Steptoe Cyberlaw Podcast (general)

Bonus Episode 78: Dmitri Alperovitch, Harvey Rishikof, Stewart Baker, and Melanie Teplinsky debate whether the United States should start doing commercial espionage. 

I know, I know, we promised that the Cyberlaw Podcast would go on hiatus for the month of August.  But we also hinted that there might be a bonus episode.  And here it is, a stimulating panel discussion sponsored by the Atlantic Council and moderated by Melanie Teplinsky.  The topic is whether the United States should abandon its longstanding policy of refusing to steal the commercial secrets of foreigners to help American companies compete.  The discussion is lively, with plenty of disagreements and an audience vote at the start and finish of the discussion to gauge how persuasive we were.  Enjoy!


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Episode_78.mp3
Category:general -- posted at: 11:13am EDT

Our guest for episode 77 is Bruce Andrews, the deputy secretary of the Commerce Department. Alan Cohn and I pepper Bruce with questions about export controls on cybersecurity technology, stopping commercial cyberespionage, the future of the NIST cybersecurity framework, and how we can get on future cybersecurity trade missions, among other things.

In the news roundup, Alan and I puzzle over the administration’s reluctance to blame China for its hacks of US agencies.

The furor over cybersecurity export controls continues unabated, with a couple of hundred hostile comments filed and Congress beginning to stir. Alan Cohn fills us in.

The UK high court ruling on data retention makes history but maybe only the most evanescent of law. Alan and I discuss whether the ruling will resemble Marbury v. Madison in more ways than one.

France finalizes expansion of surveillance. Bush administration figures come out against back doors. Cyberweek begins and, the cyber left hopes, ends without progress on CISA.

This Week in Prurient Cybersecurity: The first Ashley Madison subscriber is outed. And he’s Canadian. Looks like the nights really are longer up there. Ottawa apparently leads the world in percentage of would-be adulterers, followed by Washington, DC. No further comment seems necessary.

And Bloomberg says that the Chinese attempt to build a database on Americans didn’t begin with OPM or Anthem, but with the compromise of travel databases two years ago.

This time, Alan hints, the FTC may throw away the key, as it once again takes action against LifeLock. And the Seventh Circuit wades into the debate over how much harm a data breach plaintiff must suffer to have standing to sue.


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_77.mp3
Category:general -- posted at: 3:37pm EDT

Episode 76 of the podcast features the power couple of privacy and cybersecurity, Peter Swire and Annie Antón, both professors at Georgia Institute of Technology. I question them on topics from the USA FREEDOM Act to the enduring gulf between writing law and writing code. 

In the news roundup, as our listeners have come to expect, we do indeed return to our recurring feature, This Week in Prurient Cybersecurity, with a riff on the Ashley Madison hack. But you’ll have to wait until the end, when we’re loosened up. 

We begin more soberly, with Jason Weinstein and Michael Vatis covering the courts’ mopping up after passage of the USA FREEDOM Act. The DC Circuit has received supplemental briefs on Section 215, and the ACLU is leading the hopeless charge against the 215 program in the Second Circuit.

The Hacking Team doxxing draws attention to the risk involved in hiring hackers. When they’re disgruntled, they don’t just slam the door on the way out. Still, Alan Cohn and I can’t help but be fascinated by the Hacking Team proposal to use drones to hover over the target, intercepting his Wi-Fi connection.

In regulatory news, Alan Cohn and Jason Weinstein discuss the FERC’s revisions to the CIP cybersecurity requirements, with a focus on supply chain practices, and a Boston hospital’s settlement of HIPAA charges, prompting me to ask whether HHS’s Office of Civil Rights is the most hypocritically aggressive privacy regulator in government.

Russia’s Right to Be Forgotten law is signed, after further tweaks. And Google announces that it has officially tipped more than one million links into the dustbin of history.

I respond to listener feedback by walking back my mockery of Tony Scott’s “TLS Everywhere” initiative, noting that it might have some modest security benefits after all. Instead of “privacy theater” perhaps I should have called it a “privacy skit.” And as attribution gets better, so does the temptation to fly false flags. It looks as though the Russians will pioneer this particular development, attacking US sites under the nom de guerre of the Cyber Caliphate. And the US government response to the Russian attacks? A predictable silence.


As always, send your questions and suggestions for interview candidates to If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_76.mp3
Category:general -- posted at: 4:29pm EDT

Bitcoin and the blockchain – how do they work and what do they mean for financial and government services and for consumers? And who holds massive stores of bitcoin that can’t be spent without solving one of the great financial mysteries of our time? Our guest for episode 75 is Michael Casey, former senior columnist for the Wall Street Journal and – as of last week – senior advisor at the MIT Media Lab’s Digital Currency Initiative. Michael is also the author, along with his former Wall Street Journal colleague Paul Vigna, of The Age of Cryptocurrency:  How Bitcoin and Digital Money Are Challenging the Global Economic Order. Alan Cohn and Jason Weinstein interview him about bitcoin and its underestimated enabling technology, the blockchain.

In the news roundup, Meredith Rathbone, Alan Cohn, and I dive into the Commerce Department’s sweeping proposal for new regulation of the cybersecurity industry under the Wassenaar arrangement. With comments due on July 20, security companies are beginning to identify a host of unintended regulatory consequences.

The FBI and Justice Department had a surprisingly good week complaining about technologists’ deployment of ubiquitous unbreakable encryption. A group of cryptographers offered a contrary view, and I critiqued their position in the roundup and in a blog post.

Hacking Team was itself hacked, with its internal correspondence spread across the internet. One quick lesson: if anyone is expecting export controls to stop sales of hacking tools to repressive regimes, they aren’t paying attention to the Italian government’s licensing policies.

Finally, the right to be forgotten looks like a bad idea whose time has come. Jason doubts that Consumer Watchdog will succeed in smuggling the right to be forgotten into the FTC Act, perhaps because the act is already bulging at the seams. Canadian courts, in contrast, seem happy to impose their speech rules on Americans – whether or not Canadian courts have, you know, jurisdiction over the Americans.


As always, send your questions and suggestions for interview candidates to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Episode_75.mp3
Category:general -- posted at: 4:30pm EDT

Our guest commentator for episode 74 is Catherine Lotrionte, a recognized expert on international cyberlaw and the associate director of the Institute for Law, Science and Global Security at Georgetown University.  We dive deep on the United Nations Group of Government Experts, and the recent agreement of that group on a few basic norms for cyberspace.  Predictably, I break out in hives at the third mention of “norms” and default to jokes about “Cheers.”

In the news roundup, Michael Vatis and I sort through China’s ever-growing list of vague laws expressing determination to control technology for security purposes.  Jason Weinstein explains the FTC’s settlement with the makers of a stealthy digital currency mining app.  He and Michael also note the remarkably belated filing of a class action arising from the Anthem hack – and cast doubt on whether the class can be sustained.

Speaking of class actions, the OPM hack has also led to litigation.  All the Cyberlaw commentators are in the class, and none of us expect the litigation to succeed.  And speaking of the FTC, it has released new security guidance, a kind of Restatement of FTC Security Law, explaining just how wisely the FTC settled its 50-plus security cases.  I provide a quick update on the status of my FOIA lawsuit on behalf of Phil Reitinger, in which we try to find out what security standards the FTC is actually using to decide which companies are in violation of the law.

In NSA news, the Foreign Intelligence Surveillance Court says the Second Circuit’s opinion on NSA’s 215 metadata program was unpersuasive and mischaracterized the program.  In judicial circles, the trash talk doesn’t get much trashier.  Since this all becomes irrelevant when the program ends later this year, the FISC will likely have the last word.  And WikiLeaks is rolling out more alleged NSA docs, this time focusing on Germany and Brazil.  The documents don’t seem to be from Snowden, and WikiLeaks offers no provenance for them.  Hmm.  Maybe we ought to take another look at those stories claiming that WikiLeaks has been infiltrated by Russian intelligence.  

As always, send your questions and suggestions for interview candidates to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_74.mp3
Category:general -- posted at: 4:14pm EDT

Our guest for Episode 73 is Rob Knake, currently the Council on Foreign Relations Senior Fellow for Cyber Policy and formerly with DHS, the White House, and the Richard Clarke finishing school for cybersecurity policymakers. Rob and I are quickly embroiled in disagreement; as usual, I mock the cyberspace “norms” that Rob supports and disagree with his surprisingly common view that the US shouldn’t react strongly to Chinese hacking of the OPM database. But we come together to condemn the gobsmackingly limp US response to China’s attack on Github.

In the news roundup, Alan Cohn and Jason Weinstein explain attribution problems in the Cardinals-Astros hacking case. Somehow the Broncos also figure in the discussion.

Want to know why President Obama was foolish to promise he wouldn’t spy on the French President’s communications? The answer is supplied by WikiLeaks, which discloses that the last French President was caught trying to end run the United States on Palestinean issues. WikiLeaks of course thinks that shows American perfidy.

Google, meanwhile, fought the good fight to overcome a gag order and disclose an investigation of WikiLeaks soulmate Jake Applebaum. Most interesting item in the 300 pages of documents released by the Justice Department?

The Department’s hint that those who Twitter-bully tech companies over their transparency records may be engaged in witness intimidation.

And in a recurring feature, This Week in Prurient Cyberlaw, we unpack the surprisingly complex problem of how Google identifies and delinks revenge porn.


As always, send your questions and suggestions for interview candidates to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_73.mp3
Category:general -- posted at: 11:50am EDT

James Baker, General Counsel of the FBI, is our guest on this week’s podcast. He fearlessly tackles the FBI’s aerial surveillance capabilities, stingrays, “Going Dark,” encryption, and the bureau’s sometimes controversial attribution of cyberattacks.  But he prudently punts on the Hack of the Century, refusing to reveal details of the FBI investigation into the Houston Astros network intrusion.  


Direct download: Podcast_72.mp3
Category:general -- posted at: 11:22am EDT

Privacy advocates are embracing a recent report recommending that the government require bulk data retention by carriers and perhaps web service providers, exercise extraterritorial jurisdiction over data stored abroad, and expand reliance on classified judicial warrants. In what alternative universe is this true, you ask? No need to look far. That’s the state of the debate in our closest ally. The recommendations were given to the United Kingdom by an independent reviewer, David Anderson. He’s our guest for Episode 71 of the Cyberlaw Podcast, and he provides a refreshingly different perspective on surveillance policy, one that makes us realize that it’s U.S. civil libertarians, not the U.S. government, who are out of step with the world.

In the news roundup, I bring Edward Snowden back for one last time – the fifteenth time I’ve done that, Michael Vatis points out. This time it’s a British government leak claiming that both Russia and China have decrypted the entire corpus of Snowden’s stolen files – including the enormous number of files that have nothing to do with surveillance and everything to do with military operations.

The OPM hack has now reached Target status, Jason Weinstein argues. It’s not the first, it’s maybe not even the worst, but it’s a hack that has captured the country’s imagination in a way that earlier warnings did not. 

You might think that the OPM hack would show why information sharing is essential. But privacy advocates continue to hold CISA hostage to yet more protections for privacy. The 14 million government officials and former officials whose privacy has been grossly abused by the OPM hack will, I’m sure, thank Senators Mike Lee and Ron Wyden for their continued obstruction of government cybersecurity efforts. In the House, the likeminded Rep. Massie has again proposed an appropriations amendment that would put new limits on the most important part of NSA’s intelligence mission – overseas collection. His amendment passed the House but shows little prospect of surviving Senate review.

In a new feature, This Week in Self-Dealing, we review Jason’s recent op-ed on the New York bitcoin regulations and Alan Cohn’s op-ed on what’s wrong with government cybersecurity policy. We close with comments on the new, extensive, and probably ill-advised Connecticut breach and security law, plus new obstacles for Twitter’s “warrant canary” first amendment lawsuit.


As always, send your questions and suggestions for interview candidates to If you’d like to leave a message by phone, contact us at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_71.mp3
Category:general -- posted at: 2:37pm EDT

Our guest for Episode 70 of the Cyberlaw Podcast is Dan Kaminsky, a famous cybersecurity researcher who found and helped fix a DNS security flaw.  Dan is now the Chief Scientist at WhiteOps, but I got to know him in an unlikely-bedfellows campaign against SOPA because of its impact on DNS security. Dan and I spend most of the podcast disagreeing, largely about trust, Snowden, and security, but we do explore in detail the fact that, contrary to the Received Canon of Silicon Valley, end-to-end encryption is broken to improve security thousands if not millions of times a day by responsible corporate CISOs.  Dan also describes WhiteOps’s promising new take on identifying hackers and clickfraud on the internet.

In the news roundup, we bring back This Week in NSA for old times’ sake, highlighting the enactment of the USA FREEDOM Act and exploring its likely impact.  We mock Charlie Savage for his overwrought New York Times article claiming that NSA’s cybersecurity monitoring is a privacy issue. (We apologize to Julia Angwin, Jeff Larson, and Henrik Moltke, who shared Charlie’s byline; we’ll mock you next time, I promise.) NSA is apparently inspecting traffic from foreign sources for malware and other signatures and may also be spotting exfiltrated data as it leaves victims’ networks. Charlie and his coauthors call this “warrantless surveillance of Americans’ international Internet traffic.” Note to the New York Times:  a hacker sending me malware and stealing my files is a lot of things, but in the real world no one would call that my “international Internet traffic.”

Jason covers the broken settlement between MasterCard and Target arising from Target’s notorious Christmas 2013 breach.  And the Office of Personnel Management comes in for some well-earned criticism, not least for its lame offer of credit monitoring to the 4 million victims of what may be Chinese hacking. If it is the Chinese government, the one thing we probably don’t have to worry about is credit fraud, and given the flood of Chinese thefts of American personal data, the government needs to be giving victims better guidance about what to watch for.

Speaking of government failings, we talk about the supine US response to Putin’s trolls, even though they’re clearly testing tools to create panic and sow disinformation in the wake of a crisis in the United States. Even when they do it inside the United States, it appears that our only strategy is hope.

Michael talks about the Supreme Court ruling that will make the internet safe for violent revenge fantasies. And Jason explains the difference between the FBI’s encryption “Going Dark” campaign and the FBI’s CALEA “Going Dark” campaign:  They’re both DOA, but buried in different parts of the US Code.


As always, send your questions and suggestions for interview candidates to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_70.mp3
Category:general -- posted at: 10:55am EDT

Our guest for Episode 69 is Jason Brown, the Assistant to the Special Agent in Charge of the Cyber Intelligence Section at the U.S. Secret Service. We talk about the Secret Service’s Electronic Crimes Task Forces and their critical role in investigating data breaches affecting financial institutions, retailers and other companies. We also discuss how the Secret Service helps companies prepare for and mitigate their risk of an incident. We talk about issues that impact breach victims’ decisions about whether or how to engage with law enforcement and about how the relationship between law enforcement and Internet providers has changed in the post-Snowden world. Finally, we discuss how the changing jurisprudence relating to electronic searches is impacting the day-to-day conduct of criminal investigations.

In the news roundup, we discuss the dysfunction in the Senate that has led to the (temporary?) lapsing of the 215 program. We mull over the impact of Riley on the Sixth Circuit’s decision in a laptop search case. The DOJ Criminal Division talks about hackback, and Yahoo! faces class certification in an email scanning case. In our “prurient interest” feature, a database of Adult Friend Finder users is for sale online. And we weigh the possible impact of New York’s BitLicense regulations. Once again, Maury Shenk joins us to talk about developments in Europe, including new Dutch breach notification requirements, Skype’s efforts to push back against Belgian intercept law, and discussions about new EU cybersecurity rules that could have a significant impact on US providers.


As always, send your questions and suggestions for interview candidates to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_69.mp3
Category:general -- posted at: 2:48pm EDT