The Cyberlaw Podcast (general)

James Baker, General Counsel of the FBI, is our guest on this week’s podcast. He fearlessly tackles the FBI’s aerial surveillance capabilities, stingrays, “Going Dark,” encryption, and the bureau’s sometimes controversial attribution of cyberattacks.  But he prudently punts on the Hack of the Century, refusing to reveal details of the FBI investigation into the Houston Astros network intrusion.  

 

Direct download: Podcast_72.mp3
Category:general -- posted at: 11:22am EDT

Privacy advocates are embracing a recent report recommending that the government require bulk data retention by carriers and perhaps web service providers, exercise extraterritorial jurisdiction over data stored abroad, and expand reliance on classified judicial warrants. In what alternative universe is this true, you ask? No need to look far. That’s the state of the debate in our closest ally. The recommendations were given to the United Kingdom by an independent reviewer, David Anderson. He’s our guest for Episode 71 of the Cyberlaw Podcast, and he provides a refreshingly different perspective on surveillance policy, one that makes us realize that it’s U.S. civil libertarians, not the U.S. government, who are out of step with the world.

In the news roundup, I bring Edward Snowden back for one last time – the fifteenth time I’ve done that, Michael Vatis points out. This time it’s a British government leak claiming that both Russia and China have decrypted the entire corpus of Snowden’s stolen files – including the enormous number of files that have nothing to do with surveillance and everything to do with military operations.

The OPM hack has now reached Target status, Jason Weinstein argues. It’s not the first, it’s maybe not even the worst, but it’s a hack that has captured the country’s imagination in a way that earlier warnings did not. 

You might think that the OPM hack would show why information sharing is essential. But privacy advocates continue to hold CISA hostage to yet more protections for privacy. The 14 million government officials and former officials whose privacy has been grossly abused by the OPM hack will, I’m sure, thank Senators Mike Lee and Ron Wyden for their continued obstruction of government cybersecurity efforts. In the House, the likeminded Rep. Massie has again proposed an appropriations amendment that would put new limits on the most important part of NSA’s intelligence mission – overseas collection. His amendment passed the House but shows little prospect of surviving Senate review.

In a new feature, This Week in Self-Dealing, we review Jason’s recent op-ed on the New York bitcoin regulations and Alan Cohn’s op-ed on what’s wrong with government cybersecurity policy. We close with comments on the new, extensive, and probably ill-advised Connecticut breach and security law, plus new obstacles for Twitter’s “warrant canary” first amendment lawsuit.

 

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_71.mp3
Category:general -- posted at: 2:37pm EDT

Our guest for Episode 70 of the Cyberlaw Podcast is Dan Kaminsky, a famous cybersecurity researcher who found and helped fix a DNS security flaw.  Dan is now the Chief Scientist at WhiteOps, but I got to know him in an unlikely-bedfellows campaign against SOPA because of its impact on DNS security. Dan and I spend most of the podcast disagreeing, largely about trust, Snowden, and security, but we do explore in detail the fact that, contrary to the Received Canon of Silicon Valley, end-to-end encryption is broken to improve security thousands if not millions of times a day by responsible corporate CISOs.  Dan also describes WhiteOps’s promising new take on identifying hackers and clickfraud on the internet.

In the news roundup, we bring back This Week in NSA for old times’ sake, highlighting the enactment of the USA FREEDOM Act and exploring its likely impact.  We mock Charlie Savage for his overwrought New York Times article claiming that NSA’s cybersecurity monitoring is a privacy issue. (We apologize to Julia Angwin, Jeff Larson, and Henrik Moltke, who shared Charlie’s byline; we’ll mock you next time, I promise.) NSA is apparently inspecting traffic from foreign sources for malware and other signatures and may also be spotting exfiltrated data as it leaves victims’ networks. Charlie and his coauthors call this “warrantless surveillance of Americans’ international Internet traffic.” Note to the New York Times:  a hacker sending me malware and stealing my files is a lot of things, but in the real world no one would call that my “international Internet traffic.”

Jason covers the broken settlement between MasterCard and Target arising from Target’s notorious Christmas 2013 breach.  And the Office of Personnel Management comes in for some well-earned criticism, not least for its lame offer of credit monitoring to the 4 million victims of what may be Chinese hacking. If it is the Chinese government, the one thing we probably don’t have to worry about is credit fraud, and given the flood of Chinese thefts of American personal data, the government needs to be giving victims better guidance about what to watch for.

Speaking of government failings, we talk about the supine US response to Putin’s trolls, even though they’re clearly testing tools to create panic and sow disinformation in the wake of a crisis in the United States. Even when they do it inside the United States, it appears that our only strategy is hope.

Michael talks about the Supreme Court ruling that will make the internet safe for violent revenge fantasies. And Jason explains the difference between the FBI’s encryption “Going Dark” campaign and the FBI’s CALEA “Going Dark” campaign:  They’re both DOA, but buried in different parts of the US Code.

 

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_70.mp3
Category:general -- posted at: 10:55am EDT

Our guest for Episode 69 is Jason Brown, the Assistant to the Special Agent in Charge of the Cyber Intelligence Section at the U.S. Secret Service. We talk about the Secret Service’s Electronic Crimes Task Forces and their critical role in investigating data breaches affecting financial institutions, retailers and other companies. We also discuss how the Secret Service helps companies prepare for and mitigate their risk of an incident. We talk about issues that impact breach victims’ decisions about whether or how to engage with law enforcement and about how the relationship between law enforcement and Internet providers has changed in the post-Snowden world. Finally, we discuss how the changing jurisprudence relating to electronic searches is impacting the day-to-day conduct of criminal investigations.

In the news roundup, we discuss the dysfunction in the Senate that has led to the (temporary?) lapsing of the 215 program. We mull over the impact of Riley on the Sixth Circuit’s decision in a laptop search case. The DOJ Criminal Division talks about hackback, and Yahoo! faces class certification in an email scanning case. In our “prurient interest” feature, a database of Adult Friend Finder users is for sale online. And we weigh the possible impact of New York’s BitLicense regulations. Once again, Maury Shenk joins us to talk about developments in Europe, including new Dutch breach notification requirements, Skype’s efforts to push back against Belgian intercept law, and discussions about new EU cybersecurity rules that could have a significant impact on US providers.

 

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_69.mp3
Category:general -- posted at: 2:48pm EDT

Our guests for Episode 68 include Julian Sanchez, senior fellow at the CATO Institute where he studies issues at the busy intersection of technology, privacy, and civil liberties, with a particular focus on national security and intelligence surveillance. They also include the entire May meeting of ISSA- NOVA, which kindly invited the Cyberlaw Podcast to go walkabout once again. The audience provides useful feedback on several of the topics covered in this episode.

We begin with This Week in NSA.  And even though we had no idea how the Senate process would end up, neither it turns out did Majority Leader McConnell or anyone else. Our remarks on the Congressional dynamic remain as relevant now as when we made them, despite our intimations of obsolescence. We also cover an early judicial decision on insurance coverage for data breaches (subscription required), the US indictment of (another!) six Chinese economic espionage agents, and the personal data orphaned by Radio Shack’s bankruptcy.

More importantly, we seize on a flimsy pretext to revisit Max Mosley’s five-hour, five hooker sadomasochistic orgy (subscription required) and his self-defeating efforts to wipe it from the internet by threats of lawsuit. It turns out he’s now reached a settlement with Google. I speculate that perhaps we’ve misread Mosley all this time. Maybe he’s doing this because of the Streisand effect, not in spite of it. It’s like he wants the internet to punish him, or something …

Returning to serious coverage, we note that CCIPS and the Justice Department may be suffering from Baker Derangement Syndrome in the face of my defense of private cyber-investigation that goes beyond network boundaries. The Department’s latest effort involves persuading CSIS and a group of CISOs to join a draft paper that looks suspiciously like a DOJ brief in opposition to the Cyberlaw Podcast. And the supposed consensus among CISOs that’s identified in the paper breaks down quickly, rejected ten to one in an informal poll of the ISSA-NOVA audience.

Julian and I mix it up over the new, revived Crypto Wars, as I challenge the claim that building access to encryption systems is always a bad idea. That, I say, will come as news to all the network security administrators who access end-to-end TLS sessions on a routine basis because the security consequences of not “breaking” that crypto are worse than the corporate front door. He recommends that I ask Dan Kaminskyto comment on that statement, and since Dan will be a guest on the podcast soon, we’ll all get to hear his answer.

 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_68.mp3
Category:general -- posted at: 4:59pm EDT

Our guest for Episode 67 is Dan Geer, a legendary computer security commentator and current CISO for In-Q-Tel. We review Dan’s recommendations for improving computer security, including mandatory reporting of intrusions, liability for proprietary software, striking back at hackers – at least in some ways – and getting the government to purchase and fix vulnerabilities. We agree on the inherent foolishness of the Internet voting movement, but I disagree with Dan on the right to be forgotten, and I predict that net neutrality will lead to the opposite of what he wants – both more regulation of operators and more limits on what the operators are allowed to carry.

As with Bruce Schneier, I accuse Dan of a kind of digital Romanticism for advocating improbable personal defenses like using Tor for no reason, having multiple online identities, swapping affinity cards, and paying your therapist under an assumed name. But Dan makes me eat my words.

More from Dan can be found here, here, and here.

In the news roundup, we introduce Alan Cohn, yet another recent alumnus of the DHS Policy office now at Steptoe. We also revive This Week in NSA, pooling our collective inability to predict what the week will hold for the 215 metadata program. We muse about border laptop searches, questioning both DOJ’s choice of battleground and the ability of judges to withstand a PR campaign by the privacy lobby. We cover a FOIA case to find out if the FTC actually has security standards – a case filed by Phil Reitinger and Steptoe. The roundup ends with the plane-hacking case, the FBI’s Stingray guidance, and the first anniversary of the EU’s misbegotten Right to Be Forgotten.

 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_67.mp3
Category:general -- posted at: 12:15pm EDT

The Triple Entente Beer Summit was a great success, with an audience that filled the Washington Firehouse loft and a cast that mashed up Lawfare, Rational Security, and the Steptoe Cyberlaw Podcast.  We attribute the podcast’s freewheeling interchange to the engaged audience, our profound respect for each other, and, mostly, the beer. After a discussion of between the combined panels, we throw the event over to the audience, which demonstrates that we could have produced almost as good a program by randomly selecting audience members to appear on the panel with us.

 

Direct download: Triple_Entente_Beer_Summit.mp3
Category:general -- posted at: 7:03am EDT

Episode 65 would be ugly if it weren’t so much fun.  Our guest is Bruce Schneier, cryptographer, computer science and privacy guru, and author of the best-selling Data and Goliath – a book I annotated every few pages of with the words, “Bruce, you can’t possibly really believe this.” And that’s pretty much how the interview goes, as Bruce and I mix it up over hackbacks, whether everyone but government should be allowed to use Big Data tools, Edward Snowden, whether “mass surveillance” has value in fighting terrorism, and whether damaging cyberattacks are really infrequent and hard to attribute. We disagree mightily – and with civility.

The news roundup covers Congress’s debate over NSA and section 215. The House is showing a dismaying efficiency in moving bad bills while the Senate is mired in what may turn out to be more productive confusion (see, e.g., S. 1035 and S. 1123). 

We unpack the Supreme Court’s grant of certiorari in Spokeo.

A new and troubling development in cyber insecurity was demonstrated by the malware Cryptowall, which infected readers of the Huffington Post via ads for Hugo Boss, then encrypted the readers’ hard drives and held their data for ransom. We ask whether the ad networks or even the web publishers will eventually be held liable for transmitting the infected ads via HuffPo ads for Hugo Boss. The Senate Homeland Security Committee wrote a report on malvertising risks and liabilities last year that concludes with the view that liability couldn’t be established because none of the participants in the online advertising industry is directly responsible for the harm. I think the Senate Homeland Security committee has never litigated in the Eastern District of Texas.

In quick news, Goldman’s “Flash Boy” has been convicted again. The FCC says it doesn’t regulate Stingrays, except to require FBI approval for purchasers. The US and Japan deepen their cyber defense relationship, and Prime Minister Abe gets standing O for calling out (shh! Chinese) cybertheft of IP. And, DOJ releases cybersecurity guidance that is surprisingly good – but for what I call its fatally flawed view of hacking back (at least that’s what I meant when I called the authors “jackasses”).

 

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_65.mp3
Category:general -- posted at: 4:21pm EDT

Our guest for episode 64 of the Cyberlaw Podcast is Mary DeRosa, the chief lawyer for the National Security Council during the early years of the Obama Administration, and now a Distinguished Visitor at Georgetown University Law Center. We ask Mary to walk us through a hypothetical set of NSC meetings on the Sony breach and the US response, flagging the legal issues and offices that come to the table. She helps me unpack the differences between the use of force, countermeasures, and an armed attack – and confirms that I have no future at the State Department – an overdetermined outcome if ever there was one. It’s a great primer on the practical ways in which cyberconflict is lawyered (or, in my view, overlawyered). 

In the news roundup, I have to choose between defending the New York Times and defending Hillary Clinton. I choose Hillary, arguing that despite NYT innuendo the Russians aren’t dumb enough to pay tens of millions for a State Department “yes’ vote in CFIUS. Because as far as anyone knows, the State Department has never voted anything but “yes” in CFIUS. 

The House has passed two cyber information sharing bills ‒ H.R. 1560 and H.R. 1731 ‒ and at every stage of the process, the sponsors made concessions to the privacy lobby, which simply pocketed the concessions and moved the goal posts. Michael Vatis and I note that the bill that came out of the Intelligence Committee contained a “privacy tax” on private sector information sharing that will discourage sharing. And the bill as amended on the floor was worse – potentially stripping encryption of its status as a protected “defensive measure” under the act. If privacy groups hadn’t demanded the change, they’d already be screaming about how the House hates crypto. Now the bill moves to the Senate, where it is wrapped around the axle of NSA’s215 metadata program. Debate over that program must conclude by May 22 and will, I predict, be Hobbesian: nasty, brutish, and short. 

Maury Shenk and I discuss the EU’s gift that keeps on giving:  “Mad Dog” Oettinger, the high European official who finally threw away the mask, admitting a determination to regulate US tech companies until Europeans can climb back into the ring. There are rumors that his office is considering a vast new regulatory program for electronic platforms. Meanwhile, a bunch of senior UK intelligence officials are calling US Internet companies ‘terrorist-friendly’ for enabling encrypted communications. 

We quickly reprise the news from RSA: Jeh JohnsonAsh Carter, John Carlin, Tom Wheeler, and Michael Daniel were all in San Francisco last week.  Carter announced a DOD cyberwar strategy that looked at best like a plan to plan for cyberwar but still managed to be an improvement over past DOD efforts. Jeh Johnson wants DHS to have an office in Silicon Valley. And Michael Daniel admitted that the government is still looking for an escrow-type crypto solution. 

Finally, another FTC privacy case is settled, as the Commission declares that the lack of an instore-tracking opt-out is unfair, or deceptive, or newsworthy, or whatever the FTC’s standard for prosecution is these days. Jason Weinstein introduces me to my new heroes –  Maureen Ohlhausen and Joshua Wright‒ the two FTC commissioners who dissented from this lawless decision. 

Direct download: Podcast_64.mp3
Category:general -- posted at: 1:18pm EDT

Our guest for episode 63 of the Cyberlaw Podcast is Alan Cohn, former Assistant Secretary for Strategy, Planning, Analysis & Risk in the DHS Office of Policy and a recent addition at Steptoe. Alan brings to bear nearly a decade of experience at DHS to measure the Department’s growth. He explains how it has undertaken and largely delivered a new civilian cybersecurity infrastructure. And, while Congress dithers, it has begun to build an information sharing network quite independent of the legislative incentives now on offer. Alan also offers his insights into emerging technologies and the risks they may pose, including drones, sensors, and cryptocurrencies.

In the news roundup, the consensus story of the week is the return of Jason Weinstein from a five-week absence, only some of it justified by family vacation and other worthwhile endeavors.  In second place is the concerted European attack on Google and the rest of the US tech sectorMichael Vatis and I mull over a high-ranking European official’s astonishing gaffe in admitting the truth behind the effort – that it’s an attempt to regulate US technology until European industry can compete. Good luck with that.

In the House, Doug Kantor reminds us, it’s cyberweek, so the data breach law has immediately collapsed into such uncertainty that its Democratic sponsor even voted to keep it in committee. The bill has gone back to the shop for repairs to its bipartisan credentials, and the Obama administration, which says it supports a bill, seems to be keeping its distance from the messy business of actually legislating.

Meanwhile, Jason explains why cops are paying ransom to cybercrooks to get their data decrypted; Michael tells us a district court has given life to class action Google Wallet privacy claims under a sweeping theory; and I note that Julian Assange’s Wikileaks has hit a new low in offering a searchable database of stolen Sony email messages. Finally, the SEC’s Mary Jo White is taking heat for standing in the way of ECPA amendments, and the Chinese technological autarky movement seems to be alive and well, with a little help from US companies.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.comor leave a message at +1 202 862 5785.

Download the sixty-third episode (mp3).

 

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

Direct download: Podcast_63.mp3
Category:general -- posted at: 10:59am EDT