The Cyberlaw Podcast (general)

Bruce Schneier joins Stewart Baker and Alan Cohn for an episode recorded live in front of an audience of security and privacy professionals.  Appearing at the Privacy. Security. Risk. 2015 conference, sponsored by the IAPP and the Cloud Security Alliance, Bruce Schneier talks through recent developments in law and technology.

The three of us stare into the pit opened by an overwrought (and overdue and overweening) European Court of Justice advisor. If the European Court of Justice follows his lead (and what seems to be its inclinations), we could face a true crisis in transatlantic relations.

VW’s decision to hack its own emissions control software leads to a deep dive into the internet of things that lie to us, the value (or not) of open source, and whether plausible deniability is the next skill that programmers will have to learn.

We also talk China, the OPM hack, and the unique value and unique vulnerability of biometric authenticators. Bruce and Alan dig into the proposed export control rules for intrusion software; when they’re done, so is the case for the rules. The right to be forgotten leads to an exploration of when we should delegate law-making to private companies. I promise a detailed analysis in the future of Google’s law-making to date, and hint that it will not make us more fond of private and hidden law making.

Finally, I ask a hard question about Edward Snowden that no one has asked since he first burst on the scene: Is he so in the tank for the Digital Millennium Copyright Act that he can’t imagine intelligent life anywhere in the universe without it?

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.  More importantly, we need feedback on whether to replace our theme music, and with what.  Please take a listen to the samples at www.steptoe.com/cybermusic and vote for your favorite.  Voting closes on October 9.

Direct download: Podcast_83.mp3
Category:general -- posted at: 12:38pm EDT

Cyberlaw negotiations are the theme of episode 82, as the US and China strike a potentially significant agreement on commercial cyberespionage and Europeans focus on tearing up agreements with the US and intruding on US sovereignty.

Our guest for the episode is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies.  Most importantly, Jim is one of the most deeply informed and insightful commentators on China and cybersecurity.  He offers new perspectives on the Obama-Xi summit and what it means for cyberespionage.

Meanwhile, the news roundup is full of flamboyant European attacks on US sovereignty and US agreements with Europe.  In a pending case involving Facebook, a highly influential advisor to the European Court of Justice has fired both barrels pointblank at the Safe Harbor privacy agreement with the United States.  First, he concludes that any data protection authority is free to defy the primacy of Brussels and refuse to give effect to the EU’s determination that US practices under the Safe Harbor are “adequate” for data transfer purposes.  Second, he concludes that US practices are not adequate because section 702 of the Foreign Intelligence Surveillance Act and other US law permits intelligence collection of European data on a mass scale.  Maury Shenk and I agree that, if followed by the Court, this will be an enormous problem for the transatlantic relationship.  I wonder why we’re giving Europeans the protection of the Privacy Act when their institutions are actively seeking to thwart one of our most effective counterterrorism intelligence programs.

Not to be outdone, Paris put the boot in as well, telling Google that censoring search results on google.fr was not enough.  The right to be forgotten had to be extended to google.com, so that Americans and the rest of the world could be censored at the command of privacy bureaucrats in France’s data protection authority.  Maury and I identify the biggest unanswered question:  Has Google already started to censor its .com search results?

And India seems intent on playing on both sides of the US debate over encryption and lawful access.  After coming down hard for Jim Comey’s side in a draft regulation, Michael Vatis and I note, the Indian government has had a change of heart, withdrawing the draft while leaving uncertain what will replace it.

Finally, in one piece of domestic news, Jason Weinstein unpacks a ruling that refuses to enforce an SEC demand for the passcodes needed to unlock phones.


Direct download: Podcast_82.mp3
Category:general -- posted at: 6:18pm EDT

Episode 81 features China in the Bull Shop, as the White House prepares for President Xi’s visit and what could be ugly talks on cyber issues. Our guest commentator, Margie Gilbert, is a network security professional with service at NSA, CIA, ODNI, Congress, and the NSC. Now at Team Cymru, she’s able to offer a career’s worth of perspective on how three Presidents have tried to remedy the country’s unpreparedness for network intrusions.

In the news roundup, there’s a high likelihood that President Obama will be accusing and Xi will be denying China’s role in cyberespionage. You might say it’s a “he said, Xi said” issue. Alan Cohn and I debate whether the US should settle for a “no first use” assurance to protect critical infrastructure in peacetime.  

On encryption, the White House (and Silicon Valley) are certainly raising the issue’s visibility. But they aren’t necessarily persuading anyone who isn’t already persuaded. From MI5 to the NYDFS to the new Indian government, dissing strong encryption is a surprisingly popular pastime.

The never-ending saga of when email content can be obtained with something less than probable cause and a warrant seems to be winding down to a bizarre resolution. Agencies investigating terrorists and white collar fraud that costs consumers hundreds of millions will have to jump through the warrant hoop. Agencies looking to impose regulatory penalties or file civil claims will not. Michael Vatis, Jason Weinstein, and I wonder aloud whether this realpolitik accommodation between politicians who love civil liberties and politicians who hate banks will survive its internal contradictions.

After a decade of stutter-stepping, the EU is bailing on its own data retention law, leaving the issue, and the mess, to member states. Maury Shenk provides a definitive short analysis.

Elsewhere, Judge Leon gets the section 215 plaintiff he sought with everything short of a personal ad in Craigslist,  practically guaranteeing another storm of exclamation points in F.Supp. – followed by a lengthy proceeding to have his opinion vacated as moot.

In good news, a Heartland hacker pleads guilty. Jason Weinstein celebrates – as much as is seemly for someone involved in the case. And in a rare moment of humility, I confess to having learned something from listener criticism, as Robert Horn schools me on some of the lesser-known risks associated with health data breaches.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. More importantly, we need feedback on whether to replace our theme music; please take a listen to the samples at http://www.steptoe.com/cybermusic and vote for your favorite. Voting closes on October 9.

Direct download: Podcast_81.mp3
Category:general -- posted at: 11:28am EDT

Still trying to dig out from under our hiatus backlog, we devote episode 80 to our regulars. We’ll bring back a guest next week. This week it’s a double dose of Jason Weinstein, Michael Vatis, Stewart Baker, and Congress-watcher Doug Kantor.

Michael offers an analysis of the Second Circuit’s oral argument in the Microsoft lawsuit over producing data stored in Ireland. The good news: it was a hot bench, deeply engaged, that let oral argument go to triple the usual length. The bad news for Microsoft: by far the hottest member of the panel was Judge Lynch, who made no secret of his deep opposition to Microsoft’s arguments. 

I offered a skeptical view of the US-EU umbrella “deal” on exchange of law enforcement data and the “Judicial Redress Act” that Congress seems ready to rush through in support of the agreement. The problem? It looks as though DOJ sold out the rest of government and much of industry. Justice promised to make the one change in US law the EU wants, granting Europeans a right of action under the Privacy Act, in exchange for, well, pretty much nothing except a bit of peace of mind for DOJ. Since the EU is more a receiver than sender of data, it already has a lot of leverage in data exchanges and there haven’t been many attempts to thwart the exchange of strictly criminal evidence. What the US really wants is for the EU to stop threatening the Safe Harbor, to stop penalizing US companies to pressure the US government about its use of data, and to guarantee that it isn’t holding the US to higher privacy standards than it imposes on EU governments. The DOJ-led negotiations got none of those concessions. And I’m willing to bet that the EU didn’t even give up the right to bitch, moan, and cut off data flows in the future if it doesn’t like how the umbrella applies. (On top of everything, the agreement is still under wraps, so the rush to praise and implement it is particularly imprudent.)

Michael and Jason deliberate on why Justice would obtain a text intercept order for Apple and then not react to the utterly predictable claim by Apple that it had no way to implement such an intercept. We note the further irony of Apple simultaneously defying the US government on privacy grounds while rushing to comply with Russia’s anti-privacy localization law.

The administration seems unable to impose sanctions on China’s cyberattackers or to stop talking about imposing sanctions on China’s cyberattackers. Sounds like a job for Stewart Baker! I offer my proposed sanctions for the Github attack, already laid out in detail here and here.

One barrier to sanctions may be the fear of hitting the wrong target, and in that regard, the Justice Department is wearing a full coat of egg after dropping its indictment of a purported Chinese spy amid allegations that it had simply misunderstood the technology in question. 

Doug Kantor offers a detailed and surprisingly upbeat assessment of the information-sharing bills’ chances for passage later this year. We also alert defense contractors to an expanded breach disclosure obligation.

And, finally, we decide to crowdsource the decision whether to keep our current theme music or to adopt one of three challengers. One of the candidates gets a heart-tugging endorsement from Jason that you’ll have to listen to the podcast to hear. Here’s the link to listen and vote for your favorite: www.steptoe.com/cybermusic.


The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_80.mp3
Category:general -- posted at: 10:51am EDT

The cyberlaw podcast is back from hiatus with a bang. Our guest is Peter Singer, author of Ghost Fleet, a Tom Clancy-esque thriller designed to illustrate the author’s policy and military chops. The book features a military conflict with China that uses all the weapons the United States and China are likely to deploy in the next decade. These include China’s devilishly effective sabotage of the US defense supply chain, Silicon Valley’s deployment of a letter of marque, and some spot-on predictions of the likely response of our sometime allies. 

Episode 79 also recaps some of the most significant cyberlaw developments of the past month.

First, to no one’s surprise, the cybersecurity disaster just keeps getting worse, and the climate for victims does too: breach losses are being measured in the tens or even hundreds of millions of dollars, with a networking company losing $30 million and unlawful insider trading profits reaching $100 million.

Meanwhile, the courts are less than sympathetic. The Seventh Circuit cleared the way for a breach suit against Neiman Marcus, while the FTC and the Third Circuit were kicking Wyndham around the courtroom and down the courthouse steps. We wonder what exactly Wyndham did to earn the court’s ire. 

Next, we savor the “long, withdrawing, roar” of 215 metadata litigation, as privacy groups try with ever more desperation to pile a judicial ruling on top of their Congressional win. We ask what the hell the DC circuit’s splintered ruling means, and whether Judge Leon is really determined to jam still more exclamation points into the case despite its imminent mootness. (Answer from Judge Leon: Hell, yes!!!). Privacy groups are agitating for the Second Circuit to issue an injunction against the program. We ask: is that as dumb and violative of ordinary judicial procedures as it sounds? Stay tuned.

Finally, the messy fight over location data and the warrant requirement just won’t die, and may be metastasizing. Judge Koh and the Fourth Circuit say a warrant is needed for location data, revitalizing a circuit conflict that looked as though it was curing itself. Meanwhile, DOJ gets in the act, declaring as a matter of policy that federal use of stingrays needs a warrant. The result? Thousands of Baltimore cases could be at risk. Luckily, Jason Weinstein hints, most of those cases wouldn’t have yielded a conviction.



Direct download: Podcast_79.mp3
Category:general -- posted at: 12:04pm EDT

Bonus Episode 78: Dmitri Alperovitch, Harvey Rishikof, Stewart Baker, and Melanie Teplinsky debate whether the United States should start doing commercial espionage. 

I know, I know, we promised that the Cyberlaw Podcast would go on hiatus for the month of August.  But we also hinted that there might be a bonus episode.  And here it is, a stimulating panel discussion sponsored by the Atlantic Council and moderated by Melanie Teplinsky.  The topic is whether the United States should abandon its longstanding policy of refusing to steal the commercial secrets of foreigners to help American companies compete.  The discussion is lively, with plenty of disagreements and an audience vote at the start and finish of the discussion to gauge how persuasive we were.  Enjoy!



Direct download: Episode_78.mp3
Category:general -- posted at: 11:13am EDT

Our guest for episode 77 is Bruce Andrews, the deputy secretary of the Commerce Department. Alan Cohn and I pepper Bruce with questions about export controls on cybersecurity technology, stopping commercial cyberespionage, the future of the NIST cybersecurity framework, and how we can get on future cybersecurity trade missions, among other things.

In the news roundup, Alan and I puzzle over the administration’s reluctance to blame China for its hacks of US agencies.

The furor over cybersecurity export controls continues unabated, with a couple of hundred hostile comments filed and Congress beginning to stir. Alan Cohn fills us in.

The UK high court ruling on data retention makes history but maybe only the most evanescent of law. Alan and I discuss whether the ruling will resemble Marbury v. Madison in more ways than one.

France finalizes expansion of surveillance. Bush administration figures come out against back doors. Cyberweek begins and, the cyber left hopes, ends without progress on CISA.

This Week in Prurient Cybersecurity: The first Ashley Madison subscriber is outed. And he’s Canadian. Looks like the nights really are longer up there. Ottawa apparently leads the world in percentage of would-be adulterers, followed by Washington, DC. No further comment seems necessary.

And Bloomberg says that the Chinese attempt to build a database on Americans didn’t begin with OPM or Anthem, but with the compromise of travel databases two years ago.

This time, Alan hints, the FTC may throw away the key, as it once again takes action against LifeLock. And the Seventh Circuit wades into the debate over how much harm a data breach plaintiff must suffer to have standing to sue.



Direct download: Podcast_77.mp3
Category:general -- posted at: 3:37pm EDT

Episode 76 of the podcast features the power couple of privacy and cybersecurity, Peter Swire and Annie Antón, both professors at Georgia Institute of Technology. I question them on topics from the USA FREEDOM Act to the enduring gulf between writing law and writing code. 

In the news roundup, as our listeners have come to expect, we do indeed return to our recurring feature, This Week in Prurient Cybersecurity, with a riff on the Ashley Madison hack. But you’ll have to wait until the end, when we’re loosened up. 

We begin more soberly, with Jason Weinstein and Michael Vatis covering the courts’ mopping up after passage of the USA FREEDOM Act. The DC Circuit has received supplemental briefs on Section 215, and the ACLU is leading the hopeless charge against the 215 program in the Second Circuit.

The Hacking Team doxxing draws attention to the risk involved in hiring hackers. When they’re disgruntled, they don’t just slam the door on the way out. Still, Alan Cohn and I can’t help but be fascinated by the Hacking Team proposal to use drones to hover over the target, intercepting his Wi-Fi connection.

In regulatory news, Alan Cohn and Jason Weinstein discuss the FERC’s revisions to the CIP cybersecurity requirements, with a focus on supply chain practices, and a Boston hospital’s settlement of HIPAA charges, prompting me to ask whether HHS’s Office of Civil Rights is the most hypocritically aggressive privacy regulator in government.

Russia’s Right to Be Forgotten law is signed, after further tweaks. And Google announces that it has officially tipped more than one million links into the dustbin of history.

I respond to listener feedback by walking back my mockery of Tony Scott’s “TLS Everywhere” initiative, noting that it might have some modest security benefits after all. Instead of “privacy theater” perhaps I should have called it a “privacy skit.” And as attribution gets better, so does the temptation to fly false flags. It looks as though the Russians will pioneer this particular development, attacking US sites under the nom de guerre of the Cyber Caliphate. And the US government response to the Russian attacks? A predictable silence.


As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_76.mp3
Category:general -- posted at: 4:29pm EDT

Bitcoin and the blockchain – how do they work and what do they mean for financial and government services and for consumers? And who holds massive stores of bitcoin that can’t be spent without solving one of the great financial mysteries of our time? Our guest for episode 75 is Michael Casey, former senior columnist for the Wall Street Journal and – as of last week – senior advisor at the MIT Media Lab’s Digital Currency Initiative. Michael is also the author, along with his former Wall Street Journal colleague Paul Vigna, of The Age of Cryptocurrency:  How Bitcoin and Digital Money Are Challenging the Global Economic Order. Alan Cohn and Jason Weinstein interview him about bitcoin and its underestimated enabling technology, the blockchain.

In the news roundup, Meredith Rathbone, Alan Cohn, and I dive into the Commerce Department’s sweeping proposal for new regulation of the cybersecurity industry under the Wassenaar arrangement. With comments due on July 20, security companies are beginning to identify a host of unintended regulatory consequences.

The FBI and Justice Department had a surprisingly good week complaining about technologists’ deployment of ubiquitous unbreakable encryption. A group of cryptographers offered a contrary view, and I critiqued their position in the roundup and in a blog post.

Hacking Team was itself hacked, with its internal correspondence spread across the internet. One quick lesson: if anyone is expecting export controls to stop sales of hacking tools to repressive regimes, they aren’t paying attention to the Italian government’s licensing policies.

Finally, the right to be forgotten looks like a bad idea whose time has come. Jason doubts that Consumer Watchdog will succeed in smuggling the right to be forgotten into the FTC Act, perhaps because the act is already bulging at the seams. Canadian courts, in contrast, seem happy to impose their speech rules on Americans – whether or not Canadian courts have, you know, jurisdiction over the Americans.



Direct download: Episode_75.mp3
Category:general -- posted at: 4:30pm EDT

Our guest commentator for episode 74 is Catherine Lotrionte, a recognized expert on international cyberlaw and the associate director of the Institute for Law, Science and Global Security at Georgetown University.  We dive deep on the United Nations Group of Government Experts, and the recent agreement of that group on a few basic norms for cyberspace.  Predictably, I break out in hives at the third mention of “norms” and default to jokes about “Cheers.”

In the news roundup, Michael Vatis and I sort through China’s ever-growing list of vague laws expressing determination to control technology for security purposes.  Jason Weinstein explains the FTC’s settlement with the makers of a stealthy digital currency mining app.  He and Michael also note the remarkably belated filing of a class action arising from the Anthem hack – and cast doubt on whether the class can be sustained.

Speaking of class actions, the OPM hack has also led to litigation.  All the Cyberlaw commentators are in the class, and none of us expect the litigation to succeed.  And speaking of the FTC, it has released new security guidance, a kind of Restatement of FTC Security Law, explaining just how wisely the FTC settled its 50-plus security cases.  I provide a quick update on the status of my FOIA lawsuit on behalf of Phil Reitinger, in which we try to find out what security standards the FTC is actually using to decide which companies are in violation of the law.

In NSA news, the Foreign Intelligence Surveillance Court says the Second Circuit’s opinion on NSA’s 215 metadata program was unpersuasive and mischaracterized the program.  In judicial circles, the trash talk doesn’t get much trashier.  Since this all becomes irrelevant when the program ends later this year, the FISC will likely have the last word.  And WikiLeaks is rolling out more alleged NSA docs, this time focusing on Germany and Brazil.  The documents don’t seem to be from Snowden, and WikiLeaks offers no provenance for them.  Hmm.  Maybe we ought to take another look at those stories claiming that WikiLeaks has been infiltrated by Russian intelligence.  


Direct download: Podcast_74.mp3
Category:general -- posted at: 4:14pm EDT