our web companies. The bad news is that both reports suck. If you were feeling optimistic before this, I argue, a close reading of the reports will leave you with a sinking feeling that this is the fourth administration in a row without a clue about how to deal with such attacks.

Quick Hits

Russia wants Apple’s help in subduing Telegram, Maury reports. I predict that Tim Cook will fold like a cheap lawn chair. I’m guessing that it’s really only American law enforcement that he’s willing to thwart.

North Korea is getting credit for peacemaking while spreading malware to U.S. infrastructure. A lot of the attacks are enabled by phishing emails with news about the Trump-Kim summit. Which, come to think of it, may be the real reason Kim keeps turning the summit off and on: He’s got to generate clickbait for all those phishing emails.

Trump wants to relieve ZTE of its company-killing Commerce sanctions, but Congress may not let him. Hardest hit? Paul Ryan, who’ll have to decide whether to let the House take a free vote to thwart the President on national security grounds. At least that’s my quick assessment.

Gus takes us quickly through the next big security issue: IMSI catchers and SS7 exploitation. This is a big problem, or really two big problems, that is bound to get real media attention—just as soon as civil liberties groups figure out how to blame it on Trump.

In other news, I’ll be hosting a Reddit AMA on r/legaladvice on June 6 starting at 2 p.m. EST. The best questions may be read in the next episode, so be sure to contribute. You can find more information in the announcement here.

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: PC_220.mp3
Category:general -- posted at: 11:32am EDT

This episode features a conversation with Nick Bilton, author of “American Kingpin: The Epic Hunt for the Criminal Mastermind Behind the Silk Road.” His book, out in paperback, tells the story of Ross Ulbricht, the libertarian who created the hidden Tor site known as the Silk Road and rode it to massive wealth, great temptation, and, finally, a life sentence. It’s a fine read in its own right, but for those who know the federal government, the most entertaining parts concern the investigators who brought Ulbricht down. Each one has ambitions and flaws that mirror the stereotypes of their agencies, even—or perhaps especially—when the agents go bad. It’s got everything: sales of body parts, murder (maybe!), rogue cops, turf fights, and justice in the end.

Sadly, I predict this episode will generate more hate mail than any other. Why? You’ll have to listen to find out. Feel free to question my judgment with emails to CyberlawPodcast@steptoe.com.

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions and suggestions for topics or interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-219.mp3
Category:general -- posted at: 6:24pm EDT

In this episode, Markham Erickson highlights the Mugshots.com prosecution. The site had a loathsome business model, publishing mugshots for free and charging hundreds of bucks to people who wanted the record of their arrests taken down. Now the owners are being prosecuted in a case that combines the worst of European crazy (“surely criminals have a right to be forgotten”) and California crazy (“profits are being earned here—surely that calls for a criminal investigation”). Markham explains why this may be a hard case for California to win—and then joins me in expressing schadenfreude for the owners, whose mugshots are even now spread all across the internet.

Meanwhile, the ZTE mess gets messier as Congress moves to block President Trump’s proposed sanctions relief. Democrats are joining national security Republicans to move legislation on the topic. Who says President Trump is the divider in chief?

Michael Vatis digs into the FBI’s latest high-profile problem: it grossly overstated the number of encrypted phones it encountered last year. Was it a mistake or a misrepresentation? Our panel leans toward mistake.

Michael and I also criticize President Trump’s decision to dump government security for his phone. Michael reminds us of the President’s scathing treatment of Hillary Clinton’s insecure email server and asks why an insecure cell phone is different.

And in a new feature that we still haven’t made up our minds about, we do a lightning round of stories we couldn’t get to:

Download the 218th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions and suggestions for topics or interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

Direct download: Cyberlaw_Podcast_218.mp3
Category:general -- posted at: 2:27am EDT

In our 217th episode of the Cyberlaw Podcast, the blockchain and cryptocurrency team takes over the podcast again.

Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and cryptocurrency to discuss recent regulatory developments and the current state of play of the industry.

Our episode begins by looking at the Treasury Department’s letter regarding initial coin-offerings (“ICOs”). Jack Hayes tells us the key takeaways from the letter, including that persons engaged in ICOs could be considered a Money Transmitter under FinCEN’s regulations. Not only does the letter address companies based in the U.S. that are issuing tokens, but also those based outside of the U.S. that may have a substantial part of their business in the U.S. or be issuing tokens to U.S. persons. The idea that FinCEN can reach outside of the U.S. border is not a new one. Last summer we saw a civil enforcement action against BTC-e, a foreign cryptocurrency exchange.

Jack and Alan also discuss the New York Attorney General’s recent voluntary transparency questionnaire sent to both U.S. and non-U.S. cryptocurrency exchanges. New York has seen its fair share of controversy with respect to cryptocurrency with the implementation of the BitLicense and the resulting exodus of a number of cryptocurrency companies.

Lisa Zarlenga provides an expert overview of the Internal Revenue Service’s (“IRS”) activity in the space starting with IRS Notice 2014-21. For tax purposes, convertible virtual currency (“CVC”) is treated as property, which means that every time you buy or sell CVC you are engaging in a taxable event and need to report capital gains or losses. The notice did not provide much guidance on accounting for and determining basis of cryptocurrency. Lisa also discusses whether exchanging one cryptocurrency for another cryptocurrency is a like-kind exchange and how the 2018 Tax Reform Bill changes things. With the increasing popularity of airdrops, Lisa and Alan tell us about the tax treatment of tokens received during an airdrop.

Chelsea Parker discusses trends coming out of New York Blockchain Week 2018. Consensus 2018 was three times bigger than Consensus 2017 and there were almost three dozen other official conferences and events that were part of NY Blockchain Week. Needless to say, interest in blockchain appears to be at an all-time high, and there was a particularly high international presence. Government officials from countries such as Gibraltar and Bermuda highlighted their proactive steps to implement regulation while still encouraging innovation and protecting consumers. This idea of balancing regulation while still encouraging innovation was a common theme across panels.

Alan highlights Steptoe’s panel “Blockchain in Supply Chain, Navigating the Legal Waters” and the key questions discussed during Alan Cohn and Lisa Zarlenga’s presentations on the tax treatment of digital currencies and tokens at the Accounting Blockchain Coalition’s conference. Finally, the panelists highlight where they see the industry going next in terms of adoption and regulation. Lisa discusses the possibility of additional guidance from the IRS while Jack discusses the future of sovereign cryptocurrencies and the resulting regulatory challenges.

Chelsea Parker, Lisa Zarlenga, Alan Cohn, and Jack Hayes (left to right)

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 217th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-217.mp3
Category:general -- posted at: 11:51am EDT

The Cyberlaw Podcast has now succumbed to an irresistible media trend: We begin the episode with a tweet from President Trump. In this one, he promises to get ZTE “back in business, fast.” Paul Rosenzweig and Nick Weaver provide the backstory on and a large helping of dismay at the president’s approach to the issue.

I question the assumption that this will make the life of Chinese telecom equipment makers easier in the U.S. If anything it could be worse. The 2019 National Defense Authorization Act being drafted in the House will make it very difficult for telecom companies that do business with the Pentagon to rely on Chinese (or Russian) equipment. (See Page 259). If anything, the president probably ensured a unanimous Democratic vote for the measure.

The cyber coordinator position in the White House is on the endangered list. Paul explains why it should survive. His take is not completely snark-free. Summing up the first two stories, I suggest that every president gets the White House he deserves.

Nick explains how badly American democracy could be harmed by a relatively trivial Russian (or Iranian, or North Korean) cyberattack on voter registration databases later in 2018. Indeed, they had a chance to launch such an attack in 2016, according to the Senate intelligence committee. This is an avoidable disaster if election officials take action now, I point out, but Paul doubts they will.

Paul and I lament the insouciance and ahistoricity of the Fourth Circuit’s new ruling adding half a dozen new judicial constraints to border searches of cell phones.

Speaking of cyberattacks, you’d better buckle up, because Iranian retribution for U.S. withdrawal from the Joint Comprehensive Plan of Action is probably being prepared as you read this. And according to a highly educational Recorded Future/Insikt report, Iran’s semi-privatized hacking ecosystem is likely to err on the side of escalation.

The Iranians aren’t the only ones upping their game. Nick reports on an excellent Crowdstrike report on the new sophistication of Nigerian scammers.

We close with Nick’s dissection of the troubling code decisions underlying a pedestrian death caused by Uber’s autonomous vehicle.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 216th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-216.mp3
Category:general -- posted at: 9:46am EDT

Our interview is with Nick Schmidle, staff writer for the New Yorker. His report on cybersecurity work that goes to the edge of the law and beyond turns up some previously unreported material, including the tale of Shawn Carpenter, a cybersecurity researcher with a talent for showing up in all the best hackback stories.

In the news, Jamil Jaffer reports on domain fronting, a weird form of protection for people hiding the site they’re connecting to behind some bland Google or AWS site. Some of those people are dissidents in authoritarian lands; many are authoritarian governments hacking secrets out of corporate networks. In any event, domain fronting is disappearing before it had even made an impression on the public’s mind. I say good riddance, bolstered in my opinion by the wailing of professional privacy groups that (Do I have to remind you?) don’t care about your security at all.

The Supreme Court takes a case of great interest to social media and other tech firms who attract class actions. Jennifer Quinn-Barabanov explains the law and the likely outcome. I mostly quibble about how to pronounce “cy pres.”

Move fast and break things probably isn’t the best motto if the thing you’re likely to break is, um, you. Megan Reiss talks about the death of Aaron Traywick, and the risks of bringing the hacking ethic to genetic engineering.

Europol and a host of allies were bragging last week about taking down ISIS’s online recruiting and propaganda infrastructure. But this week they’ve had to admit that ISIS is back on line. Jamil and I talk about what lessons can be drawn from cyber-whac-a-molery.

For Chinese phone makers, it never rains but it pours. Fresh off a ban on Chinese phones from US military retail stores, there may be even more pain in the works for ZTE and other Chinese mobile infrastructure providers.

Finally, Megan Reiss and I dig deep into Rep. Ruppersberger’s thoughtful take on cybersecurity, information sharing and DHS.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

Jennifer Quinn-Barabanov with Dr. Megan Reiss

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-215.mp3
Category:general -- posted at: 12:04am EDT

This episode features a new technology-and-privacy flap. The police finally catch a sadistic serial killer, and the press can’t stop whining about DNA privacy. I argue that DNA privacy is in the running for “Dumbest Privacy Issue of the Decade.” Because privacy is all about making sure the police can’t use your data to catch killers. Paul Rosenzweig refuses to take the other side of that debate.

Ray Ozzie has released a technical riposte to the condescending Silicon Valley claim that math proves the impossibility of securely accommodating law-enforcement access to encrypted data. Paul and I muse on the aftermath, in which Silicon Valley will actually have to win the debate rather than claiming that there is none.

Jim Lewis and I note the likelihood that ZTE is contemplating litigation against the U.S. ban on technology sales to the company. What really bothers Jim, though, is the likelihood that the U.S. sanction will accelerate China’s move to complete self-sufficiency in the technology sphere. That’s something that neither the U.S. government nor U.S. industry is really ready for.

The House intelligence committee’s report on Russia and the election is out. It finds no scandal, other than Russia’s shocking attack on our institutions, though it does criticize “ill-advised” action by Trump campaign officials. The minority report says that the investigation should have gone on even longer. Paul and I have different takes on the value of the exercise.

Gen. Paul Nakasone is about to take over at NSA after a remarkably easy ride to confirmation. Jim Lewis finds comfort and diversion in the effort of privacy campaigners to add some bumps to the general’s road.

Finally, Paul and I debate whether Donald Trump, Jr. committed a Computer Fraud and Abuse Act felony by logging on to an opposition website with “guessed” credentials supplied by WikiLeaks. Actually, there isn’t much debate about whether that’s a crime, but I question whether criminalizing such a trivial violation of network mores raises more questions about the CFAA than about Don Jr.

And a bit of special pleading: How can there possibly not be any reviews of The Cyberlaw Podcast on Stitcher Radio? Yet it appears to be true. Please get out there and comment, loyal Stitcher listeners to the podcast!

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 214th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-214.mp3
Category:general -- posted at: 9:43am EDT

In a news-only episode, we get a Cook’s tour of the RSA conference from attendees Paul Rosenzweig, Jim Lewis, and Stewart Baker. Top trends we saw at RSA: more nations attacking cybersecurity firms over attribution, more companies defending themselves outside their own networks ("hacking back"), and growing (if still modest) respect for the Department of Homeland Security's role in cybersecurity. Oh, and Microsoft’s Digital Geneva Convention is still a mashup of profound naïveté and deep cynicism, but Microsoft’s Cyber Tech Accord may do better—at least until the Federal Trade Commission gets hold of it.

In other news, ZTE is going to be hammered for showing contempt for U.S. export control enforcement. But the back-splatter on U.S. suppliers will be severe as well. The United States is picking a big, big fight with China on the future of technology, and it’s going to need a strategy. Xi Jinping reads the writing on the wall.

Speaking of big fights, Telegram is in a doozy with Russia over its refusal to supply crypto keys to the government. It looks as though Telegram’s use of Google and other domains as proxies (“domain fronting”) is making it hard for Russia to work its will without harming other internet companies. So far, it looks as though Russia is willing to bring the pain, but the ban isn’t completely effective.

In what may be related news, Google is engineering domain fronting out of its products. The press whining about the civil liberties implications of Google’s moves triggers a classic Baker rant about how privacy zealots don’t really care about security—since domain fronting is a principal method by which network security is defeated and crime facilitated.
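As an added illustration of the mechanism under discussion (example code written for this page, not anything from Telegram, Google or the podcast): a fronted connection presents one hostname in the TLS Server Name Indication, which is all a censor or a perimeter firewall can see, and a different one in the HTTP Host header inside the encrypted tunnel. The Python below builds a minimal TLS 1.2 ClientHello for constructed sample hostnames, extracts the SNI from it the way a middlebox would, and flags the mismatch against the Host header of a constructed request. The check only works from a vantage point that sees the decrypted request (the CDN edge that terminates TLS, or an enterprise proxy that intercepts it), which is exactly why a purely passive observer cannot tell a fronted connection from ordinary traffic to the front domain.

```python
import struct


def _ext_server_name(hostname: str) -> bytes:
    """Encode a server_name (type 0) extension for one DNS host_name."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type=host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list


def build_client_hello(sni: str, client_random: bytes = b"\x11" * 32) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying the given SNI.

    Constructed sample data: one cipher suite, no session id, one extension.
    """
    ciphers = struct.pack("!H", 2) + struct.pack("!H", 0xC02F)  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"                                   # one method: null
    exts = _ext_server_name(sni)
    body = (b"\x03\x03" + client_random + b"\x00"               # version, random, empty session id
            + ciphers + compression + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None.

    This is what a censor, a CDN edge or a TLS-inspecting proxy reads off the
    wire before any decryption happens.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:                        # not a ClientHello
        return None
    p = 4 + 2 + 32                                     # hdr(4) + version(2) + random(32)
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    cm_len = hs[p]; p += 1 + cm_len
    if p + 2 > len(hs):                                # no extensions block at all
        return None
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        if etype == 0x0000:                            # server_name extension
            q = 2                                      # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]; q += 3
                if ntype == 0:                         # host_name
                    return data[q:q + nlen].decode("ascii")
                q += nlen
    return None


def host_header(request: bytes):
    """Return the lower-cased Host header (port stripped) of a raw HTTP/1.1 request."""
    for line in request.split(b"\r\n")[1:]:
        if not line:                                   # end of headers
            break
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None


def is_fronted(record: bytes, request: bytes) -> bool:
    """True when the TLS SNI and the inner HTTP Host name disagree.

    Only a vantage point that sees the decrypted request can run this check;
    the SNI alone looks like an ordinary visit to the front domain.
    """
    sni = extract_sni(record)
    host = host_header(request)
    return sni is not None and host is not None and sni.lower() != host


# Constructed sample: outer connection to a large front, inner request to a relay.
SAMPLE_REQUEST = b"GET /api HTTP/1.1\r\nHost: relay.example.org\r\nUser-Agent: x\r\n\r\n"
SAMPLE_FRONTED_HELLO = build_client_hello("www.google.com")

if __name__ == "__main__":
    print("SNI seen on the wire:", extract_sni(SAMPLE_FRONTED_HELLO))
    print("Host inside the tunnel:", host_header(SAMPLE_REQUEST))
    print("fronted:", is_fronted(SAMPLE_FRONTED_HELLO, SAMPLE_REQUEST))
```

The same comparison is what a CDN can enforce at its edge to refuse fronted requests (rejecting a request whose Host does not match the certificate or SNI it was served under), which is the change to Google's products that the passage above describes.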

And while my rant is rolling, why not include the EU’s shameful drive-by execution of the WHOIS database. I call on the Obama NTIA officials who killed off our last leverage over ICANN to apologize to Ted Cruz for the debacle.

Maury lays out the remarkable parallelism between the U.S. Cloud Act and a new EU regulation on cross-border data sharing for law enforcement.

Finally, or nearly so, Paul unpacks the way in which liability for the SWIFT hacks may drive cybersecurity standards for banks.

And in closing, I note that China is now the clear leader in face recognition, having found a single suspect in a crowd of 60,000 concertgoers. It’s the leader not because of China’s technical strength, though that’s impressive, but because of Silicon Valley political correctness. Remember that when law enforcement agencies end up buying Chinese tech and paying the cybersecurity price.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, click here.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 213th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-213.mp3
Category:general -- posted at: 11:19am EDT

In episode 212 of the podcast, Stewart Baker is at RSA, and Brian Egan, Maury Shenk, and Pete Jeydel of Steptoe are joined by David Kris and Nate Jones of Culper Partners LLC to cover the good, the bad and the ugly of the week that was.

In U.K. cyber issues: Brian, Maury, David and Nate discuss the U.S.-U.K.-France weekend airstrikes against Syria’s chemical weapons program, and reported threats of Russian “cyber retaliation” against the British. We also note the continued trends of intelligence disclosures reflected in last week’s speech by the GCHQ director condemning Russia over the Skripal attack and disclosing U.K. offensive cyber operations against the Islamic State.

David provides insights into the government’s proposed use of a U.S. government “taint team” to conduct a privilege review of the materials seized during the FBI’s raid of Michael Cohen’s offices. Bottom line: (1) Warrants to seize evidence from attorneys are relatively rare but not unprecedented, (2) President Trump and Michael Cohen’s requests to conduct their own screening of the materials probably won’t fly, and (3) a scenario in which an independent special master oversees the review is quite possible (but has been delayed for the moment).

Maury discusses the latest in the Schrems data protection litigation against Facebook: last week’s unsurprising decision by the Irish high court to refer questions related to the EU Standard Contractual Clauses to the European Court of Justice. Maury explains why he remains skeptical that the EU court will invalidate the use of these clauses.

Pete explains why Treasury is probably considering its (very broad) options under the International Emergency Economic Powers Act in answering President Trump’s call for more restrictions on Chinese investments.

And David and Nate discuss the latest in the encryption debates, including a Justice Department inspector general's report criticizing the FBI’s mishandled attempts to break the encryption of the San Bernardino shooter’s iPhone, and the latest in encryption-decryption litigation before the lower courts.

Steptoe Partner Brian Egan (right) with Nate Jones

The Cyberlaw Podcast is hiring a part-time intern for our Washington, D.C. offices. If you are interested, click here.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 212th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-212.mp3
Category:general -- posted at: 11:14pm EDT

Our interview is with Chris Bing and Patrick Howell O’Neill of Cyberscoop. They’ve broken two cyberscoops in the last week or so. First, an in-depth look at Kaspersky’s outing of a U.S. cyberespionage program aimed at foreign terrorists. Hint to Kaspersky: Bringing out a brass band to warn terrorists that they’re being tracked by the US government is not likely to help you win your PR and legal battles in the United States. Chris Bing also covers his other scoop—the surprisingly advanced talks among the leaders of the Senate judiciary committee on a bill to address the FBI’s “going dark” problem.

In the news, Jennifer Quinn-Barabanov and I debate the impact of two recent incidents on the future of self-driving cars. She thinks they’ll weather these events and that the lives such cars save will outweigh the deaths. I’m less sure, mainly because the mistakes that lead to autonomous vehicle deaths are so different from the usual human-driver error and therefore inherently compelling and disquieting.

Nick Weaver and I cover the Grindr security flap and the company's transmission of HIV status without complete encryption protection. I think there’s less to the story than meets the eye and that Grindr is getting more heat than it deserves.

Sens. Ed Markey (D.-Mass.) and Richard Blumenthal (D.-Conn.), on the other hand, deserve a lot more heat than they’ve gotten so far. How clueless can they be to send thirteen “when did you stop beating your husband” questions to Grindr’s CEO and not notice that he’s based in Hong Kong? In fact, Grindr was bought last year by a Chinese company. Neither senator, though, bothers to ask where the database of gay Americans is stored and what access the Chinese government has to it. Or how that deal got through CFIUS. Sad! To coin a phrase.

Nick covers the big new internet-of-things botnet’s tryout and asks why it was the banks that got attacked. I’ve got some theories, as does Nick. Along the way, he dispenses advice for people who have just realized that their router is probably the weakest link in their home network’s security.

When does the First Amendment allow researchers to violate websites’ terms of service? Judge John Bates has some preliminary answers in the Sandvig case, says Brian Egan, who thinks the case may turn into an important and perhaps unhappy ruling for websites in the future.

In other topics, Softbank is getting a CFIUS workout. YouTube’s demonetization policy leads to a mass shooting and suicide at company headquarters. Stingrays blanket the District of Columbia. And Keeper can’t even get through a news cycle about its lame lawsuit without another story about its lame security.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, D.C. offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 211th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.


Direct download: TheCyberlawPodcast-211_1.mp3
Category:general -- posted at: 11:48am EDT

In the news roundup, Nick Weaver, Ben Wittes and I talk about the mild reheating of the encryption debate, sparked not just by renewed FBI pleading but by the collapse of the left-lib claim that building in access is impossible because math. The National Academy report on encryption access has demonstrated that access is practicable, with support from a group of prominent tech experts, such as Ray Ozzie, all of whom know math.

Speaking of law enforcement, it was a good week for cybercrime enforcement. Nick and I touch on two victories for the good guys, with the Carbanak mastermind busted in Spain and Yevgeny Nikulin extradited to the U.S. over Russian objections.

Meanwhile, the Department of Homeland Security is moving forward on one of the more significant efforts to prevent terrorist travel across borders by using social media data effectively. The agency will be requiring social media names (but not passwords) from visa applicants, according to a proposed rule now gathering comments. Maury Shenk, Ben, Nick, and I talk about the privacy and First Amendment issues implicated by the policy. We don’t agree on most of those issues.

But we find surprising unanimity in mocking Julian Assange for deservedly losing his internet access at the Ecuador embassy. The panel even endorses Matt Green’s wicked suggestion for trolling Assange from the sidewalk outside Assange’s Ecuadoran squat.

We close with a quick sack dance over the prone form of Keeper Security, which has dropped its libel suit against Dan Goodin and Ars Technica, probably because it was going to lose; the defendants’ coverage of Keeper’s serious security problems was straight and fair. Bottom line: there are plenty of good password managers; why use one whose management sues to suppress news of its product’s security holes? When that sinks in, Keeper won’t just be a loser; here’s hoping it will be a weeper too.

Our interview with David Sanger covers the vulnerability of the US grid, the psychic income and electoral popularity that Vladimir Putin gets from crossing the West’s red lines, and whether we’d be better off sparking an escalating set of cyberattacks now or later.

If the last question reminds you that John Bolton will soon be the national security adviser, you’re not alone. We take a few minutes off from plumbing cyberlaw to explore just what kind of national security adviser Bolton will be. My bottom line: better than his reputation, and maybe much better.


Maury Shenk, Ben Wittes and Stewart Baker (left to right)


Steptoe partner Stewart Baker with David Sanger

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 210th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-210.mp3
Category:general -- posted at: 9:33am EDT

It was a cyberlaw-packed week in Washington. Congress jammed the CLOUD Act into the omnibus appropriations bill, and boom, just like that, it’s law. Say goodbye to the Microsoft Ireland case just argued in the Supreme Court. Maury Shenk offers a view of the Act from the United Kingdom, the most likely and maybe the only beneficiary of the Act. Biggest losers? For sure, the ACLU and EFF and their ilk, who were more or less rendered irrelevant when they lost the funding and implicit backing of Silicon Valley business interests.

But wait, there’s more congressional action, and it is bad news for Silicon Valley business interests. For the first time, the immunity conferred on social media platforms by Section 230 of the Communications Decency Act has been breached. Jamil Jaffer and I discuss FOSTA/SESTA, adopted this week. In theory, the act only criminalizes media platforms that intentionally promote or facilitate prostitution, but any platforms that actually read their own content are likely at risk. Which is what Craigslist concluded, killing its personals section in response to the act. Worse for Silicon Valley, this may just be the beginning, as its unpopularity with left and right alike starts coming home to roost.

Not to be upstaged by Congress, President Trump announces a plan to impose $60 billion in tariffs on Chinese goods and new investment limits on Chinese money. Sue Esserman explains the plan and just how serious an issue it’s addressing.

Jim Lewis tells us about the FCC’s rumored plan to pile on Chinese telecom manufacturers, adopting a rule to bar the use of Universal Service funds to purchase Chinese telecom infrastructure gear. If we want to keep China out of our telecom infrastructure, he says, we should be prepared to pay a hefty price.

In any other week, Jim and Jamil would get to spend quality time chewing over the indictment and sanctioning of Iranian hackers charged with massive thefts of intellectual property. Not this week. They give their bottom line up front: Indictments and sanctions are a good first step but can’t be our only response.

Speaking of hating Silicon Valley, there’s a wave of criticism—and a lawsuit—building against Uber in what may be a self-driving car accident that better tech could have prevented. Jamil urges caution in reaching conclusions.

We barely have time for the massive flap over Facebook and Cambridge Analytica. Still, I can’t help noting that in 2012, when the Obama campaign bragged about stripping the social graph of its Facebook followers, there was no privacy scandal. Today, after Cambridge Analytica made dubious claims to have done something similar, the EU’s Vera Jourova sees a “threat to democracy.” If you’re a conservative who supports new privacy attacks on Facebook, don’t blame me when it turns out that the new privacy law is weaponized against the right, just as the old one has been.

And, as a token bit of international news, China’s social credit system is being implemented in a totalitarian fashion that reminds me of Lyft’s embrace of the McCarthyite Southern Poverty Law Center, in that both systems deny transportation to those suffering from wrongthink. Maury Shenk says it also tells us something about the efficiency and clarity of authoritarian uses of new technology.

Speaking of wrongthink, Google’s YouTube is banning firearms demo videos. Some of the banned videos may soon be hosted on Pornhub, which at least allows all those guys who used to read Playboy “for the articles” to visit Pornhub “for the gun instructional videos.”

Finally, for our interview, Cyberlaw Podcast joins forces with the hosts of National Security Law Today, a podcast of the ABA Standing Committee on Law and National Security.

We interview Michael Page of OpenAI, a nonprofit devoted to developing safe and beneficial artificial intelligence. It’s a deep conversation, but lawyers will want to spend time with the latest study suggesting that AI reads contracts faster and better than most lawyers. Brrr!

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 209th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.


Direct download: TheCyberlawPodcast-209.mp3
Category:general -- posted at: 10:29am EDT

All of Washington is mad at Silicon Valley these days, as our news roundup reveals. Democrats and the media have moved on from blaming Hillary Clinton’s loss on Vladimir Putin; now they’re blaming Facebook and Cambridge Analytica. Gus Hurwitz and I have doubts about the claims of illegality, but I reprise my frequent critique of privacy laws: They are uniquely likely to be enforced against those who annoy governing elites (because they’re so vague and disconnected from objectionable conduct that they can be enforced against almost anyone).

Alan Cohn describes the many regulatory agencies now feeling emboldened to take a whack at cryptocurrencies. He’s hopeful that only bad actors will actually feel the blow.

I lay out the remarkably aggressive and novel enforcement philosophy behind CFIUS’s rejection of the Broadcom-Qualcomm deal—and the steadily advancing congressional effort to regulate Silicon Valley’s Chinese connections more closely. That effort has featured some remarkably harsh political attacks on tech giants like IBM and General Electric.

Is all this hate for techies good or bad for the effort to re-impose net neutrality through the courts? The states? Stephanie Roy maps the terrain, which turns out to be every bit as muddled as you thought the last time you read about it.

Need another reason to hate technology? How about this: It’s soon going to kill someone. I explain the latest scary reports from Saudi Arabia’s industrial control system—and America’s.

Pressed for time, we do quick hits on stories that deserved more but got crowded out:

  • Twitter suspends comedian Steven Crowder for a video in which an intern crashed an LGBTQ meeting at SXSW claiming to identify as a computer.
  • YouTube follows suit.
  • Yet somehow Louis Farrakhan keeps both his Twitter account and its coveted blue check while tweeting crap like this: “the FBI has been the worst enemy of Black advancement. The Jews have control over those agencies of government.”
  • At the same time that it’s broadcasting Farrakhan, Twitter seems to be blocking much of the Drudge Report.
  • And Western Journal (WJ) says Facebook’s new algorithm for “giving a boost to quality news” reduced lefty site traffic by 2 percent and righty site traffic by 14 percent. As an example, comparing two New York tabloids with very different politics, WJ says the change boosted Facebook’s traffic to the lefty New York Daily News by 24 percent and cut the righty New York Post’s traffic by 11 percent. (Similar claims were made by another conservative site using a different methodology.)

Finally, our interview is with Pete Chronis, Turner’s Chief Information Security Officer and author of a new book, The Cyber Conundrum. Pete lays out his vision for a cybersecurity moonshot, and the two of us explore particular cybersecurity remedies that make up the effort. We take detours to explore the vulnerabilities equities process, both in the U.S. and in China. We also touch on the unwise purist stand being taken by IETF on TLS 1.3, which seems determined to offer internet users what might be called “Privacy and Insecurity—By Design.” (And to bring this post full circle, if you were wondering why ordinary people are getting sick of dancing to the tune of Silicon Valley engineers, the IETF’s stiff-necked and counterproductive position on security for corporate network users would be a good place to start.)

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 208th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.


Direct download: TheCyberlawPodcast-208.mp3
Category:general -- posted at: 7:43pm EDT

Our interview this week is with Amb. Nathan Sales, the State Department’s counterterrorism coordinator. We cover a Trump administration diplomatic achievement in the field of technology and terrorism that has been surprisingly undercovered (or maybe it’s not surprising at all, depending on how cynical you are about press coverage of the Trump administration). We also explore new terrorism technology challenges and opportunities in social media, State’s role in designating terrorists, the difference a decade can make in tech and terror policy, and how the ambassador lost his cowboy boots.

In the news roundup, China seems to be hiding behind half our stories this week. Brian Egan and I sift through the entrails of CFIUS’s pronouncements on the Qualcomm-Broadcom takeover fight, where Chinese competition in 5G is an ever-present subtext.

More broadly, we point to a flood of stories suggesting that the U.S. government is just beginning to struggle with the challenge posed by an economically strong adversary nation. These include accusations of “weaponized capital,” naïve and compromised US academic institutions, and what amounts to a Chinese intelligence-industrial-unicorn complex.

The SEC says digital coin exchanges may be unlawful; bitcoin takes a market hit. But Matthew Heiman, in his first appearance on the podcast, expresses some doubt about the SEC’s authority over many of the businesses the agency called out.

If the SEC wants something else to worry about, maybe it should be paying more attention to the Internet Engineering Task Force, where techno-privacy zealots are getting ready to cripple the ability of business enterprises to secure their networks and comply with employee monitoring requirements. Living down to my rock-bottom view of privacy campaigners, the IETF seems to be saying that in order to signal their virtue on privacy issues, they are happy to sacrifice our security – and compliance with law.

Part of the problem may be a lack of technically sophisticated staffers in government; Matthew and Jamil Jaffer chew over the cyber staffing crisis in government, and what can be done about it.

Finally, Jamil and Matthew comment on FBI director Wray’s statement that the FBI is not looking to blow a regulatory whistle on data-breached companies that ask for the Bureau’s help.

Our guest interview is with Nathan Sales, ambassador-at-large and coordinator for counterterrorism at the State Department.

As always, the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 207th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-207.mp3
Category:general -- posted at: 8:14pm EDT

Our interview features an excellent and mostly grounded exploration of how artificial intelligence could become a threat as a result of the cybersecurity arms race. Maury Shenk does much of the interviewing in London. He talks to Miles Brundage, AI Policy Research Fellow at the Future of Humanity Institute at Oxford and Shahar Avin of the Centre for the Study of Existential Risk and Research Associate at Cambridge. They are principal authors of a paper titled “The Malicious Use of Artificial Intelligence: Forecasting, Prevention and Mitigation.” The discussion was mostly grounded, as I said, but I did manage to work in a reference to the all-too-plausible threat of a hacking, bargaining AI sent by aliens from other star systems.

In the news roundup, semi-regular contributor Gus Hurwitz does a post-mortem on the oral argument in the Microsoft-Ireland case. Maury notes that Google has issued its most detailed report yet on how it’s implementing the right to be forgotten. My takeaway: Apart from censoring media in their own countries, everyone’s favorite censorship targets seem to be U.S. sites. I am not comforted that 90 percent of the censorship stays home, since the rest of it seems aimed at keeping true facts from, well, me.

Gus evaluates the latest Securities and Exchange Commission cybersecurity guidance. Bottom line: no surprises, but a good thing nonetheless. I do a quick recap of the CFIUS butcher’s bill for Chinese deals. It’s every bit as ugly as you’d expect. The Xcerra and Cogint deals have collapsed over chip and personal data worries. The Genworth deal is on the bubble. And CFIUS is taking unprecedented action to intervene in the Qualcomm-Broadcom proxy fight.

A new contributor, Megan Reiss of the R Street Institute, unpacks a couple of new security industry reports covering the emergence of false flags at the Olympics and the increasingly blurred line between criminal and state cyberespionage.

Maury covers the latest EU effort to wrongfoot Big Tech over scrubbing terrorist content. And I try to broaden the point, noting that the idea of a tech “platform” immunity has begun to fray even in the US, the land of its birth.

For those listeners afraid to traverse the fever swamps of conservative media, I bring back a story that shows why the loss of Big Tech platform immunity is shaping up as a bipartisan issue. Would you believe that CNN has bought an industrial washing machine so that it can spin stories more efficiently before airing them? Do you need Snopes.com to tell you that’s satire? Does anyone need an anonymous Big Tech finger-wagger to tell you it’s fake news and threaten the site with penalties for repeat offenses? If not, you can see the right is uncomfortable with Big Tech as media gatekeeper.

Finally, as a bit of comic relief, last week Edward Snowden took to Twitter to criticize Apple for posing as a protector of privacy while actually cozying up to a dictatorship. Really. You can’t make this stuff up.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is thinking of hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website in the next week or so at Steptoe.com/careers.

Download the 206th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-206.mp3
Category:general -- posted at: 9:16pm EDT

Today’s news roundup begins with Maury Shenk and Brian Egan offering their views about the Supreme Court oral argument in the Microsoft-Ireland case. We highlight some of the questions that may tip the Justices’ hand.

Brian and I dig into the Democrats’ reply memo on the Carter Page FISA applications. I’m mostly unshocked by the outcome of the dueling memos, though I find one sentence of the application utterly implausible. I also foresee a possible merging of the Clinton-Obama Trump-smearing scandal with the Trump-Russia collusion scandal—call it the scandularity!

In other Russia news, the Justice Department is standing up a task force on all things cyber. Jim Lewis and I disagree about whether Russian hacking of the electoral infrastructure is likely to be a serious problem in 2018. We agree that the Twitter bot war on the American body politic will continue, since it seems to be a pretty cheap hobby for Putin’s favorite supplier of catered meals. Indeed, he seems to have gotten into the business as a way of squelching online protests that his school lunches were lousy. I suggest that Michelle Obama probably wishes she’d heard about that tactic sooner.

Google has announced an Advanced Protection program for people who think they may be high value targets for government cyberespionage. In a Cyberlaw Podcast first, I offer a product review. Short version: I’m still using it, despite some flaws in what looks like a beta program, but as a supply chain buff, I can’t help wondering who the hell Feitian Technologies is and what ties they have to the Chinese government.

March 1 is D-Day for Apple moving the crypto keys for Chinese iPhones' cloud data to China.

And Keeper continues to pursue its misguided libel suit against Ars Technica. Ars Technica’s answering brief is here. While security researchers have been wasting their time on politically correct whining about the Computer Fraud and Abuse Act, libel suits are turning into far more effective tools for chilling security research.

Finally, for fans of the podcast in the Washington area, Steptoe is thinking of hiring a part-time intern to handle much of the organizational work associated with the podcast. If you’re interested, keep an eye on Steptoe.com/careers, which is where we’ll post the position if this idea bears fruit.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 205th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-205.mp3
Category:general -- posted at: 7:51pm EDT

In our 204th episode of The Cyberlaw Podcast, the team bumbles forward without Stewart Baker, who is spending the week racing his offspring down mountain slopes somewhere in Utah. Brian Egan and Jamil Jaffer begin by covering a few implications of Special Counsel Robert Mueller’s indictment from Friday—the legal theories of the case and what the indictment does and doesn’t cover—as well as the follow-on false statement indictment against a former associate of a major law firm. In an amazing convergence of viewpoints, everyone, from Presidents Obama and Trump to Brian and Jamil, agrees that Russia appears to be winning, and the U.S. is losing, on the topic of interference with U.S. elections.

At the same time, the state secretaries of state gathered in Washington last week to discuss cybersecurity and U.S. elections—coming in the face of a fairly damning report published by the Center for American Progress on shortcomings in U.S. election-related cyber defenses. In light of these threats, we ponder whether a return to the old paper ballots, or even the “mail-only” approach that is operative in a few states, is better than an electronic ballot.

In other Russia-related news, Kaspersky turned to (literally) one of the oldest pages in the book—the Bill of Attainder clause in the U.S. Constitution—in suing to block the application of a provision in the NDAA that prohibits federal agencies from using Kaspersky products. Jamil posits that the case seems less frivolous than may appear at first blush, while Brian muses about the history of Bill of Attainder litigation in the United States.

Finally, Jamil and Brian discuss the U.S. and U.K. decision to attribute the NotPetya attack to Russia and the continued trend in the Obama and Trump Administrations to publicly identify perpetrators of state-sponsored cyber attacks (along with the risks inherent in this approach). Notwithstanding the NotPetya attribution, as well as a recent White House report on the increased economic costs of cyberattacks and Congressional hearings on data breaches, we explain why we believe it to be unlikely that Congress will pass federal data breach/data notification legislation any time soon.

Download the 204th Episode (mp3).

Direct download: TheCyberlawPodcast-204.mp3
Category:general -- posted at: 6:43pm EDT

This episode consists of Jamil Jaffer and me interviewing Glenn Gerstell, the general counsel of the National Security Agency. Glenn explains what it was like on the inside of the effort to reauthorize section 702 of the Foreign Intelligence Surveillance Act. Jamil and I ask him whether the Foreign Intelligence Surveillance Court has the authority to deal with material omissions in FISA applications, and he actually answers. Glenn also touches on how it feels to discover that data subject to a judicial retention order has been inadvertently deleted, his secret exercise regime, his future plans, and how the United States should respond to the cybersecurity crisis.

Download the 203rd Episode (mp3).

Direct download: TheCyberlawPodcast-203.mp3
Category:general -- posted at: 5:09pm EDT

Cyberlaw Podcast alumnus Marten Mickos was called before the Senate commerce committee to testify about HackerOne’s bug bounty program. But the unhappy star of the hearings was Uber, which was heavily criticized for having paid out a large bonus under cloudy circumstances. Sen. Richard Blumenthal and others on the Hill treated the payment as more ransom than bounty and pilloried Uber for not disclosing what they called a breach. Even Uber, under new management, was critical of its performance.

As the only cyberlaw podcast with a Davos correspondent, we ask Alan Cohn to give highlights of the event from a cybersecurity point of view. I bring the color commentary and snark.

With the Microsoft Ireland case heading to argument, the Justice Department and Big Tech are hoping to head the court off with a legislative solution. Jamil Jaffer explains what the CLOUD Act will do. I point out who’s missing from the Grand Coalition and question whether Big Privacy has the clout to stop the act.

Fancy Bear hackers seeking high-tech weapons data from U.S. defense contractors get lucky—up to 40% of their phishing links strike paydirt. Michael Mutek explains what this likely means for the Defense Department—more regulation, probably. Whether more regs and more compliance will produce more security is the question no one can answer.

A cyber-diplomacy office is back from the dead, sort of: Secretary of State Rex Tillerson now says he’ll create a bureau for cyberspace headed by an assistant secretary. And, as Jamil explains, the fight switches to which undersecretary will oversee the office.

Nick Weaver and Jamil comment on the news that the Justice Department has pulled in an impressive haul of cyber-fraudsters, bookended by doubts whether any hackers can ever be extradited from places like the UK and Ireland. Because, face it, how many can’t claim to be on the spectrum?

I close with a tribute to John Perry Barlow, who died last week. If you wanted to know how many women would fall for a combination Grateful Dead lyricist, technologist, and cowboy, John could tell you. Exactly.

Download the 202nd Episode (mp3).

Direct download: TheCyberlawPodcast-202.mp3
Category:general -- posted at: 2:13pm EDT

The crypto wars return to The Cyberlaw Podcast in episode 201, as I interview Susan Landau about her new book on the subject, ‘Listening In: Cybersecurity in an Insecure Age.’ Susan and I have been debating each other for decades now, and this interview is no exception.

In the news roundup, Brian Egan and Nick Weaver join me for the inevitable mastication of the Nunes memo. (My take: The one clear scandal here is the way Glenn Simpson and Chris Steele treated the U.S. national security apparatus, including the national security press, as just another agency to be lobbied – and the success they had in milking it for partisan advantage and private profit.)

Meanwhile, if you needed a reminder of just how enthusiastically and ham-handedly China conducts its espionage, just ask the African Union, whose Chinese-built headquarters is pwned from top to bottom.

Brian lays out a significant Ninth Circuit Anti-Terrorism Act case absolving Twitter of liability for providing “material assistance” to ISIS by requiring a more direct relationship between Twitter’s acts and the harm suffered by the private plaintiffs. Not a surprise, but a relief for Silicon Valley.

Nick fulminates about the security threat that a sophisticated recent malvertising campaign poses and wonders when enterprises will start requiring ad-blockers on corporate internet software. In a related story, we wonder how much incentive Twitter really has to kill off its armies of fake followers.

Are the Dutch paying the price for punching above their weight in the cyberespionage game? And did American leaks kill their success? All we can do is speculate, unfortunately.

You know you’ve missed This Week in Sex Toy Security, so we bring it back to cover yet another internet-connected vibrator company trying to shake off a privacy class action. 

Finally, as a sign that we’ve finally reached peak cybersecurity and peak privacy, both topics are ending up on the agendas of international trade negotiators. The EU says its privacy rules are untouchable in negotiations (although other countries’ overly protectionist data flow policies are fair game) and the NAFTA negotiators have reportedly agreed to add to NAFTA cyber security “principles” based on the NIST Cyber Security Framework.

Download the 201st Episode (mp3).

Direct download: TheCyberlawPodcast-201.mp3
Category:general -- posted at: 11:51am EDT

Whether they call it the fitbit or the “Ohsh*t!bit,” governments are learning that the exercise internet of things is giving away their geospatial secrets at a rapid clip. Nick Weaver walks us through what most in the U.S. would call a security disaster—and how it could become an intelligence bonanza. As an example of what can be done, Jeffrey Lewis highlights Taiwan's secret cruise missile command center.

Of course, as soon as authoritarian governments learn to use fitbits to oppress their people, we can expect the European Union and the Wassenaar export control group to slap export controls on them. Meredith Rathbone reports on the effort to persuade Europe and Wassenaar not to throw the security industry out with the intrusion software. Turns out that progress is being made on both fronts.

Nick and I talk through the latest stories on Russian cyberspying. Meduza and Buzzfeed have a persuasive and dispiriting story about how Eugene Kaspersky might have been forced to cooperate with the Russian FSB. Looking at questions being raised about U.S. firms allowing the Russians to inspect their source code, we conclude that Balkanization of cybersecurity products is a near certainty, with the only question being how many markets there will be.

Speaking of Russia, the Dutch, not prominent among hacking intelligence agencies until now, have apparently counted cybercoup on the Russians.

Meredith and I dig into the latest round in the European Court of Justice between Max Schrems and Facebook. We call it a draw, with special props to Facebook for creativity in arguing that Schrems is no longer a consumer because he’s obviously turned suing Facebook into a profession.

And, in an overdue event, jackpotting coming to an ATM near you.

Finally, in the interview, we talk to Tim Maurer, co-director of the Cyber Policy Initiative and author of the new book, “Cyber Mercenaries: The State, Hackers, and Power.” Tim tells us the hidden story behind his book’s title and then jumps into a fascinating comparative study of how different governments try (or don’t try) to control the hackers they recruit, because it turns out that they all recruit hackers, just in very different ways. Tim points out an increasing fad for having hackers from one country move to another country to ply their trade (North Koreans to China; Chinese to Africa), and the additional deterrence options this offers the U.S. government.

Download the 200th Episode (mp3).

Direct download: TheCyberlawPodcast-200.mp3
Category:general -- posted at: 8:10am EDT

In this guestless episode, Michael Vatis, Markham Erickson, and Nick Weaver join me to round up the news. I explore the final results of the intense jockeying that led to passage of S. 139, which gave Section 702 of Foreign Intelligence Surveillance Act a new lease on life. The administration did well, weathering the president’s tweets, providing a warrant process for backend searches that will likely be used once a year if that, and—almost without anyone noticing—pulling the unmasking reform provisions from the bill and substituting an Office of the Director of National Intelligence rule. My guess? This was a tactic to make it easier for Dems to support the bill; if so, it worked.

And just in time, as the days after passage brought new whiffs of scandal, from the four-page House Republican memo alleging improprieties in the FBI’s FISA application to wiretap a Trump campaign hanger-on to two cases in which the FBI and NSA destroyed evidence they were supposed to be preserving. Michael Vatis and I cross swords over whether the FISA abuse memo is worth taking seriously or just partisan flak.

Nick and I delve into the gigabytes of hacked data mislaid by another player in the phone hacking game—Lebanese intelligence. Nick wonders whether the data obtained by the Electronic Frontier Foundation and Lookout violated the Computer Fraud and Abuse Act. I don’t.

The first known death by SWATting has yielded charges; the egregious SWATter for hire, SWauTistic, has been charged with involuntary manslaughter.

Almost as scary is the news that electric system malware is getting remarkably sophisticated, and common.

The Supreme Court will hear argument in the Microsoft Ireland case next month, and there are dozens of amici briefs, including one by Michael Vatis, who lays out his direct appeal to Justice Neil Gorsuch’s property-based view of the fourth amendment.

Matt Green (and Nick Weaver) have some questions for Apple about its moving China cloud data to a third party Chinese cloud provider. I’ve got one too. If treating Taiwan as a separate country from China leads to humiliating penalties for Western companies, does that mean Apple can’t store Taiwanese and Hong Kong users outside China?

And, for once on the podcast, a sweet life-long love story, spelled out cryptographically.

Download the 199th Episode (mp3).

Direct download: TheCyberlawPodcast-199_1.mp3
Category:general -- posted at: 8:21am EDT

It turns out that the most interesting policy story about Kaspersky software isn’t why the administration banned its products from government use; it’s why the last administration didn’t. Shane Harris is our guest for the podcast, delving into the law and politics of the Kaspersky ban. Along the way, I ask why the Foreign Sovereign Immunities Act, which allows suits against foreign governments for some torts committed in the United States, shouldn’t allow suits against foreign governments that hack computers located in the United States.

In the news, the House comfortably adopts a bill to reauthorize 702 surveillance; the Senate is expected to act today as well. While the House bill makes some changes to the law, it endorses the most moderate of the reform proposals.

In case you haven’t heard, Apple is handing off its iCloud operations to a local cloud storage company – with none of the histrionic civil liberties posturing the company displays in the United States. Whose data is being transferred to the tender mercies of Chinese authorities? Who knows? Not Apple, which can’t even send out notices to its customers without getting confused about who’s covered by the new policy.

It’s a “three-peat” for state authority to make online companies collect sales tax from their customers. The Supreme Court has agreed to reconsider a dormant commerce clause doctrine that it has already affirmed twice.

I apologize to Uber for snarking on their “bounty” payment of $100,000 to a hacker who exposed a serious security flaw and gained access to large amounts of personal data. A good New York Times article demonstrates that the decision to pay up was at least plausibly justified. But as if to demonstrate why the company never gets the benefit of the doubt, Bloomberg reports on Uber’s latest scofflaw-ware scandal. Luckily for journalists everywhere, Uber continues to adopt colorfully damaging nicknames for its scofflaware. In this case their product locked or deleted data sought by local law enforcement with the touch of a panic button. It was named, of course, after Sigourney Weaver’s character, Ripley, who declared that the only way to deal with an alien-infested installation was to “nuke it from orbit.”

Sheila Jackson-Lee gets an admiring mention for winning House passage of a cyber vulnerability disclosure bill that is probably nuanced enough to be adopted by the Senate as well.

And Deputy Attorney General Rosenstein makes a short pitch for “responsible” encryption that actually manages to move the debate forward a step.

Talk about 21st century warfare. Russia is claiming it fought off swarms of drones with cyberweapons. As Nick Weaver points out, that’s just the beginning.

Brian assesses the state of CFIUS reform legislation and the claim that Sen. Cornyn’s bill would result in CFIUS’s regulation of technology transfers that would be better addressed through export controls.

Finally, having already critiqued Apple and Uber, I feel obliged to offer equal time to Twitter, which remarkably can’t even identify advertisements that invite users to log on to fake Twitter sites and steal their credentials. If you want to understand the worst of Silicon Valley, I argue, you shouldn’t look to the big rich companies; it’s the struggling would-be unicorns who show what the Valley really cares about. And security ain’t it. Speaking of which, where is that Ad Transparency Center that Twitter promised any day now back in the fall of 2017?

Download the 198th Episode (mp3).

Direct download: TheCyberlawPodcast-198.mp3
Category:general -- posted at: 9:50pm EDT

While the U.S. was transfixed by posturing over the Trump presidency, China has been building the future. Chances are you’ll find one part of that future–social credit scoring–both appalling in principle and irresistible in practice. That at least is the lesson I draw from our interview of Mara Hvistendahl, National Fellow at New America and author of the definitive article on the allure, defects and mechanics of China’s emerging social credit system.

In the news roundup, Nick Weaver dives deep on the Spectre and Meltdown security vulnerabilities while I try to draw policy and litigation implications from the debacle. TL;DR: this is bad, but the class actions will settle for pennies. Oh, and xkcd has all you need to know.

I note that U.S. Customs and Border Protection under Trump has imposed new limitations on border searches of electronic devices. So naturally the press is all “Trump has stepped up border searches aggressively.” No good deed unpunished, as they say.

Maury Shenk explains President Emmanuel Macron’s latest plans to regulate cyberspace in the name of fighting Russian electoral interference and fake news. The Germans, meanwhile, have begun implementing their plan to fight hate speech on the internet. Predictably, it looks as though hate speech is winning.

In the litigation outrage of the month, a company called Keeper, a password manager developer, got caught distributing software with a security flaw. So they did what any security-conscious company would–they sued the website that publicized the flaw for libel. It’s a crappy suit, and we should all hope they end up assessed with costs and fees. But the real question is this: Google found and disclosed the flaw, while Microsoft distributed Keeper to its users. When will they file as amici to say that no company with a mature security model files STFU libel suits against people who point out legitimate security problems? TL;DR–Keeper: Loser.

Finally, Hal Martin pleads guilty to one of twenty-plus counts and takes a ten-year sentence. So far, so ordinary in the world of plea bargaining. But as Nick points out, this wasn’t a bargain. Martin can still be tried and sentenced on all the other counts. And it effectively stipulates the maximum sentence for the one count he’s pleading guilty to. There must be a strategy here, but we can’t say for sure what it is.

Download the 197th Episode (mp3).

Direct download: TheCyberlawPodcast-197.mp3
Category:general -- posted at: 4:51pm EDT

In this episode, I interview Elsa Kania, author of a Center for a New American Security report on China’s plan for military uses of artificial intelligence—a plan that seems to have been accelerated by the asymmetric impact of AlphaGo on the other side of the Pacific.

In the news, Brian Egan notes that China’s perspective on “sovereignty in cyberspace” was further elaborated at China’s World Internet Conference, and I point out that China continues its “two steps forward, one step back” process of bringing U.S. companies to heel on security issues.

Nick Weaver explains that the U.S. financial institutions’ “project doomsday” could just as easily be cast as “fire hydrant standardization.” It could be, but it won’t, at least not by headline writers.

Nick also calls out Apple for failing to follow U.S. law in responding to pen/trap and wiretap orders.

I take a victory lap, as the director of national intelligence promises to apply the Gates procedures to unmasking of transition officials. As recommended by me (well, and the House intelligence committee). No need to call them the Baker procedures, though, guys.

Bleeping Computer says Germany is planting backdoors into modern devices. Maybe so, I offer, but whether that includes encryption is not at all clear. 

Finally, Nick digs into the remarkable work that Citizen Lab and Bill Marczak continue to do on authoritarian government hacking. He says, with evidence, that efforts to control sales to untrustworthy governments are actually working.

Direct download: TheCyberlawPodcast-196.mp3
Category:general -- posted at: 8:04am EDT

Episode 195 features an interview with Susan Hennessey of Lawfare and Andrew McCarthy of the National Review. They walk us through the “unmasking” of US identities in intelligence reports—one of the most divisive partisan issues likely to come up in the re-enactment of Section 702 of FISA. I bask momentarily in the glow of being cast as a civil liberties extremist. And Thidwick the Big-Hearted Moose offers insights into 702 reform.

In the news roundup, I try to count votes after the Supreme Court argument in Carpenter v. United States. I count at least four likely votes to require a warrant for cell phone location data and only two likely votes for the United States (and the preservation of the third party doctrine). The other justices didn’t exactly wear their votes on their sleeve, but the smart money favors a whole new ballgame for criminal discovery. The court’s biggest problem will be finding a rationale that doesn’t open up decades of litigation. Justice Gorsuch distinguishes himself with a rationale that is creative, libertarian-conservative, and, well, cockamamie.

Phil West provides the tech angle on the biggest Congressional news—tax reform and what it means for Silicon Valley.

Nick Weaver and Jamil Jaffer walk us through the Justice Department’s impressive haul of indictments and guilty pleas in the world of cyberespionage. Yet another NSA exploit hoarder has been caught and pled guilty. And for the first time, Justice has the goods on cyberespionage by Boyusec, a Chinese “security” firm tied to China’s Ministry of State Security. The company has conveniently gone out of business after being outed, but the indictment does raise the question whether the US-China agreement on commercial cyberespionage was really just about which Chinese cyberspies would be allowed to steal U.S. commercial secrets.

There’s yet another flashpoint in China-US cyber relations—drones. A DHS analyst has publicly trashed the dominant drone maker, China’s DJI, as providing the Chinese government with access to data collected by its drones and as targeting sensitive US infrastructure for its sales. The DJI response is not exactly nuanced: A DJI spokesman called the report “insane.”

Meanwhile, Uber's problems seem neverending. The latest disaster focuses on the company’s use of quick-to-vanish messaging services like Wickr and Telegram. Such services are popular among “Technorati” who like to fancy themselves as targets of government surveillance. Problem is, when they are under surveillance, or just a discovery obligation, the use of evanescent messaging is often seen as a sign of guilt. This messaging movement could turn out to be extremely costly—first for Uber and then for Silicon Valley in general. I'm not sure that putting employees on the honor system not to use those services for company business is going to be enough.

Apple was in the news for giving up root access to anyone who insisted. And its attempt to rush out a patch wins the Equifax Prize for Breach Fixes That Create New Security Problems. Perhaps the security team was off providing support to Tim Cook for his keynote speech at the celebration of the Chinese internet (“We are proud to have worked alongside many of our partners in China to help build a community that will join a common future in cyberspace.”) Nick Weaver suggests as a result that we take a closer look at Facetime intercept capability.

Finally, it’s down to the wire on Section 702. Jamil Jaffer, Susan Hennessey and our other commentators think we may escape without too much damage to the intelligence program.

Download the 195th Episode (mp3).

Direct download: TheCyberlawPodcast-195.mp3
Category:general -- posted at: 11:09am EDT

Our interview this week is with Rob Reid, author of “After On” and “Year Zero,” two books that manage to translate serious technology nightmares into science fiction romps. We cover a lot of ground: synbio and giving eighth graders the tools for mass human extinction, the possibility that artificial intelligence (AI) will achieve takeoff and begin to act counter to humanity’s interests in a matter of hours. Along the way, we consider the possibility that the first AI will arise from a social media behemoth and will devote its exponential power to maximizing human hookups.

In the news, we explore the massive public relations disaster that is the Uber data breach and reach the surprising conclusion that the whole thing may turn out worse in the media than in the courts. Except in the EU, Maury Shenk reminds me. Europe just hates Uber viscerally. So much so that Jim Lewis suggests the company’s EU subsidiary will soon have to be renamed Unter.

Actually, it’s not just Uber that the EU hates. It’s all things technological, at least to judge by the European Parliament’s latest plan to use export controls to cripple technology companies whose products can be misused by authoritarian governments.

I note the release of the ODNI’s report on the intelligence community’s "masking" of U.S. identities in intel reports. We talk about the temptation to weaponize unmasking during transitions, and I ask why the “Gates procedures” that provide special protection for unmasking of Congressional identities shouldn’t also be used to protect Presidential transition teams.

Jim and I discuss Russia’s imposition of constraints on Radio Free Europe that match the new restrictions on RT in the United States. Jim and I struggle toward a Universal Theory of Putin as Overrated Global Troll.

Remember those Chinese "security" cameras deployed by US agencies that we covered in the last episode? Yeah, it's worse than you thought: the Chinese are getting close to identifying everyone caught on camera using gait and facial recognition.

I note that Sen. Ron Wyden (D-OR) has another campaign underway to imply that the Justice Department is imposing decryption assistance requirements under FISA without judicial review. In fact, if there is such an effort, the company on the receiving end already has a judicial remedy. And Maury explains that the head of Germany's new cybersecurity agency is joining the German government chorus arguing for "hack back," but only by the German government.

My candidate for “Dumbest Public Policy Battle of the Season”: The complaint that someone faked a bunch of meaningless, content-free comments on net neutrality. The problem is really the idea that the policy debate should be influenced by counting votes in the World’s Skeeviest Online Poll, an idea that seems to have sparked a kind of bot arms race between supporters and opponents of the FCC’s policy.

And my candidate for Coolest Technology Story of the Season: Feeding graphene to spiders and discovering that it greatly strengthens their webs. Every fifteen-year-old science fair participant should take heart: It turns out that with great quantities of graphene comes great responsibility.

Download the 194th Episode (mp3).

Direct download: TheCyberlawPodcast-194.mp3
Category:general -- posted at: 7:27pm EDT

We celebrate the holiday season by interviewing David Ignatius, Columnist and Associate Editor at The Washington Post and the author of multiple spy thrillers, including his most recent, "The Quantum Spy." David and I discuss themes from the book, from quantum computing to ethnic and gender tensions at the Agency, while managing to avoid spoilers. It’s a fun and insightful work.

Steptoe partner Stewart Baker with David Ignatius.

In the news, I flag Twitter’s weird journey from the free speech wing of the free speech party to the censorship wing of the Censor’s Party. Twitter is now revoking the verification checks for people whose speech it disapproves of. It’s even de-checking people based on its assessment of their off-line conduct. So maybe that should be the Stasi wing of the Censor’s Party. And, not surprisingly, given Silicon Valley’s steep leftward tilt, the censorship seems to fall far more harshly on the right than on less PC targets.

Markham Erickson and I treat Twitter’s wobbly stance as a symptom of the breakdown of the Magaziner Consensus, as both left and right for their own reasons come to view Big Tech with suspicion. Markham has shrewd observations about what it all means for the (questionable) future of social media’s section 230 immunity.

We dive into a surprising new analysis of China’s “50c Army.” Turns out that the Chinese government strategy for flooding the internet is 180 degrees off from Russia’s. Instead of a Trollfest, Chinese government-funded social media is saccharine sweet. Cheerleading and changing the subject are what its army does best.

Markham, Brian Egan, and I give broadly positive reviews to the US government’s recently announced Vulnerability Equities Process. And, in a correction to those who’ve said that other countries don’t have such a process, I point to evidence that China has one–in which all the equities seem to point to exploit, exploit, exploit.

All of which ought to turn the story of US agencies using Chinese “security” cameras from disquieting to positively frightening. Speaking of which, the Chinese company that made your drone has provided a case study on how not to do a bug bounty program. Read it and weep.

On a lighter note, we talk backflipping robots and a surprising peril of traveling with your family this holiday season–thumbprint phone security failure followed by titanic spousal air rage. Where is Tim Cook’s privacy schtick when we really need it?

Download the 193rd Episode (mp3).

Direct download: TheCyberlawPodcast-193.mp3
Category:general -- posted at: 5:23pm EDT

With the Texas church shooting having put encryption back on the front burner, I claim that Apple is becoming the FBI's crazy ex-girlfriend in Silicon Valley—and offer the tapes to prove it. When Nick Weaver rises to Apple's defense, I point out that Apple responded to a Chinese government man-in-the-middle attack on iCloud users with spineless obfuscation rather than a brave defense of user privacy. Nick asks for a citation. Here it is: https://support.apple.com/en-us/HT203126 (Careful: don't click without a chiropractor standing by.)

Nick provides actual news to supplement the New York Times' largely news-free front page story about leak and mole fears at NSA.

I gloat, briefly, over hackback's new respectability, as the Active Cyber Defense Certainty Act acquires new cosponsors, including Trey Gowdy. But not everywhere.

Michael Sulmeyer finally gets a word in edgewise as the conversation shifts to the National Defense Authorization Act. He discusses the Modernizing Government Technology Act, the growing Armed Services Committee oversight of cyberoperations, and the decision to lift—and perhaps separate—Cyber Command from the National Security Agency. I take issue with any decision that requires a three-star NSA director to argue intelligence equities with a four-star combatant commander.

We end with Michael Sulmeyer and me walking through the challenges for the Pentagon in deterring cyberattacks. We both end up expressing skepticism about the current path.

Download the 192nd Episode (mp3).

Direct download: TheCyberlawPodcast-192.mp3
Category:general -- posted at: 1:48pm EDT

Episode 191 is our long-awaited election security podcast before a live, and lively, audience. Our panel consists of Chris Krebs, formerly of Microsoft and now the top cybersecurity official at DHS (with the longest title in the federal government as proof), and Ed Felten, formerly the deputy chief technology officer of the federal government and currently a Princeton professor focused on cybersecurity and policy. We walk through the many stages of election machinery and the many ways that digitizing those stages has introduced new insecurities into our election results.

When all is said and done, however, the entire panel ends up more or less in one place: Election security is not to be taken for granted; it will be hard to achieve, but it’s not impossible, or even unaffordable. With sufficient will and focus, and perhaps a touch of Ned Ludd, we may be able to overcome the risk of foreign hackers interfering in our elections. At least outside of New Jersey.

Download the 191st Episode (mp3).

Direct download: TheCyberlawPodcast-191.mp3
Category:general -- posted at: 9:51am EDT

In our 190th episode, Stewart Baker has a chance to interview Sen. Sheldon Whitehouse (D-RI), who has a long history of engagement with technology and security issues. In this episode, we spend a remarkably detailed half-hour with him, covering the cybersecurity waterfront, from the FBI’s problems accessing the Texas church shooter’s phone, and what Silicon Valley should do about that, to Vladimir Putin’s electoral adventurism and how to combat it. Along the way, we touch (skeptically) on the NIST Cybersecurity Framework and more enthusiastically on allowing private citizens to leave their networks to track the hackers who’ve attacked them.  Plus: botnet cures, praise for Microsoft, a cybersecurity inspector general (or, maybe, bug bounties), DHS’s role in civilian cybersecurity, and how much bigger Rhode Island really is at low tide!

Download the 190th Episode (mp3).

Direct download: TheCyberlawPodcast-190.mp3
Category:general -- posted at: 1:34pm EDT

In our 189th episode Stewart Baker has a chance to interview United States Representative Tom Graves, co-sponsor of the Active Cyber Defense Certainty (ACDC) Act, which allows those whose networks are under persistent attack to leave their network to conduct investigative action.  Representative Graves offers a measured but deeply felt defense of the proposal and is optimistic about its reception.  And, with the hard-hitting investigative approach The Cyberlaw Podcast is known for, I ask the tough question:  “Is this bill a tribute to AC/DC – and if so, which song?”  (Hint in the title of the blog post.)

Mark your calendars for November 7th when we will gather for a live taping of a special episode on Election Cybersecurity at our Dupont Circle offices here in DC. To register please visit the Events page of our website at steptoe.com.

Download the 189th Episode (mp3).

Direct download: TheCyberlawPodcast-189.mp3
Category:general -- posted at: 2:38pm EDT

In this episode, Brian Egan and I deconstruct the endlessly proliferating “FISA 702 Reform” bills, from the irresponsible House Judiciary bill to the “I’ll see your irresponsible and raise you crazy” bipartisan extremist bill beloved of Sens. Wyden and Paul (and talk about truth in advertising: what else would you call a bill that takes us back to the pre-9/11 status quo but S.1997?). Even the relatively restrained Senate Intelligence bill takes fire for its, ahem, “creative” approach to FBI searches of 702 data. Brian does not share my distaste for all of the options, but agrees that the cornucopia of 702 proposals makes it even more unlikely that anything other than a straight-up short-term reauthorization can be passed before the end of the year.

In other legislative news, CFIUS reform is also in the air, and Sen. Cornyn's carefully scripted rollout has begun. In her podcast debut, Alexis Early unpacks this complex bill. Need a one-word explanation? China. The bill tries to block all of the avenues China is believed to have traveled in its pursuit of US technology over the last decade. We also discuss how the bill would remove the veneer of “voluntariness” from at least part of the CFIUS process, which could impact a range of filers – particularly US technology companies seeking foreign investment.

Meanwhile, if you’re looking for confirmation that privacy is really just another word for protecting privilege, Twitter is apparently eager to provide it. Even as criticism and warnings about Russian misuse of Twitter to divide Americans and “diss” Hillary Clinton were rolling in last summer, the Russians were busily deleting their phony posts, and Twitter was right there to help. The company told even independent researchers who had saved Russian posts that the researchers had to delete any post that Twitter was deleting (which seems to be anything that the Russians deleted). This of course made it hard to criticize Twitter’s policies on foreign government trolling, since the evidence was gone, but the justification that Twitter offered was, naturally, privacy. Maybe the company’s privacy policy should come with a slogan: “Privacy: Good for you. Better for us.”

Of course, Twitter claims that it has to force the deletion of inconvenient tweets because of EU data protection policy. And indeed, European exceptionalism on the privacy front was front and center last week, with the European Parliament’s approval of a draft ePrivacy directive that law enforcement will hate, an unfavorable opinion on how many data protection authorities can regulate Facebook (clue: all of them), and an absolutely undecipherable explanation from the Article 29 working party of European restrictions on automated decision-making (my translation: “If you use AI in your business and we don’t like you, you’re toast.”). Maury Shenk provides a less jaundiced summary of these developments.

We do quick hits on Kaspersky’s defense, which looks more like it was designed to embarrass the US than to exonerate the company, on Microsoft’s eagerness to drop its gag order lawsuit in response to a change in DOJ policy, and on the FBI’s claim that encryption is now defeating half of the phone searches it tries to do. 

Our interview is with Chris Painter, the State Department’s top cyber diplomat under President Obama. He offers candid views about the Tillerson reorganization, which pushes his old office deeper into “deep State” (the State bureaucracy). He also assesses what went right and wrong for cyber diplomacy on his watch, and what the US should be doing going forward. Brian Egan referees as Chris and I have what the State Department might call a “frank and candid exchange of views.”

Download the 188th Episode (mp3).

Direct download: TheCyberlawPodcast-188.mp3
Category:general -- posted at: 4:37pm EDT

I had a chance to talk to Tom Bossert, President Trump’s Homeland Security Adviser, on the record, and we’re releasing the conversation as a bonus episode of the Cyberlaw Podcast. The talk ranges from Peggy Noonan’s observations on White House staff work to the vast improvement in the West Wing’s carpeting before turning to our main topic – the looming deadline for renewing authority for FISA section 702. Tom is deeply familiar with the issues in the debate over 702. He stands by the administration’s position that 702 should be renewed without amendment and without a sunset but he discusses with nuance the many legislative proposals for changing the program as well. Finally, we talk about the executive order that unleashed a flood of internal reports on empowering DHS to protect the US government’s systems, measures to protect critical infrastructure, and the administration’s hunt for a new cyberspace deterrence strategy.

Download the 187th Episode (mp3).

Direct download: TheCyberlawPodcast-187.mp3
Category:general -- posted at: 7:56am EDT

Our interview is another in our series on Section 702 reform, featuring Mieke Eoyang of the National Security Program at Third Way and Jamil Jaffer of George Mason University and IronNet Security. They begin with the history of the program but quickly focus on proposals to require warrants for FBI criminal searches of already collected 702 data, which Mieke broadly supports and Jamil broadly opposes. The Las Vegas shooter's case raises the question—are we really going to make the FBI wait for a warrant before checking its own 702 database to see whether Paddock has been in communication with terror groups and what he's been saying? 

In the news roundup, Jim Lewis of the Center for Strategic and International Studies and Brian Egan nerd out with me on the DOD's objections to section 1621(f) of the National Defense Authorization Act. Neither Jim nor Brian finds them persuasive.

I give a preview of my plans to celebrate Halloween as a Russian Twitter troll, and Jim predicts that the main fallout from the entirely predictable Russian use of Twitter will be on Silicon Valley, as what I call the Magaziner Consensus, already dying abroad, starts to look a little peaked here at home.

Meanwhile, the North Korean hackers are still robbing banks, semi-successfully. And, remarkably, they're also finding studios even more willing to cave to cyber blackmail than Sony, as it turns out the hackers apparently killed a BBC show they found objectionable. Jim insists that these kinds of attacks tell us more about the calculating rationality of Kim Jong Un than his craziness. And, since Kim's getting away with both, maybe Jim is right.

I riff on the latest in sex toy security, introducing our audience to an entirely new internet vocabulary.

Also, the medical profession seems to be putting its collective head in the sand about medical device security. Jim is sure that liability for producers—and for doctors—will solve that problem before Congress. Knowing the FDA's shaky grasp of the issue, I’m not so sure. 

Finally, Brian reports that the EU's first Privacy Shield report found US data protection practices "adequate" under EU law. He thinks it's because the administration is taking the EU process seriously; I think it's because the EU is taking President Trump seriously—and has decided he's not someone whose adequacy you want to question lightly.

Download the 186th Episode (mp3).

Direct download: TheCyberlawPodcast-186.mp3
Category:general -- posted at: 11:23pm EDT

This episode features an interview with Mårten Mickos, the CEO of HackerOne. HackerOne administers bug bounty and vulnerability disclosure programs for a host of private companies as well as DOD’s “Hack the Pentagon” program. He explains how such programs work, how companies and agencies typically get started (with “vulnerability disclosure” programs), the legal and other assurances that companies need to provide to ensure participation, and the role that bounty administration firms play – from hacker reputation management to providing a kind of midnight basketball tournament for otherwise at-risk fourteen-year-old boys. (And they are boys, at least 98% of them, an issue we also explore.) Along the way, there’s even unexpected praise for the Justice Department’s Computer Crime Section, which has produced a valuable framework for vulnerability disclosure programs.

Download the 185th Episode (mp3).

Direct download: TheCyberlawPodcast-185.mp3
Category:general -- posted at: 8:04pm EDT

Today’s news roundup features Shane Harris of the Wall Street Journal, Brian Egan, and Alan Cohn discussing stories that Shane wrote last week. Out of the box, we work through the hall of mirrors that the Kaspersky hacking story has become.

The Russian hacking story is biting more companies than just Kaspersky. Turns out that Twitter deleted all the Russian trolling accounts and tweets when the Russians asked them to. Because privacy! I put in a plug for the rule that privacy always somehow ends up protecting the powerful – in this case Vladimir Putin and, of course, Twitter itself.

We also cover another Wall Street Journal story detailing North Korea’s use of (another) antivirus product to hack South Korea’s military – and US war plans. 

Alan unpacks the Trump Administration’s most detailed statement to date on law enforcement and technology -- Deputy AG Rosenstein’s far-ranging speech on the topic.

Alan and I also touch on the emerging fight over 702 – and the media’s evergreen and credulous “discovery” that the far left and far right are surprisingly close on surveillance issues.

Alan spells out the case for Kirstjen Nielsen as Homeland Security Secretary, along with what some of her detractors are saying.

Brian lays out the explosive theory behind the latest effort to tag Google and other social media giants with liability for assisting ISIS.

We close with two short hits.

I ask why, if Pornhub’s technology is that good, they’re starting with facial recognition.

And I can’t help noting that, for a while at least, security icon Apple thought that the best password hint was … the password itself! Thanks, Tim Cook! We’ll keep that in mind the next time you argue that the ability to hack every iPhone on the planet should be left with you and not the FBI.

Download the 184th Episode (mp3).

Direct download: TheCyberlawPodcast-184.mp3
Category:general -- posted at: 11:49am EDT

Richard Danzig, former Navy Secretary and a serious defense and technology thinker, speaks to us about the technology tsunami and what it means for the Pentagon. Among the risks: lots more accidents, some of them catastrophic, and “emergent” interactions among systems that no one predicts or prepares for. He calls for the Department of Defense to spend more time thinking about ways in which our weapons might kill us without any enemy action. Along the way, we ask the hard questions, including whether Kim Jong Un will use gene therapy to make his people smarter, dumber, or better basketball players.

In our news roundup, the House Judiciary Committee has struck the first blow in the 702 renewal debate. Paul Rosenzweig and I assess its bill and end up concluding that it does less damage to national security than expected, except for the unfortunate decision to sacrifice the possibility of conducting “about” collection.

Meanwhile, a turf fight inside Treasury has gotten vicious, with FinCEN lobbing (and leaking) “intelligence scandal” epithets at its sister Office of Intelligence and Analysis.  Brian Egan doesn’t seem surprised about the fighting, while expressing skepticism about the likelihood of a real scandal. In the words of our President, “Sad!”

Irish courts have unsurprisingly punted on the use of standard contracts clauses to export data to the US, Michael Vatis tells us.  The court has referred the hard issues to the European Court of Justice.

Speaking of sad, a third (or maybe a fourth) NSA staffer has taken Top Secret material home with disastrous results.  Kaspersky’s software seems to have been great at spotting the classified malware on the staffer’s machine. The result, Paul notes, is that the malware ended up in Russian government hands, and Kaspersky’s reputation is toast in the West.  Maybe it’s just a coincidence or maybe Kaspersky has given up wooing the West, but its latest report outs an unknown power that has been “piggybacking” on intrusions aimed at or run by Russian and Chinese hackers.

Finally, Brian discusses USTR’s use of the WTO to put a shot across China’s bow on that nation’s cybersecurity law.

Download the 183rd Episode (mp3).

Direct download: TheCyberlawPodcast-183.mp3
Category:general -- posted at: 6:11pm EDT

Episode 182 features a panel of experts on attribution of cyberattacks. I moderated the panel at the Georgia Tech 15th Annual Cyber Security Summit in Atlanta on September 27, 2017.  Panel members included Cristin Goodwin of Microsoft, Rob Knake of the Council on Foreign Relations, Hannah Kuchler of the Financial Times, and Kim Zetter, author of a 2014 book on the Stuxnet attack.

It’s a wide-ranging and compelling discussion of how we’re doing in attributing cyber intrusions and what more is needed in the field. Special thanks to Michael Farrell, Co-Director of Georgia Tech’s Institute for Information Security & Privacy (IISP) and the organizer of the Summit, for all the work and assistance that made this episode possible.

Download the 182nd Episode (mp3).

Direct download: TheCyberlawPodcast-182.mp3
Category:general -- posted at: 5:38pm EDT

Episode 181: Equifax and the Upside of Nation-State Cyberattacks

Was the Equifax breach a nation-state attack? Nick Weaver parses the data, and I explore the surprising upside for Equifax if it was.

Twitter comes to Capitol Hill to talk Russian election interference; it goes home with a flea in its ear and plenty of homework to do. Stephen Heifetz and I ask why the Foreign Agents Registration Act could not be used to discipline nation states' use of social media.

Twitter isn't alone in getting sideways with the government. The Justice Department says that Google is defying court orders on disclosure of data -- while building a system to make compliance impossible.  Nick gives the company a chutzpah award.

Jim Comey is still taking hits from the Hill, months after his departure from public life. Sens. Wyden and Lee are hoping to call him a liar, and they'd like the DNI's help. The good news for Jim Comey is bad news for Section 702, since the attack on Comey is really a way of paving the ground for a major reduction in the kinds of intelligence collection the government can conduct using section 702.

Bet you never thought you'd hear the phrase "Bush-Obama Consensus," but the Trump administration's CFIUS policies are turning "BushObama" into a single word summary of the ancien regime. Stephen Heifetz makes these and other observations in laying out the latest from CFIUS's (2015!) annual report. What can we tell from it?

Finally, Nick and I explore his latest essay viewing the vulnerability equities process through a Vault7 and ShadowBrokers lens: What should the government do when it's pretty sure its critical hacking tools have fallen into enemy hands?

Download the 181st Episode (mp3).

Direct download: SteptoeCyberlawPodcast-181.mp3
Category:general -- posted at: 4:49pm EDT

In a delightfully iconoclastic new book, Jeremy Rabkin and John Yoo take the air out of 75 years of inflated claims about the law of war. They do it, not for its own sake, though God knows that would be enough, but as a prelude to discussing how to use the new weapons–robots, space, and cyber–that technology makes possible. Brian Egan and I interview Jeremy Rabkin about these and other aspects of “Striking Power: How Cyber, Robots, and Space Weapons Change the Rules for War."

In the news roundup, cell tower simulators, aka stingrays, take another hit as a divided DC Court of Appeals says warrants are required before they can be used.

Maury Shenk sees good news for industry in the recent meetings between Commissioner Jourova and Secretary Ross; the European Commission is giving every sign of wanting to avoid yet another fight over Privacy Shield, though hotter heads in Europe may yet prevail.

Brian Egan opines on Robert Strayer’s appointment as deputy assistant secretary of state for cyber and international communications and information policy–and the reorganization that his appointment cements for now.

Stewart and Jeremy unpack the implications of the CCleaner attack, and its lessons for advocates of hacking back.

The FTC took a hit–but not a fatal one–from Judge Donato in the D-Link case.

And the OPM breach suits have been dismissed; I conclude that the grounds for dismissal raise questions, but it was, in the end, a mercy killing, since maintaining a class was likely to be impossible.

Julian Assange’s effort to rebrand himself as something other than a Russian stooge spurs skepticism from the panel. As Maury points out, the (only) Russian data leak Wikileaks has posted is more marketing release than a blown whistle.

Embarrassingly, the SEC admits that it was hacked and that the stolen data was likely used for insider trading.

Download the 180th Episode (mp3).

Steptoe partner Stewart Baker (right) with Jeremy Rabkin.

Direct download: SteptoeCyberlawPodcast-180.mp3
Category:general -- posted at: 8:46am EDT

Our interview is with Jeanette Manfra, DHS’s Assistant Secretary for Cyber Security and Communications. We cover her agency’s binding directive to other civilian agencies to purge Kaspersky software from their systems, and her advice to victims of the Equifax breach (and to doctors who think that Abbott Labs’ heart implants don’t need a security patch because no one has been killed by hackers yet). I also ask how she’s doing at expanding civilian agency security from intrusion prevention to monitoring inside networks – and the future of her agency at DHS.

CFIUS is back in the news as President Trump kills his first deal on national security grounds. Stephen Heifetz explains what he did and what it means for roughly 15 more deals caught in CFIUS’s toils.

For those who are following the 702 Upstream issue from last week’s episode, a bipartisan group of House Judiciary members has come down on Liza Goitein’s side of the debate, saying they’ll abolish upstream collection “about” terrorists. Whether they can sell the moderates of both parties on that, especially in the Senate, remains to be seen.

Jennifer Quinn-Barabanov explains how bad things have gotten for Equifax: a delayed patching process that will be cast as negligent, dozens of class actions, an FTC investigation, multiple Congressional committee hearings, possible SEC inquiries, and the state attorneys general too. I point out that no one has suffered harm from the breach yet and question whether this disaster will look quite so bad in three or four months.

The Trump administration imposes its first cyber attack sanctions, against Iranian hackers. Stephen and I note that three astonishingly different Presidents have managed to pursue cyber policies that are more or less indistinguishable from each other.

I suggest a surprising likely victim of the Russian probe: the effort to enshrine in law the requirement that electronic provider content only be provided in response to a search warrant, not a subpoena. The social media companies that dealt with Russian advertisers have provided less information to the Senate intelligence committee than to Robert Mueller. Why? Because the Senate doesn’t issue search warrants. So if Congress adopts a statutory warrant requirement to get electronic content, it will doom Congressional committees to perennial second-class status in future investigations. I doubt Congress is going to want to do that.

In fact, I predict, Silicon Valley is in for a bad half decade in Washington, as left and right grow increasingly suspicious of the power of social media companies.

Finally, to close out the news on a legal note, Jennifer unpacks two recent and, ahem, “divergent” opinions of the Eighth Circuit on breach lawsuit standing.

Download the 179th Episode (mp3).


Direct download: SteptoeCyberlawPodcast-179.mp3
Category:general -- posted at: 8:03am EDT

The Cyberlaw Podcast kicks off a series exploring section 702 – the half-US/half-foreign collection program that has proven effective against terrorists while also proving controversial with civil liberties groups.  With the program due to expire on December 31, we’ll examine the surveillance controversies spawned by the program. Today, we look at the “upstream” collection program under section 702.  We talk to Becky Richards, NSA’s Civil Liberties and Privacy and (whew!) Transparency Officer as well as Liza Goitein of the Brennan Center for Justice.

In the news, Equifax is taking a beating both for a massive and serious data breach and for a series of missteps in its mitigation effort.  Michael Vatis lays out the gory details.

Speaking of ugly, the climate for the online ad business is getting a lot worse, or so I predict, as Russia's use of social media ads and trolls gets attention in Washington.

Had enough?  Nope.  Now the European Court of Human Rights is piling on, limiting employers' right to monitor employees.  Maury Shenk explains the law; and I marvel at the court’s ability to take an obligation imposed on governments and turn it into a code of conduct for private employers.

But wait, it gets worse.  Symantec says that a hacker who looks a lot like the Russian government has installed sophisticated hacking tools on the networks that directly control US electric grid systems.  I predict that the Trump administration will do, well, nothing, following an Obama administration tradition in grid hacking cases.

OK, it’s not the power grid, but would you really want hackers to be able to tell your Echo, “Alexa, send me two metric tons of garbanzo beans overnight?”  Now, thanks to what I call the Evil Dolphin attack, they can do exactly that – with you in the room.  Quick, get all the Echos out of Marine World!

OK, here’s a bit of good news, or at least man-bites-dog news.  Maury reports that the European Court of Justice has sent Intel's $1.26 billion monopolization fine back to the European General Court.  Any time a European court doesn’t reach out to arbitrarily smack a US tech company, it’s cause for wonder.

In other news, Michael reports that Lenovo has settled (and pretty cheaply) with the FTC and a batch of states for installing spyware on its laptops.

To follow up on last week’s podcast, Best Buy has dumped Kaspersky software, so the mistrust virus is spreading from government to the private sector.

Finally, Uber, not content with God mode, also invented Hell, a program that fooled Lyft drivers into chasing fake customers.  Now Hell seems to have come for Uber, as it turns out the now-abandoned escapade might have violated the Computer Fraud and Abuse Act and is the subject of an SDNY/FBI probe.

Download the 178th Episode (mp3).


Direct download: SteptoeCyberlawPodcast-178_1.mp3
Category:general -- posted at: 9:51am EDT

In Episode 177, fresh from hiatus, we try to summarize the most interesting cyber stories to break in August. Paul Rosenzweig kicks things off with the Shunning of Kaspersky. I argue that the most significant–though unsupported–claim about Kaspersky is Sen. Shaheen’s assertion that all of the company’s servers are in Russia. If true, that’s certainly an objective reason not to let Kaspersky install sensors in non-Russian computers. The question that remains is how much due process companies like Kaspersky should get. That’s a question unlikely to go away, as DOD is now comprehensively shunning DJI drones, issuing guidance that sounds a lot like Edward Snowden demanding that users uninstall all DJI apps and remove all batteries and storage media.

Speaking of companies the US government can’t trust, Paul and I note that Apple has lost control of its secure enclave software. At the same time, Apple has pulled VPN apps from the Apple store at the direction of the Chinese government. Tim Cook explains that this makes perfect sense because Chinese law is on the Chinese government’s side but US law is not on the US government’s side. Right. Sounds like Tim is as good at lawyering as he is at coding, or at finding new breakthrough products for that matter.

Alan Cohn offers a potentially groundbreaking IoT security act.

Maury Shenk lays out the future of UK data protection law after Brexit.

And Paul and I look for ways in which DNA malware could be used.

To everyone’s surprise, election hacking is still making news. I use the item to tease our latest plan–an open house Election Day special where a panel of experts debates election security in front of a live Steptoe audience.

Finally, in our long interview, Alan and Maury talk Bitcoin, blockchain, and distributed ledgers with Michael Mainelli, Co-Founder and Chairman of Z/Yen, a think-tank and venture firm in the City of London; Emeritus Professor and Chairman at Gresham College; an alderman of the City of London; and a founder of Long Finance.

Download the 177th Episode (mp3).


Direct download: SteptoeCyberlawPodcast-177.mp3
Category:general -- posted at: 5:30pm EDT

Everybody’s a critic, and everybody’s a censor, at least if you judge by today’s episode: Maury Shenk tells us the European Court of Justice will soon rule on its authority to censor what Americans read. Markham Erickson discusses the Ninth Circuit decision upholding national security letter gag orders. And Maury says that China is getting impressively good at deleting images it doesn’t like from citizens’ phones in real time.

In other news, Congressional sanctions on Russia look like a done deal; Anthony Rapa explains (contra the NYT) that the sanctions weren’t watered down in the House – and the fuss they’re likely to cause among our European trading partners.

Speaking of sanctions, how long before Putin decides to sanction the extended Trump family by going after their property, either with legal decrees or illegal hacks? The Trump hotels are already prime targets for credit card hacks; adding doxing and bricking to the mix wouldn’t be hard.

In fact, that’s a lesson Hollywood seems to have absorbed. To keep from getting hacked a la Sony, it looks as though other studios are airbrushing Vladimir Putin from their upcoming films.

Meanwhile, Reuters and others report that Silicon Valley’s Big Tech seems to be AWOL in the fight over section 702 renewal. That is not necessarily out of patriotism; it may also be because the EU has tried to tie the fate of 702 to the Privacy Shield, the agreement that allows free data flows between the regions.

As antidote, Stephanie Roy describes one profile in corporate courage – Microsoft’s lawsuit against Russia’s GRU (though they don’t of course name the intelligence agency). Microsoft is using trademark rights to take back some of the GRU’s command and control infrastructure.  It may not change the world, but it’s the best use of trademark enforcement in years.

Finally, our guest for the episode is Dave Aitel, Founder and CEO of Immunity, Inc. Dave combines deep cyber security expertise with a willingness to weigh in on policy issues.  A VEP expert (and contrarian), Dave thinks the recent Belfer Center paper on the topic is embarrassingly wrong and will have to be withdrawn. We cover other issues as well, from when a cyberweapon should be condemned as an indiscriminate violation of international humanitarian law to Kaspersky’s defenestration and the wisdom and proper regulation of private sector hacking back.  It’s a great tour of current issues in cybersecurity.


Download the 176th Episode (mp3).


Direct download: SteptoeCyberlawPodcast-176.mp3
Category:general -- posted at: 6:34pm EDT

This episode is dominated by IT procurement news.  And it’s as irresistible as a twelve-car pileup on the Beltway.  We open the news with an exploration of the federal de-listing of Kaspersky Labs, and how seriously government contracts lawyers take such an action (h/t to Michael Mutek for that).

Then, in the interview, Eric Hysen, formerly of the DHS Digital Service, lays out his view of how DHS’s effort to bring agility and speed to big IT contracts came a cropper, with plenty of color commentary from procurement law guru, Michael Mutek.  If you care about reforming federal IT purchasing (and you should), this interview is a cautionary tale.

In other news, as Steptoe summer associate Quentin Johnson lays out, the Knight First Amendment Institute has brought a lawsuit to declare @realDonaldTrump a public forum from which trolls and griefers may never be excluded.  Gus Hurwitz overcomes his inclination to snark and instead treats the claim seriously, which only makes it sound more ridiculous.  Still, I’m looking forward to seeing White House press briefings moved to the Rose Bowl.

Alan Cohn and I note that Booz Allen has come up with the best explanation yet for NotPetya’s weirdly self-defeating ransomware pose.  The purpose wasn’t to cause Shamoon-style destruction or to collect ransom; the goal was to cover tracks left in earlier intrusions.

Meanwhile, Alan Cohn describes a remarkably functional homeland and cyber security White House and DHS process, including Jeanette Manfra’s swift appointment and Rob Joyce’s sober assessment of the value of norms talk.

China continues to crack down on its citizens, and to get cooperation from at least some US tech companies. You want cyber norms as the tech sector would write them? It’s easy: the norm is whatever the government in the companies’ biggest markets wants. That, at least, goes a long way toward explaining Apple’s conduct.


Direct download: SteptoeCyberlawPodcast-175.mp3
Category:general -- posted at: 7:06pm EDT

In this episode, we interview Jim Miller, co-chair of a Defense Science Board panel that reported on how the US is postured for cyberconflict and the importance of deterrence. The short answer: deterring cyberconflict is important because our strategic cyberconflict posture sucks. The DSB report is thoughtful, detailed, and troubling. Jim Miller manages to convey its message with grace, good humor, and clarity.

In the news, Brian Egan and I find ourselves unable to turn away from the Trump-Putin meeting in Warsaw. Bottom line: by raising concerns about election hacking, Trump did and said more or less what any President would have said and done – except he failed to stick the landing with a self-serving debrief. Or if the President’s short-lived establishment of a “joint computer security unit” was self-serving, we missed it.

File this under dog bites man: Europeans are beating up on Google. The UK data protection commissioner says it was unlawful for the National Health Service to share medical data with Google’s DeepMind subsidiary, even if the goal was to provide new medical insights.

And the EU’s massive fine for Google’s abuse of its dominant position leads to musings on the regulatory foundations of some competition law doctrines – plus an enthusiastic book recommendation.

Speaking of regulating cyberspace, China’s regulatory association is demanding “core socialist values” and in-house auditors for internet content sites.

Finally, in a first, we invite Steptoe summer associate Josh Holtzman on the podcast. Josh does a fine job breaking down the issues in a court fight over warrants-and-gag-orders served on Facebook, probably as part of an investigation into violence accompanying Donald Trump’s inauguration.


Direct download: SteptoeCyberlawPodcast-174.mp3
Category:general -- posted at: 8:48pm EDT

Today we deliver the second half of our bifurcated holiday podcast with an interview of Richard Ledgett, recently retired from his tour as NSA’s deputy director. We cover much recent history, from Putin’s election adventurism to questions about whether NSA can keep control of the cyberweapons it develops.  Along the way, Rick talks about the difference between CIA and NSA approaches to hacking, the rise of NSA as an intelligence analysis force, the growing effort to keep Kaspersky products out of sensitive systems, and the divergence among intelligence agencies about whether Putin’s attack on the American election was intended mainly to hurt Hillary Clinton or to help Donald Trump.


Direct download: SteptoeCyberlawPodcast-173.mp3
Category:general -- posted at: 2:55pm EDT