Steptoe Cyberlaw Podcast (general)

This week’s episode is a news roundup without interview.  We lead with the Senate’s overwhelming adoption of unexpectedly tough Russia sanctions along with the Iran sanctions bill.  The mainstream press has emphasized that the bill will lock the Obama sanctions into legislation, but Anthony Rapa explains that the bigger story is just how tough the bill will be on investors in Russia’s energy sector, including European and other third-country firms.  This is going to put heavy pressure on the House and its Republican majority, where enthusiasm for punishing Russia has been more tepid.

In other legislative news, the Freedom Caucus has announced that it doesn’t know what it wants from 702 renewal, but it wants something.  At least that’s how I read the Caucus’s two sentence press release on Section 702 renewal.  In its entirety, the release says, “Government surveillance activities under the FISA Amendments Act have violated Americans’ constitutionally protected rights.  We oppose any reauthorization of the FISA Amendments Act that does not include substantial reforms to the government’s collection and use of Americans’ data.” In a rare show of Cyberlaw podcast consensus, Michael Vatis agrees.

Meanwhile, NSA and GCHQ are now linking WannaCry to North Korea.  The bad news is that North Korea is bringing the same spirit to cyberattacks that it has brought to nukes and missiles.  The good news is that the North Koreans are still bad at cyberattacks.  But they were bad at nukes and missiles once as well.

And we circle back to put the boot in on Reality Winner – the self-proclaimed “pretty, white, and cute” dingbat who leaked an NSA memo on Russia’s election hacking to the Intercept, which then managed to match her opsec cluelessness with its own.  

The export of exploits for internal security purposes is getting plenty of press, as the BBC goes after exports from Denmark to the Arab world while the New York Times exposes misuse of exploits to compromise critics of the Mexican government

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-170.mp3
Category:general -- posted at: 4:47pm EDT

In the news roundup, Benjamin Wittes makes a cameo appearance, defending Jim Comey (but not the FBI) from my suggestion that leaking has a long and unattractive history at the FBI.  Brian Egan takes us deep on federal records law.

Next, Ben actually finds himself to my right as we try to negotiate a quick resolution to the growing impasse over section 702.

I will never live it down. Nor will Ben.

Maury Shenk explains what the UK election means for tech.  Who knew?  The Unionists actually have a tech platform.

Maury and Brian muse on what the Qatar crisis tells us about cyberattacks – they may turn out to be much more effective as short-term one-offs than as sustained campaigns.

China has found a way to use its new cybersecurity law — to investigate Apple, naturally.  A better target would be the Chinese company Rafotech, which has installed something that looks a lot like spyware on 250 million machines.  I’ll be at the Irish government’s Data Protection Summit later this week, and I’ll be asking why the EU is wasting its human rights capital on fights with the US instead of China.

Finally, we cover Ukraine’s unusual new sanctions aimed at Russian social media companies, which are also Ukraine’s main social media companies?  No doubt there are censorship issues lurking in that program, but I can’t help wondering why human rights groups are riding the first amendment to the rescue of companies that dance to Vladimir Putin’s tune.

To close the episode, I interview Ben Buchanan, Fellow of the Cyber Security Project at the Harvard Kennedy School of Government.  I challenge the thesis of his book, The Cyber Security Dilemma: Hacking, Trust and Fear, and he holds up under the challenge pretty well.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-169.mp3
Category:general -- posted at: 6:05pm EDT

Episode 168 features the Tinkers-to-Evers-to-Chance of global censorship, as Filipino contractors earning minimum wage delete posts in order to satisfy US tech companies who are trying to satisfy European governments.  In addition to Maury Shenk, our panel of interlocutors includes David Sanger, Chief Washington Correspondent for The New York Times, and Karen Eltis, Professor of Law at the University of Ottawa. Even if you think that reducing Islamic extremist proselytizing online is a good idea, I conclude, that’s not likely to be where the debate over online content ends up.  Indeed, even today, controls on hate speech are aimed more at tweets that sound like President Trump than at extremist recruiting.  Bottom line:  no matter how you slice it, the first amendment is in deep trouble.

In other news, I criticize the right half of the blogosphere for not reading the FISA court decision they cite to show that President Obama was spying illegally at the end of his term. Glenn Reynolds, I’m talking about you!

The EU, in a bow to diplomatic reality, will not bother trying to improve the Safe Harbor deal it got from President Obama.  Instead, it will try to get President Trump to honor President Obama’s privacy promises. Good luck with that, guys!

Wikimedia’s lawsuit over NSA surveillance has been revived by the court of appeals, and I find myself unable to criticize the ruling.  If standing means anything, it seems as though Wikimedia ought to have standing to sue over surveillance; whether Wikimedia should be wasting our contributions on such a misconceived cause is a different question.

China’s cybersecurity law has mostly taken effect Maury explains how little we know about what it means.

Finally, David Sanger, in his characteristic broad-gauge fashion, is able to illuminate a host of cyber statecraft topics: whether the North Koreans are getting better at stopping cyberattacks on their rocket program; how good a job did Macron really did in responding to Russian doxing attempt; and what North Korean hackers are up to in Thailand.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-168.mp3
Category:general -- posted at: 2:02pm EDT

 

Episode 167 sees blockchain take over the podcast again.  With Stewart traveling, Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and digital currency.  Our guest is Meltem Demirors, Director of Development at Digital Currency Group.  Podcast regular Maury Shenk joins members of Steptoe’s Blockchain and Digital Currency Practice, including financial regulation practitioner Matt Kulkin, tax guru Cameron Arterton, and author of several recent smart contracts blog posts Jared Butcher, in breaking down the current state of affairs in the blockchain world.

Our episode begins by looking at the brewing controversy in the tax world.  Cameron skillfully takes us through IRS Notice 2014-21, which provided initial guidance for how virtual currencies would be treated for tax purposes, as well as the charmingly-named TIGTA Virtual Currency Report, released in September 2016, which told the IRS that it hadn’t done much beyond issuing this guidance to flesh out what it actually meant to consumers and businesses.  The IRS responded with the notorious Coinbase Summons, a John Doe summons that requested records of over 500,000 Coinbase subcribers.  Needless to say, this led to Coinbase users challenging the summons in court and moving to quash, while Congressional leaders question the wisdom of the IRS summons.  Cameron and Alan consider this an opportune moment for the IRS to work with the industry to develop additional guidance.

We then take on the emerging phenomenon of token sales, nicknamed Initial Coin Offerings or ICOs.  Matt and Alan tell us what in the world this is, how token sales work, and some of the legal challenges, including whether ICOs constitute sales of securities under the Howey test and the question of fiduciary duties.  Matt and Alan conclude that ICOs can vary significantly from each other and that ultimately virtual currencies and tokens may simply be a new asset class.

Steptoe has done a lot of writing lately on smart contracts, and Jared takes us through several recent Steptoe Blockchain Blog posts on reasons to put an arbitration clause in your company’s smart contracts, tips for drafting arbitration clauses in smart contracts, and best practices for limiting liability arising from smart contract vulnerabilities. Jared and Alan discuss the new approach companies need to take in considering issues like dispute resolution and liability limitations in the context of smart contracts.

We then go across the pond to Europe, where Maury gives us the status of the delayed EU proposal to extend AML regulation to virtual currencies.  Maury predicts that the legislation will pass this year forcing companies that provide virtual currency related services, such as exchanges and wallets, to comply with very burdensome requirements.

Finally, in the lightning round, Alan tells us about the recent surge in the price of bitcoin and other cryptocurrencies; Matt tell us about the future of leadership at the Commodity Futures Trading Commission and gives us an update on the Office of the Comptroller of the Currency’s proposed Fintech Charter, including a lawsuit by state regulators to head off this initiative.

In our interview, Meltem takes us through the current landscape of virtual currencies, including DCG’s recent launch of blockchain accelerator DCG Connect.  Meltem tells us about the current state of play for blockchain use cases and blockchain companies, and gives her thoughts on the ICO craze.  Meltem shares her thoughts on what she thinks are the most interesting things that she sees coming in the future, and she tells us what we should be looking for as signals that we’ve moved to the next stage of technical adoption of blockchain technology.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-167.mp3
Category:general -- posted at: 11:37am EDT

In episode 166, we interview Kevin Mandia, the CEO and Board Director of FireEye, an intelligence-led security company.  FireEye recently outed a new cyberespionage actor associated with the Vietnamese government.  Kevin tells us how FireEye does attribution and just how good the Vietnamese are (short answer:  surprisingly good but apparently small in scale).  Along the way, we also cover questions such as whether China has its own set of forensic cybersecurity firms, how confident we should be about the attribution of WannaCry to North Korea, and whether PLA Unit 61398 should treat its designation as APT1 as a prestige designation, sort of like having “bob@microsoft” as your email address.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Direct download: SteptoeCyberlawPodcast-166.mp3
Category:general -- posted at: 10:09am EDT

Episode 165 is a WannaCry Festivus celebration, as The Airing of Grievances overtakes The Patching of Old Machines. Michael Vatis joins me in identifying all the entities who’ve been blamed for WannaCry, starting with Microsoft for not patching Windows XP until after the damage was done.  (We exonerate Microsoft on that count.)

Another candidate for WannaCry Goat of the Year is (of course) NSA for allegedly letting a powerful hacking tool fall into the hands of the Shadow Brokers, who released it in time for WannaCry’s authors to drop it into their worm. Private industry’s fingerpointing at NSA has led to introduction of the PATCH Act, which tries to institutionalize (and tilt) the vulnerability equities process.  I raise a caution flag about trying to prevent harmful vulnerability leaks by spreading information about the vulnerabilities to a new batch of civilian agencies.  I also ask whether a rational equities process should require that companies  get the benefit of the process only if they agree to patch their products promptly and if they cooperate to the extent possible with law enforcement rather than forcing agencies to hack their products just to carry out lawful searches.  Somehow I’m guessing that will cool Silicon Valley’s enthusiasm for the whole idea.

Meanwhile, Shadow Brokers, widely thought to be Russian intelligence, may be having an equally awkward Festivus celebration with their masters, since the exploit they released seems to be causing more widespread discomfort in Russia than in the West, probably because of Russia’s high usage of unpatched pirate software.

The North Koreans should be on the carpet as well, since there is increasing reason to believe that WannaCry was a mostly failed effort by Kim Jong Un to raise money through cybercrime. The worm seems to have collected only $100 thousand in bitcoin for its authors, and the worst of its impact was likely felt in China, the world capital of pirated unpatched software.  Since North Korea seems to rely on China’s internet infrastructure to launch and control its cyberattacks, launching one that mainly hurts its host is typically shortsighted.

Finally, the victims don’t escape blame. The SEC unveiled its latest criticism of private sector security practices in the financial industry as the WannaCry publicity reached a peak.

Meanwhile, our own Jon Sallet joins the Oliver-Pai debate on net neutrality, and through the magic of radio, he is able to coffee-cup-shame both of them.  (Sound effects credit to www.zapsplat.com.)  As an encore, Jon explains why the European Commission fined Facebook $122 million over its acquisition of WhatsApp – without undoing the deal.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Episode_165.mp3
Category:general -- posted at: 10:48am EDT

With our sound system back online, episode 163 is already a big step up from Lost Episode 162.  (Transcripts of 162 are available for those who wish by sending email to CyberlawPodcast@steptoe.com.)

Our interview is with Susan Munro, of Steptoe’s Beijing office.  Susan unwinds the complex spool of cyberlaw measures promulgated by the Chinese government.

In the news, Maury Shenk and I note that Putin reran his U.S. playbook in the French election, but the French were ready for him.  Indeed, what we originally thought to be crude Russian forgeries may actually be Macron “honey docs” meant to look like crude Russian forgeries. If so, my hat is off to Macron’s I.T. team. 

Meanwhile, Jennifer Quinn-Barabanov spots a new trend in cybersecurity litigation.  It’s nuts, but that’s not the new part.

The intelligence community’s latest transparency report reveals a shocking stat about “backdoor” FBI searches of 702 for criminal cases.  The bureau did that all of … one time.  Those who want to clog our security services with ever more burdensome processes are going to have to find a bigger scandal.  

The Republicans complaining about Susan Rice and “unmasking” can find more to work with in the report. Turns out that Americans were identified in masked or unmasked form in about 4000 reports last year, but by the time the report writers and the intelligence consumers were done, about 3000 reports had seen their Americans unmasked. With numbers like that, if the issue hadn’t been raised first by Republicans, every newspaper in America would be calling for an investigation of unmasking standards.

Okay, this is getting embarrassing.  The White House has now spent more time drafting a cyber EO calling for urgent reports from the departments than it’s giving the departments to write the urgent reports.  And so far, as Alan Cohn points out, all we have to show for it is … another leaked draft.

Jennifer explains why the latest Home Depot settlement is both good and bad for the plaintiffs’ bar. 

Alan dives deep for substance in the White House’s EO creating an American Tech Council.  He comes up empty.  The EO is purely procedural.

Maury explains the UK’s draft surveillance obligations, concluding there’s not much new in them.  And Germany’s intelligence service is complaining both about Russian hacking and about its lack of authority to, uh, hack back to destroy third party servers.  Chris Painter, call your office!

Alan tells us that DHS cybersecurity did pretty well in budget deal, but only if your point of comparison is EPA’s budget. 

At least DHS is making the right enemies.  Jennifer explains DHS backpedaling on the privacy rights of non-Americans.  And Alan and I flag the ABA’s interest in border searches of lawyers’ electronics.

Finally, in cybersecurity news, the Guardian plays the world’s smallest violin for billionaire superyacht owners, and the recent defeat of a common form of two-factor authentication will put new cybersecurity pressure on SS7.   

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-163.mp3
Category:general -- posted at: 4:52pm EDT

In this episode, I debate Michael Schmitt, a prime mover in two Talinn Manuals on international law and cyber operations. We are joined by an expert on the topic and a new Steptoe partner, Brian Egan, who was formerly the State Department legal adviser, among other accomplishments. And among the hypotheticals is indeed a DDOS attack on the United States by internet-enabled vibrators with unchangeable default passwords. Because, as the news roundup covers, the FTC may soon be wrestling with the question of how to regulate such security violations.

Meanwhile, Michael Vatis and I clash over the meaning of the NSA’s decision to abandon productive intelligence collection. I think it’s risk aversion and a return to September 10. Michael thinks it’s too early to make that judgment.

Stephanie Roy gives an overview of Ajit Pai’s plan to undo the last two Federal Communications Commissions’ net neutrality strategies.

Michael reports on two Silicon Valley giants who fell prey to $100 million (each) cyberscams. I wonder if this means that technologists will stop gloating that Snowden and Shadowbrokers show that only private companies can be trusted to do security right.

This week in news that isn’t news at all: The Russians who hacked Clinton are going after Emmanuel Macron in France, says Trend Micro.  

Finally, vigilante justice seems to be sweeping the internet, as the spousal spyware firm, Flexispy, is doxed, and Brickerbot starts securing insecure IOT devices the hard way—by bricking them.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-162.mp3
Category:general -- posted at: 4:55pm EDT

In this episode, Alan Cohn and Maury Shenk look at questions in Europe and elsewhere in Stewart’s absence. Maury delves into why Google was ordered to turn over foreign data accessible from U.S., a decision that seems at odds with the Microsoft Ireland case. Alan considers claims made by David Sanger and William Broad in The New York Times that U.S. blew up North Korea’s most recent missile test, and Jeffrey Lewis’s rebuttal in Foreign Policy.  Alan and Maury both remain skeptical.

Leaving the Korean peninsula, Maury discusses the current effort by EU data protection regulators to enact e-privacy regulations that would, among other things, put in place detailed standards for location tracking and content associated with metadata.  No surprises, but potentially more headaches for US industry.   And back on U.S. soil, Alan comments on the U.S. Justice Department’s apparent decisions to reconsider criminal charges against Wikileaks for the CIA cyber-tools leak.  Maury provides some color on the Trump Administration’s (lack of) views on Privacy Shield.

Finally, Alan reviews the bidding on dual-use export controls and cyber technologies, explaining both the most recent negotiations under the Wassenaar Arrangement and the EU’s efforts to amend its dual-use export controls to include cyber-surveillance technologies. 

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-161.mp3
Category:general -- posted at: 2:16pm EDT

This week the podcast features an extended news roundup with two guest commentators—Julian Sanchez of the Cato Institute and Gus Hurwitz of Nebraska Law School.  

We talk about the latest, mostly overhyped, Shadowbrokers dump, and whether Google Translate can be taught to render plain text into Shadowbrokerese as well as Klingon.

Stephanie Roy kicks off speculation about the future of net neutrality in the Pai FCC. The future looks bright for litigators.

Abbott Labs takes a short but brutal session in the woodshed from the FDA. Looks like Abbott’s now-subsidiary, St. Jude Medical, knew for years that its backdoor could be found by outsiders, but it stuck to the view that hardcoded access was a feature not a bug. Too bad Uber has already trademarked the name, because if ever there were a feature that deserved to be called “God mode,” this is it.

Burger King triggers a technical battle with Google and an editing war with Wikipedia with a commercial that begins, “Okay, Google, what’s a Whopper burger?” But, law nerds that we are, all we can talk about is whether Burger King is liable under the Computer Fraud and Abuse Act.  

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: SteptoeCyberlawPodcast-160.mp3
Category:general -- posted at: 12:00pm EDT