Wed, 2 March 2016
Due to technical difficulties, the interview for the 103rd episode will be released as a separate post next week. In the news roundup, we explore Apple’s brief against providing additional assistance to the FBI in its investigation of the San Bernardino killings. Michael Vatis finds good and bad in the brief – some entirely plausible arguments about burden mixed with implausible ones aimed more at the public than at the magistrate judge. I suggest that the burden argument may be weaker than it seems, both because the costs can be spread over many requests for assistance and because the accounting of work to be done feels “as padded as a no-bid government contract offer.” Which, now that the FBI has offered to pay Apple’s costs, is pretty much exactly what it is.
In other news, Michael and Jason Weinstein look at the California AG’s breach report, and its unlikely suggestion that the states adopt a unified approach to breach reporting. And I offer highlights and lowlights from the DHS guidelines for information sharing, shining particular light on a troubling proposal that some shared fields will have to be scrubbed by human beings before the information is passed on to at-risk sysadmins. In the words of Silicon Valley, human review doesn’t scale.
As always, the Cyberlaw Podcast welcomes feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.
Wed, 24 February 2016
What is the most surprising discovery a law firm partner makes when he jumps to the National Security Agency? I direct that and other questions at Glenn Gerstell, who has just finished six months in the job as General Counsel at the National Security Agency.
In the news roundup, we begin, of course, with the fight between Apple and the Justice Department. I open the discussion by reminding the audience that the war on terror cannot be a war on one of the world’s great religions and insisting that Apple remains a religion of peace. Michael Vatis describes the Justice Department’s latest filing, and we trade for deep discovery, not only at the FBI but also at Apple.
CFIUS has released its annual report – only eighteen months late – and the report shows continuing tough review standards from the Committee, Stephen Heifetz reports. There is no sign yet that Chinese acquisitions will experience a smoother ride in future.
Michael and I report on Google’s new effort to accommodate European data censors by geolocating users of google.com.
Finally, the judiciary is allowing defense lawyers to take a close look at the code used by the FBI to capture data about users of a child porn site seized by the Bureau.
Tue, 23 February 2016
The Second Annual Triple Entente Beer Summit again filled the Washington Firehouse loft with an audience at least as knowledgeable as the panel, which consisted of Ben Wittes, Shane Harris, Stewart Baker, Tamara Cofman Wittes, and Alan Cohn. The Triple Entente Beer Summit brings together members of the Lawfare, Rational Security, and the Steptoe Cyberlaw podcasts.
The topic of the day was the confrontation between Apple and the Justice Department over gaining access to the iPhone used by one of the terrorists responsible for the mass killing in San Bernardino, California. Suffice it to say that the podcast was not sponsored by Apple, nor will it be any time prior to the heat death of the universe.
We also dig into the Nitro Zeus story, claiming that in 2009 the United States prepared a massive cyberattack on Iran as an alternative to kinetic action in the event that nuclear talks failed and Iran began a nuclear breakout.
Finally, the panel explores the administration’s rekindled enthusiasm for CVE – countering violent extremism. We provide a definitive answer to the question, “Do we need more GS-14s tweeting on terrorism?” And Tamara Wittes challenges us to find the difference between late Obama and late Bush in the messaging department.
Then the audience takes over, greatly raising the tone of the podcast with a series of thoughtful questions for the panel.
It was a fine evening, and we look forward to another reunion soon.
As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
Tue, 9 February 2016
We devote episode 100 to “section 702” intelligence – the highly productive counterterrorism program that collects data on foreigners from data stored on US servers. What’s remarkable about the program is its roots: President Bush’s decision to ignore the clear language of FISA and implement collection without judicial approval. That decision has now been ratified by Congress – and will be ratified again in 2017 when the authority for it ends. But what does it say about the future of intelligence under law that our most productive innovation in intelligence only came about because the law was broken?
Our guest for the episode, David Kris, thinks that President Bush might have been able to persuade Congress to approve the program in 2001 if he’d asked. David may be right; he is a former Assistant Attorney General for National Security, the coauthor of the premier sourcebook on intelligence under law, “National Security Investigations & Prosecutions,” and the General Counsel of Intellectual Ventures. But what I find surprising is how little attention has been paid to the question. How about it? Is George Bush to FISA what Abraham Lincoln was to habeas corpus?
My interview with David leaves Lincoln to the history books and instead focuses entirely on section 702. David lays out the half-dozen issues likely to be addressed during the debate over reauthorization, including the risk that the legislation will attract efforts to limit overseas signals intelligence, now governed mainly by Executive Order 12333. He then pivots to the issues he thinks Congress should grapple with but probably won’t – from the growing ambiguity of location as a proxy for US citizenship to the failure of current intelligence law to adequately extract intelligence from the technologies that have emerged since 9/11, particularly social media and advertising technology.
In the news roundup, Maury Shenk and Michael Vatis take us deep into the US-EU agreement on “Privacy Shield” – a replacement for the Safe Harbor. The short version: there’s many a slip twixt cup and lip, but the EU has once again taken off the table its unenforceable threat to stop transatlantic data flows.
In other news, Michael and Alan explain how HIPAA became a divorce lawyer’s dream weapon.
The Brits, meanwhile, are lapping the United States in creative use of intelligence law. Maury and Michael explore how the UK proposes to bring the big webmail providers to heel.
I note the controversy at Berkeley over some garden-variety network monitoring, adopted in response to a serious health data breach. University academics are appalled to discover that protecting patient privacy might limit their ability to do what they want on university networks. HIPAA enforcers v. entitled academic lefties: all I ask is more popcorn.
Hey, remember Norse Security, the company that went to the press to say that the FBI was all wet when it attributed the Sony attack to North Korea? Well, Norse imploded last week, after a laid-off employee’s published criticisms were amplified by security blogger Brian Krebs. Choicest bit from the Norse co-founder’s post: the company “demonstrat[es] how today’s media can be manipulated by persons to suit their purposes or personal vendettas and how facts can be misrepresented to lead an entire industry astray.” Yep. You know what they say: Live by the flashy but inaccurate press report, die by the flashy but inaccurate press report.
Mon, 1 February 2016
Our guest is Amit Ashkenazi, whom I interviewed while in Israel. Amit is Legal Advisor of The Israel National Cyber Bureau and a former general counsel to Israel’s data protection agency. Israel is drafting its own cybersecurity act, and we discuss what if anything that country can learn from the US debate – and what the US can learn from Israel’s cybersecurity experience. We explore the challenges Israel will face in trying to start a new cybersecurity agency, how Israel strikes the balance between security and privacy, the risks of using contractors to staff a new agency, the danger of stating agency authorities with too much specificity, and why the agency is likely to look more like DHS than the FBI.
In the news roundup, I discuss the dynamics of the Safe Harbor talks with Maury Shenk, boldly predicting that the EU will cave on the remaining issues once it’s convinced the US means business.
Jason Weinstein and I talk about the Judicial Redress Act and the gratifying Senate Judiciary Committee amendment – an amendment that the EU must have seen as a bad sign for the future if the Safe Harbor talks fail. The Act is intended to facilitate the Justice Department’s “umbrella” agreement over data protection and law enforcement. We conclude that it is a largely one-sided set of concessions by the United States in return for an illusory “data peace in our time.” We nonetheless find a fine reason for the Obama administration to have accepted all these limits.
As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
Wed, 27 January 2016
If there really is another crypto war in Washington, then this week’s podcast features several war correspondents and at least one victim of PTSD. Our guest is Melanie Teplinsky, former cybersecurity lawyer at Steptoe, adjunct professor at American University’s Washington College of Law, advisory board member for Crowdstrike, and a regular columnist on privacy and security issues for the Christian Science Monitor.
We cover crypto news from Davos to the New York legislature. We also discuss my latest policy provocation, designed to unveil yet another example of European hypocrisy where privacy, data protection, and the United States are concerned. Inspired by the still-stalled Safe Harbor talks, I announce plans to award a Europocrisy Prize for filings that force European data protection authorities to assess the adequacy of surveillance law in important European trading partners who aren’t the United States, such as China, Russia, Saudi Arabia, and Algeria. Amazingly, in twenty years of bitter attacks on US privacy adequacy, that’s never been done.
We dig into several developments in the world of litigation. Michael Vatis and Alan Cohn discuss several new cases: a lawsuit claiming that fake emails should be covered by a forgery insurance policy, a hacked casino’s effort to recover from the security consultant that incorrectly told the casino its security problems had been solved, and a Minnesota decision that shoots down still more creative arguments for injury from the breach plaintiff’s bar.
Michael tells us why the FBI isn’t apologizing for running a child porn site for two weeks in order to catch pedophiles. And I predict with a bit of enthusiasm that the Senate Judiciary Committee will add more conditions to the Judicial Redress Act, as Congressional patience with Europocrisy begins to wear thin.
Finally, Alan reveals that the Obama administration has just created the worst Schedule C job in government.
Thu, 21 January 2016
Back for a rematch, John Lynch and I return to the “hackback” debate in episode 97, with Jim Lewis of CSIS providing color commentary. John Lynch is the head of the Justice Department’s computer crime section. We find more common ground than might be expected but plenty of conflict as well. I suggest that Sheriff Arpaio in Arizona may soon be dressing hackers in pink while deputizing backhackers, while Jim Lewis focuses on the risk of adverse foreign government reactions. We also consider when it’s lawful to use “web beacons” and whether trusted security professionals should be given more leeway to take action outside their customers’ networks. In response to suggestions that those who break into hacker hop points might be sued by the third parties who nominally own those hop points, I suggest that those parties could face counterclaims for negligence. We close with a surprisingly undogmatic discussion of Justice Department “no-action letters” for computer security practitioners considering novel forms of active defense.
In the news roundup, Alan Cohn and I consider whether Twitter should worry about being sued for providing material support to ISIS. Answer: Yes, at least a little. Tim Cook, too, for that matter.
Meredith Rathbone leads us through the Wassenaar wilderness, providing glimpses of a promised land. And Maury Shenk brings good news for sane corporate security programs from the unlikeliest of sources – the European Court of Human Rights.
I question the FTC’s judgment in imposing a fine and a consent decree on a dental software firm that wrote its own crypto.
Maury reports incremental progress on cybersecurity in the only law-writing process that makes Congress’s adoption of the Cyber Security Act look expeditious.
And in quick succession, I note NSA’s newly disclosed procedures for implementing the USA FREEDOM Act, Yahoo’s cheap settlement of an email surveillance suit, and a teenaged social hack that compromised accounts associated with Director of National Intelligence James Clapper.
Wed, 13 January 2016
How do you graduate as a conservative with two Harvard degrees? We learn this and much more from Sen. Tom Cotton (R-AR), our guest for episode 96. We dive deep with the Senator on the 215 metadata program and its USA FREEDOM Act replacement. We ask what the future holds for the 702 program, one of the most important counterterrorism programs and just entering yet another round of jockeying over renewal; Sen. Cotton has already come out in favor of making the program permanent. To round things out, Sen. Cotton assesses the risks of Going Dark for our intelligence community and the difficulties that the Safe Harbor negotiations pose for US intelligence.
In the news roundup, evidence mounts that someone has hacked the Ukrainian electric grid. Michael isn’t ready to point the finger at Russia yet; but I pretty much am. Whoever gets the blame, this probably means another aspirational cyberwar norm down the tubes.
In the United Kingdom, US tech firms are lobbying against a security bill, but Maury Shenk questions whether they’re mainly complaining about rules that are already part of UK law.
In the US, administration officials and Silicon Valley are happy talking about cooperation to discourage terrorist use of social media, but Michael isn’t sure what will come of the effort. I unveil a half-baked proposal to activate a Mom Squad, on the theory that the best weapon against radicalization of adolescents is letting their parents know what they’re up to. Michael reminds me that the government can’t tell Mom without getting a search warrant for private content, just as my daughter calls to say she’s been reading my blog and I need an intervention.
File this one in the bulging folder labeled “Privacy protects the privileged”: Volkswagen says it can’t comply with US government investigative demands because of the privacy of its employees – apparently including the privacy of employees who lied to US investigators. Maury and I explore VW’s data protection justifications, all of which seem, well, arguable.
And in short takes, as predicted, Justice wants to moot the Klayman/Leon victory over NSA. Meanwhile, NSA’s General Counsel makes his maiden public statement in Lawfare, and says a few things that the Cruz campaign will welcome. Defense counsel are making explosive charges against the FBI’s handling of a child porn investigation. And in the tastiest privacy irony of the week, the EU’s otherwise pointless “cookie notice” requirement turns out to be great news for malware distributors, if no one else. Where would we be without the steady hand of wise European data protection officials?
Finally, after weeks of cajoling, our listeners have come through. We have entries in the iTunes podcast reviews, and we’re averaging five stars. Many thanks!
Wed, 6 January 2016
We’re back from hiatus with a boatload of news and a cautiously libertarian technologist guest in Nick Weaver of the International Computer Science Institute in Berkeley. To start Episode 95 of the podcast, Michael Vatis and I plumb the meaning of the Cyber Security Act’s passage. The big news? Apparently Santa is real, state laws prohibiting employer access to social media credentials may have been preempted, at least a bit, and ISPs just got new authority to monitor traffic to find bits that threaten other people. Now if we could just find something useful to do with the defensive measures provision …
Maury and Michael note that the encryption debate just won’t stay dead, no matter how much Silicon Valley keeps pounding the stake into its heart. In addition to the FBI, tech companies are seeing a whole bunch of new eyes gleaming in the dark – China’s new security law, Pakistan’s fight with Blackberry, the new UK legislation, and Brazil’s shot across Whatsapp’s bow. In every case, government has crowded Silicon Valley hard for more cooperation on access to customer data – but without (quite) insisting on a built-in backdoor.
Speaking of governments, Michael tells us that regulators closed 2015 with a bang, with HIPAA, COPPA, and order-enforcement fines up to $100 million. And Alan points to the CFTC’s new testing rules, which I contend may have smuggled something close to strict security liability into the Federal Register.
Michael brings us up to date on the never-ending turmoil over what access in excess of authorization means under the CFAA. None of us are surprised that courts think it includes access in violation of a court order.
The interview with Nick Weaver explores the charms and evils of bulk surveillance, not to mention its inevitability. Nick analyzes the two Silicon Valley business models – which he shorthands as selling shiny stuff and selling people’s souls. (Guess which model he disapproves of.) Which leads us to the question of tracking terrorists as though we wanted to sell them beheading videos. Call it Son of 702. Which leads me to ask how soon it will be before the government blocks the sale of an online ad network to China on national security grounds.
Tue, 22 December 2015
With Wyndham’s surrender to the FTC after a brutal court of appeals opinion, the last outpost of resistance to the FTC’s cybersecurity agenda is Mike Daugherty, CEO of LabMD. Daugherty refused to take the easy road and enter into a consent decree with the FTC to settle its claim that the company’s security was insufficient because of a file-sharing program installed on the corporate network. That decision has cost Daugherty his company. LabMD has ceased operations. And it took him on an extraordinary odyssey through Washington that he has described in his book, The Devil Inside the Beltway, and speeches. I caught up with Mike at the Black Hat Executive Summit where we were both speakers, and he kindly agreed to a short interview describing some of that odyssey.
I offered the FTC equal time to offer their perspective. So far, they haven’t taken me up on the offer, but it remains open.