Steptoe Cyberlaw Podcast (general)

Everybody’s a critic, and everybody’s a censor, at least if you judge by today’s episode: Maury Shenk tells us the European Court of Justice will soon rule on its authority to censor what Americans read. Markham Erickson discusses the Ninth Circuit decision upholding national security letter gag orders. And Maury says that China is getting impressively good at deleting images it doesn’t like from citizens’ phones in real time.

In other news, Congressional sanctions on Russia look like a done deal; Anthony Rapa explains (contra the NYT) that the sanctions weren’t watered down in the House – and the fuss they’re likely to cause among our European trading partners.

Speaking of sanctions, how long before Putin decides to sanction the extended Trump family by going after their property, either with legal decrees or illegal hacks? The Trump hotels are already prime targets for credit card hacks; adding doxing and bricking to the mix wouldn’t be hard.

In fact, that’s a lesson Hollywood seems to have absorbed. To keep from getting hacked a la Sony, it looks as though other studios are airbrushing Vladimir Putin from their upcoming films.

Meanwhile, Reuters and others report that Silicon Valley’s Big Tech seems to be AWOL in the fight over section 702 renewal. Not necessarily out of patriotism but possibly also because the EU has tried to tie the fate of 702 with the Privacy Shield, which is the agreement that allows for free data flows between the regions.

As antidote, Stephanie Roy describes one profile in corporate courage – Microsoft’s lawsuit against Russia’s GRU (though they don’t of course name the intelligence agency). Microsoft is using trademark rights to take back some of the GRU’s command and control infrastructure.  It may not change the world, but it’s the best use of trademark enforcement in years.

Finally, our guest for the episode is Dave Aitel, Founder and CEO of Immunity, Inc. Dave combines deep cyber security expertise with a willingness to weigh in on policy issues.  A VEP expert (and contrarian), Dave thinks the recent Belfer Center paper on the topic is embarrassingly wrong and will have to be withdrawn. We cover other issues as well, from when a cyberweapon should be condemned as an indiscriminate violation of international humanitarian law to Kaspersky’s defenestration and the wisdom and proper regulation of private sector hacking back.  It’s a great tour of current issues in cybersecurity.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 176th Episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-176.mp3
Category:general -- posted at: 6:34pm EDT

This episode is dominated by IT procurement news.  And it’s as irresistible as a twelve-car pileup on the Beltway.  We open the news with an exploration of the federal de-listing of Kaspersky Labs, and how seriously government contracts lawyers take such an action (h/t to Michael Mutek for that).

Then, in the interview, Eric Hysen, formerly of the DHS Digital Service, lays out his view of how DHS’s effort to bring agility and speed to big IT contracts came a cropper, with plenty of color commentary from procurement law guru, Michael Mutek.  If you care about reforming federal IT purchasing (and you should), this interview is a cautionary tale.

In other news, as Steptoe summer associate Quentin Johnson lays out, the Knight First Amendment Institute has brought a lawsuit to declare @realDonaldTrump a public forum from which trolls and griefers may never be excluded.  Gus Hurwitz overcomes his inclination to snark and instead treats the claim seriously, which only makes it sound more ridiculous.  Still, I’m looking forward to seeing White House press briefings moved to the Rose Bowl.

Alan Cohn and I note that Booz Allen has come up with the best explanation yet for NotPetya’s weirdly self-defeating ransomware pose.  The purpose wasn’t to cause Shamoon-style destruction or to collect ransom; the goal was to cover tracks left in earlier intrusions.

Meanwhile, Alan Cohn describes a remarkably functional homeland and cyber security White House and DHS process, including Jeanette Manfra’s swift appointment and Rob Joyce’s sober assessment of the value of norms talk.

China continues to crack down on its citizens, and to get cooperation from at least some US tech companies.   You want cyber norms as the tech sector would write them?  It’s easy:  the norm is whatever the government in the companies’ biggest markets wants.  That, at least, goes a long way to explain Apple’s conduct.

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-175.mp3
Category:general -- posted at: 7:06pm EDT

In this episode, we interview Jim Miller, co-chair of a Defense Science Board panel that reported on how the US is postured for cyberconflict and the importance of deterrence. The short answer: deterring cyberconflict is important because our strategic cyberconflict posture sucks. The DSB report is thoughtful, detailed, and troubling. Jim Miller manages to convey its message with grace, good humor, and clarity.

In the news, Brian Egan and I find ourselves unable to turn away from the Trump-Putin meeting in Warsaw. Bottom line: by raising concerns with election hacking, Trump did and said more or less what any President would have said and done – except he failed to stick the landing with a self-serving debrief. Or if the President’s short-lived establishment of a “joint computer security unit” was self-serving, we missed it.

File this under dog bites man: Europeans are beating up on Google. The UK data protection commissioner says it was unlawful for the National Health Service to share medical data with Google’s DeepMind subsidiary, even if the goal was to provide new medical insights.

And the EU’s massive fine for Google’s abuse of its dominant position leads to musings on the regulatory foundations of some competition law doctrines – plus an enthusiastic book recommendation.

Speaking of regulating cyberspace, China’s regulatory association is demanding “core socialist values” and in-house auditors for internet content sites.

Finally, in a first, we invite Steptoe summer associate Josh Holtzman on the podcast. Josh does a fine job breaking down the issues in a court fight over warrants-and-gag-orders served on Facebook, probably as part of an investigation into violence accompanying Donald Trump’s inauguration.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-174.mp3
Category:general -- posted at: 8:48pm EDT

Today we deliver the second half of our bifurcated holiday podcast with an interview of Richard Ledgett, recently retired from his tour as NSA’s deputy director. We cover much recent history, from Putin’s election adventurism to questions about whether NSA can keep control of the cyberweapons it develops.  Along the way, Rick talks about the difference between CIA and NSA approaches to hacking, the rise of NSA as an intelligence analysis force, the growing effort to keep Kaspersky products out of sensitive systems, and the divergence among intelligence agencies about whether Putin’s attack on the American election was intended mainly to hurt Hillary Clinton or to help Donald Trump.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Subscribe to the Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-173.mp3
Category:general -- posted at: 2:55pm EDT

In this news-only episode, we cover the irresistible story of the week: Trump, Russia, and the Media.  It’s especially irresistible for us because we’ve had two of the protagonists on as guests.  I make the bold prediction that Shane Harris’s stories on Russia collusion and the Trump campaign will be seen as the moment when the media OCD fascination with Russia collusion finally jumped the shark.  Though in this case, the shark had already consumed at least one Pulitzer-prize winning journalist, Eric Lichtblau.  (And for the record, CNN, I am not advocating that more journalists should be eaten by sharks, and I refuse to accept the blame when they are.)

Unfortunately, journalists chasing nonstories can’t devote any attention to some very real stories involving government and IT.  So we do it for them.  Stephen Heifetz reports on the CFIUS logjam that is blocking close to a dozen transactions because the administration has not filled the subcabinet positions that could sort through the filings with a coherent policy in mind.

In other cyberwar logjam news, the UN Government Group of Experts (GGE) has failed to produce a consensus report following up on earlier reports endorsing some application of the law of war to cyberattacks.  Brian Egan explains what that means for the UN, the Trump administration, and the future of international cooperation on cyber norms.

Finally, Stephanie Roy explains the significance of the latest spat between Ajit Pai and Mignon Clyburn over online privacy regulation.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-172.mp3
Category:general -- posted at: 5:13pm EDT

Our guest, Ellen Nakashima, was coauthor of a Washington Post article that truly is a first draft of history, though not a chapter the Obama administration is likely to be proud of.  She and Greg Miller and Adam Entous chronicle the story of Russia’s information operations attack on the 2016 presidential election.

Want to know how it feels to have Donald Trump tweeting your article and taunting the last administration?  Don’t worry, we ask.  Also why was the NSA only moderately confident that Putin was trying to help Trump win, and how did the Obama administration manage to “choke” at every turn.  Jim Comey makes a cameo appearance, ironically refusing to go public with his agency’s assessment of the hack because it might look like he was trying to influence the election — whew! – that’s a bullet dodged!

We dwell on the Obama administration’s bad luck in announcing its judgment on Putin’s hack half an hour before the Access Hollywood story broke and an hour before Podesta’s emails were released.  Sometimes you win the news cycle; sometimes the news cycle wins you.

Finally, Ellen talks about the plan to implant cyberweapons in Russian infrastructure and where it stands.  What infrastructure, you ask?  Infrastructure so serious it was approved by a phalanx of Obama administration lawyers, of course.  It’s an echt-Obama moment, the kind of thing that is bound to be in history’s second draft as well.

We begin the news roundup, as our fans demand, with the latest in sex toy cybersecurity law.  On a more serious note, Jennifer Quinn-Barabanov asks whether the Seventh Circuit has stuck a fork in the data breach class action tactic of offering full damages to the named plaintiff.

Jon Sallet reviews the remarkable success of the Obama Justice Department in challenging mergers in court and argues that it’s likely to continue, if not with the same frequency.

Michael Vatis and I pan Justice Kennedy’s gassy ode to the “Cyber Age” in Packingham v. North Carolina, an opinion that is sure to be cited far more often for its overblown dicta than for its unsurprising holding.

Speaking of the Court, the Solicitor General is seeking review of the Microsoft Ireland case.  Michael and I assess the odds of an affirmance.

Meanwhile, Maury Shenk reports, European angst over the internet continues to force the pace of government action.  Despite a leak revealing its spying on the US Government, Germany is doubling down, expanding law enforcement’s authority to hack suspects’ phones.   And the European Council is calling on Member States to prepare to impose sanctions in response to cyberattacks.

And where will those attacks come from?  Ask the Western IT companies that have recently been forced to disclose their source code to Russian intelligence agencies.  Strictly for cybersecurity purposes, naturally.

And LabMD has at last had a judicial hearing for its objections to the FTC’s handling of its data security case.  Michael and I agree:  it was such a bad day for the FTC that the Commission’s decision to override its own ALJ opinion now looks like hubris of the first order.

And, finally, we cover the equally hubristic decision of some CIA staff to demonstrate their hacker cred by spoofing the Agency’s snack machines.  It may be some consolation to them in unemployment that their exploit was pretty clever.  Or, who knows, maybe they’ve been brought back to help the agency implant the Kremlin’s snack machines.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-171.mp3
Category:general -- posted at: 7:22pm EDT

This week’s episode is a news roundup without interview.  We lead with the Senate’s overwhelming adoption of unexpectedly tough Russia sanctions along with the Iran sanctions bill.  The mainstream press has emphasized that the bill will lock the Obama sanctions into legislation, but Anthony Rapa explains that the bigger story is just how tough the bill will be on investors in Russia’s energy sector, including European and other third-country firms.  This is going to put heavy pressure on the House and its Republican majority, where enthusiasm for punishing Russia has been more tepid.

In other legislative news, the Freedom Caucus has announced that it doesn’t know what it wants from 702 renewal, but it wants something.  At least that’s how I read the Caucus’s two sentence press release on Section 702 renewal.  In its entirety, the release says, “Government surveillance activities under the FISA Amendments Act have violated Americans’ constitutionally protected rights.  We oppose any reauthorization of the FISA Amendments Act that does not include substantial reforms to the government’s collection and use of Americans’ data.” In a rare show of Cyberlaw podcast consensus, Michael Vatis agrees.

Meanwhile, NSA and GCHQ are now linking WannaCry to North Korea.  The bad news is that North Korea is bringing the same spirit to cyberattacks that it has brought to nukes and missiles.  The good news is that the North Koreans are still bad at cyberattacks.  But they were bad at nukes and missiles once as well.

And we circle back to put the boot in on Reality Winner – the self-proclaimed “pretty, white, and cute” dingbat who leaked an NSA memo on Russia’s election hacking to the Intercept, which then managed to match her opsec cluelessness with its own.  

The export of exploits for internal security purposes is getting plenty of press, as the BBC goes after exports from Denmark to the Arab world while the New York Times exposes misuse of exploits to compromise critics of the Mexican government

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-170.mp3
Category:general -- posted at: 4:47pm EDT

In the news roundup, Benjamin Wittes makes a cameo appearance, defending Jim Comey (but not the FBI) from my suggestion that leaking has a long and unattractive history at the FBI.  Brian Egan takes us deep on federal records law.

Next, Ben actually finds himself to my right as we try to negotiate a quick resolution to the growing impasse over section 702.

I will never live it down. Nor will Ben.

Maury Shenk explains what the UK election means for tech.  Who knew?  The Unionists actually have a tech platform.

Maury and Brian muse on what the Qatar crisis tells us about cyberattacks – they may turn out to be much more effective as short-term one-offs than as sustained campaigns.

China has found a way to use its new cybersecurity law — to investigate Apple, naturally.  A better target would be the Chinese company Rafotech, which has installed something that looks a lot like spyware on 250 million machines.  I’ll be at the Irish government’s Data Protection Summit later this week, and I’ll be asking why the EU is wasting its human rights capital on fights with the US instead of China.

Finally, we cover Ukraine’s unusual new sanctions aimed at Russian social media companies, which are also Ukraine’s main social media companies?  No doubt there are censorship issues lurking in that program, but I can’t help wondering why human rights groups are riding the first amendment to the rescue of companies that dance to Vladimir Putin’s tune.

To close the episode, I interview Ben Buchanan, Fellow of the Cyber Security Project at the Harvard Kennedy School of Government.  I challenge the thesis of his book, The Cyber Security Dilemma: Hacking, Trust and Fear, and he holds up under the challenge pretty well.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-169.mp3
Category:general -- posted at: 6:05pm EDT

Episode 168 features the Tinkers-to-Evers-to-Chance of global censorship, as Filipino contractors earning minimum wage delete posts in order to satisfy US tech companies who are trying to satisfy European governments.  In addition to Maury Shenk, our panel of interlocutors includes David Sanger, Chief Washington Correspondent for The New York Times, and Karen Eltis, Professor of Law at the University of Ottawa. Even if you think that reducing Islamic extremist proselytizing online is a good idea, I conclude, that’s not likely to be where the debate over online content ends up.  Indeed, even today, controls on hate speech are aimed more at tweets that sound like President Trump than at extremist recruiting.  Bottom line:  no matter how you slice it, the first amendment is in deep trouble.

In other news, I criticize the right half of the blogosphere for not reading the FISA court decision they cite to show that President Obama was spying illegally at the end of his term. Glenn Reynolds, I’m talking about you!

The EU, in a bow to diplomatic reality, will not bother trying to improve the Safe Harbor deal it got from President Obama.  Instead, it will try to get President Trump to honor President Obama’s privacy promises. Good luck with that, guys!

Wikimedia’s lawsuit over NSA surveillance has been revived by the court of appeals, and I find myself unable to criticize the ruling.  If standing means anything, it seems as though Wikimedia ought to have standing to sue over surveillance; whether Wikimedia should be wasting our contributions on such a misconceived cause is a different question.

China’s cybersecurity law has mostly taken effect Maury explains how little we know about what it means.

Finally, David Sanger, in his characteristic broad-gauge fashion, is able to illuminate a host of cyber statecraft topics: whether the North Koreans are getting better at stopping cyberattacks on their rocket program; how good a job did Macron really did in responding to Russian doxing attempt; and what North Korean hackers are up to in Thailand.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-168.mp3
Category:general -- posted at: 2:02pm EDT

 

Episode 167 sees blockchain take over the podcast again.  With Stewart traveling, Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and digital currency.  Our guest is Meltem Demirors, Director of Development at Digital Currency Group.  Podcast regular Maury Shenk joins members of Steptoe’s Blockchain and Digital Currency Practice, including financial regulation practitioner Matt Kulkin, tax guru Cameron Arterton, and author of several recent smart contracts blog posts Jared Butcher, in breaking down the current state of affairs in the blockchain world.

Our episode begins by looking at the brewing controversy in the tax world.  Cameron skillfully takes us through IRS Notice 2014-21, which provided initial guidance for how virtual currencies would be treated for tax purposes, as well as the charmingly-named TIGTA Virtual Currency Report, released in September 2016, which told the IRS that it hadn’t done much beyond issuing this guidance to flesh out what it actually meant to consumers and businesses.  The IRS responded with the notorious Coinbase Summons, a John Doe summons that requested records of over 500,000 Coinbase subcribers.  Needless to say, this led to Coinbase users challenging the summons in court and moving to quash, while Congressional leaders question the wisdom of the IRS summons.  Cameron and Alan consider this an opportune moment for the IRS to work with the industry to develop additional guidance.

We then take on the emerging phenomenon of token sales, nicknamed Initial Coin Offerings or ICOs.  Matt and Alan tell us what in the world this is, how token sales work, and some of the legal challenges, including whether ICOs constitute sales of securities under the Howey test and the question of fiduciary duties.  Matt and Alan conclude that ICOs can vary significantly from each other and that ultimately virtual currencies and tokens may simply be a new asset class.

Steptoe has done a lot of writing lately on smart contracts, and Jared takes us through several recent Steptoe Blockchain Blog posts on reasons to put an arbitration clause in your company’s smart contracts, tips for drafting arbitration clauses in smart contracts, and best practices for limiting liability arising from smart contract vulnerabilities. Jared and Alan discuss the new approach companies need to take in considering issues like dispute resolution and liability limitations in the context of smart contracts.

We then go across the pond to Europe, where Maury gives us the status of the delayed EU proposal to extend AML regulation to virtual currencies.  Maury predicts that the legislation will pass this year forcing companies that provide virtual currency related services, such as exchanges and wallets, to comply with very burdensome requirements.

Finally, in the lightning round, Alan tells us about the recent surge in the price of bitcoin and other cryptocurrencies; Matt tell us about the future of leadership at the Commodity Futures Trading Commission and gives us an update on the Office of the Comptroller of the Currency’s proposed Fintech Charter, including a lawsuit by state regulators to head off this initiative.

In our interview, Meltem takes us through the current landscape of virtual currencies, including DCG’s recent launch of blockchain accelerator DCG Connect.  Meltem tells us about the current state of play for blockchain use cases and blockchain companies, and gives her thoughts on the ICO craze.  Meltem shares her thoughts on what she thinks are the most interesting things that she sees coming in the future, and she tells us what we should be looking for as signals that we’ve moved to the next stage of technical adoption of blockchain technology.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-167.mp3
Category:general -- posted at: 11:37am EDT