In this episode, Nick Weaver and I discuss new Internet regulations proposed in the UK. He’s mostly okay with its anti-nudge code for kids, but not with requiring proof of age to access adult material. I don’t see the problem; after all, who wouldn’t want to store their passport information with Pornhub?

Sri Lanka’s government has suspended social media access in the wake of the Easter attack. As Matthew Heiman notes, the reaction in the West is more or less a shrug—far different from the universal contempt and rejection displayed toward governments who did much the same during the 2011 Arab Spring rebellions. What made the difference? I argue that it’s Putin’s remarkably successful 2016 social media counterattack on Hilary Clinton as payback for her social media campaign against him in 2011.

DNS hijacking is just getting more brazen, according to a new Cisco Talos report. Nick and I talk about why that is and what could be done about it.

Paul Rosenzweig, back from hiatus and feisty as ever, mocks the EU Commission for its on-again, off-again criticism of Kaspersky’s security. Short version: The Commission wants badly to play in cybersecurity because it’s the Hot New Thing, but it has no institutional competence there, in either sense of the word. Speaking of Kaspersky, someone is doing a bad job of trying to compromise its critics with ham-handed private investigator-imposters.

Naked Kitten? Nick and I have a good laugh at the doxxing of Iranian government hackers.

Man bites dog: The Trump Administration is taking interagency processes seriously, and doing a better job than Obama’s team—at least when it comes to use of Cyber Command. Matthew dives into the repeal of PPD-20.

Paul brings us up to date on the Mar-a-Lago Thumb Drive Affair. Maybe it wasn’t malware after all.

Remember that face recognition software that the NGOs said was so crappy it had to be banned? Now, the New York Times reports that it’s so good it has to be banned. Not so fast, says Microsoft: Our face recognition software is still so crappy that it can’t be sold to law enforcement, and it ought to be export controlled so that China can sell—and keep improving—its face recognition tools.

Bet you thought we forgot the Mueller Report. Nope! In fact, I offer the one conclusion about the report that everyone across the political spectrum can agree on. Anti-climactically, Paul and I point out that the report throws sidelights on the "Going Dark" debate and Bitcoin anonymity. Nick points out that we already knew everything the Mueller Report tells us on those topics.

Finally, Nick and I wrangle over the lessons to be drawn from Facebook’s privacy travails.

Download the 260th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our News Roundup is hip deep in China stories. The inconclusive EU-China summit gives Matthew Heiman and me a chance to explain why France understands—and hates—China’s geopolitical trade strategy more than most.

Maury Shenk notes that the Pentagon’s reported plan to put a bunch of Chinese suppliers on a blacklist is a bit of a tribute to China’s own list of sectors not open to Western companies. In other China news, Matthew discloses that there’s reason to believe that China has finally begun to use all the U.S. personnel data it stole from OPM. I’m so worried it may yet turn my hair pink, at least for SF-86 purposes.

And in a sign that it really is better to be lucky than to be good, Matthew and I muse on how the Trump Administration’s China policy is coinciding with broader economic trends to force U.S. companies to reconsider their reliance on Chinese manufacturing.

It’s not all China, though. To kick things off, Nick Weaver and I schadenfreude our way through an otherwise serious take on the Julian Assange story and its strikingly narrow Computer Fraud and Abuse Act charge—and why extradition is likely to be a pain.

We also delve into the Google Sensorvault story. Nick and I agree that law enforcement access to location data, especially under the conditions set by Google, isn’t much of a privacy scandal, at least compared to private access to the same data. But that doesn’t mean it won’t raise endless legal problems for all concerned, partly because asking for a warrant out of the box isn’t quite the right legal or privacy framework.

Pete Jeydel notes two examples of CFIUS’s new toughness: It’s forcing a Russia-linked firm to sell stake in a cybersecurity company, and it has handed out a $1 million fine to a company that blew off its obligations under a mitigation agreement.

Maury covers the German data protection commissioner’s refusal to let German police store data in the Amazon cloud. The commissioner blames the CLOUD Act and the risk that US authorities may get cross-border access to the data. I flag the commissioner for hypocrisy and ignoring international law. Turns out that the Justice Department has a good new whitepaper out on the CLOUD Act, and it points out that remote access to offshore data has been an implicit part of the Budapest Convention since the ‘90s. 

Returning once more to China, Maury and I touch on the Chinese government’s use of AI to find Uighurs in crowds of Han Chinese. In my view, the only thing surprising about this story is that the New York Times thinks we should be surprised by it.

Download the 259th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed! 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our News Roundup leads with the long, slow death of Section 230 immunity. Nick Weaver explains why he thinks social media’s pursuit of engagement has led to a poisonous online environment, and Matthew Heiman replays the astonishing international consensus that Silicon Valley deserves the blame—and the regulation—for all that ails the Internet. The UK is considering holding social media execs liable for “harmful” content on their platforms. Australia has already passed a law to punish social media companies for failure to remove “abhorrent violent material.” And Singapore is not far behind. Even Mark Zuckerberg is reading the writing on the wall and asking for regulation. I note that lost in the hate directed at social media is any notion that other countries shouldn’t be able to tell Americans what they can and can’t read. I also wonder whether the consensus that platforms should be editors will add to conservative doubts about maintaining Section 230 at all—and in the process endanger the U.S.-Mexico-Canada Agreement that would enshrine Section 230 in U.S. treaty obligations.

Nate Jones and I summarize the latest Reuters piece on American hackers working for the UAE. The short version? This is more a victory lap combined with journalists’ special pleading than a major new story.

Nate also briefs us on the latest tale of woe from Silicon Valley, where taking Chinese money and tech means you’re likely to get burned—in a government-ordered fire sale.

Nick and I disagree about how flawed facial recognition is, but not on the fact that NGOs are working overtime to turn the technology toxic.

Nate gives Kaspersky’s lawyers high grades for imagination and effort but not for credibility in their claim that we can trust the company’s software because Russian law doesn’t authorize Putin to intercept its data feeds. 

And, with a hat tip to Gus Coldebella for the story, Matthew and I dig into the Washington attorney general’s $12 million settlement with Motel 6 for its cooperation with ICE. We think Motel 6 could have defended on federal preemption grounds and maybe gotten help from the Justice Department. But if the problem was bad publicity, that defense would have just made things worse.

Our interview is with Adam Segal, the Council on Foreign Relations’ expert on all things digital and China. Adam prognosticates on the likely fate of US-China trade talks, data localization in China, and on the future of China’s commercial cyberespionage plans.

Download the 258th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed! 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In today’s News Roundup, Klon Kitchen adds to the North Korean Embassy invasion by an unknown group. Turns out some of the participants fled to the U.S. and lawyered up, but the real tipoff about attribution is that they’ve given some of the data they stole to the FBI. That rules out CIA involvement right there.

Nick Weaver talks about Hal Martin pleading guilty to unlawfully retaining massive amounts of classified NSA hacking data. It’s looking more and more as though Martin was just a packrat, making his sentence of nine years in prison about right. But as Nick points out, that leaves unexplained how the Russians got hold of so much NSA data themselves.

Paul Hughes explains the seamy Europolitics behind the new foreign investment regulations that will take effect this month.

Nick explains the deeply troubling compromise of update certs at ASUS and the company’s equally troubling response. I ask why the only agency with clear authority over an incident with important national security implications is the FTC.

Nick and I comment on the Federal Trade Commission’s pending investigation of the privacy practices of seven Internet service providers.

Speaking of sensitive data practices, Klon talks about the Committee on Foreign Investment in the United States’ belated recognition that maybe the Chinese government shouldn’t have access to the most intimate desires of a portion of the U.S. LGBTQ community. I try to explain the difference between Tik Tok and Yik Yak and mostly fail.

Meanwhile, in splinternet news, the EU Parliament has approved the controversial Copyright Directive. A bunch of MEPs, soon to be running for reelection, claim they meant to vote against it, really, but somehow ended up voting for it.

The Department of Housing and Urban Development is suing Facebook for violating the Fair Housing Act. I ask listeners for help in finding guests who can talk about whether it’s a good idea to bar ad targeting that lets companies look for more customers like the ones they already have, even if their customers already skew toward particular genders and ethnicities.

Finally, Nick and I break down Gavin de Becker’s claim that the real killer in the Bezos sexting flap was Saudi Arabia. Plenty of smoke there, but the lack of a reference to any forensic evidence raises doubts about de Becker’s version of events.

Download the 257th Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Download the 255th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

If you are in London this week, you can see James Griffiths during his book tour. On March 13, he will be at the Frontline Club, and on March 14, he will be at Chatham House. You can also see him later this month at the Hong Kong Foreign Correspondents Club.

Download the 254th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our interview is with two men who overcame careers as lawyers and journalists to become serial entrepreneurs now trying to solve the “fake news” problem. Gordon Crovitz and Steve Brill co-founded NewsGuard to rate news sites on nine journalistic criteria—using, of all things, real people instead of algorithms. By the end of the interview, I’ve confessed myself a reluctant convert to the effort. This is despite NewsGuard’s treatment of Instapundit, which Gordon Crovitz and I both read regularly but which has not received a green check. 

Download the 253rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare. 

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

Download the 252nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed! 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The backlash against Big Tech dominates this episode, with new regulatory initiatives in the U.S., EU, Israel, Russia and China. The misbegotten link tax and upload filter provisions of the EU copyright directive have survived the convoluted EU legislative gantlet. My prediction: The link tax will fail because Google wants it to fail, but the upload filter will succeed because Google wants YouTube’s competitors to fail.

Rumors are flying that the Federal Trade Commission and Facebook will agree on a $1+ billion fine on the company for failure to adhere to its consent decree. My guess? This is not so much about law as it is about the climate of hostility around the company since it took the blame for Trump’s election.

And, in yet another attack on Big Tech, the EU is targeting Google and Amazon for unfair practices as sales platforms.

Artificial intelligence is so overworked a tech theme that it has even attracted the attention of the White House and the Defense Department. We ask a new contributor, Jessica “Zhanna” Malekos Smith, to walk us through the president’s executive order on artificial intelligence. I complain that it’s a cookie-cutter order that could as easily be applied to alien abductions. The Pentagon’s AI strategy, in contrast, is somewhat more substantive.

If you can’t beat ‘em, ban ‘em. Instead of regulating Big Tech, Russia is looking to take its own internet offline in an emergency. The real question is whether Russia is planning to cause the emergency it’s protecting itself against. If so, we are profoundly unready.

The CFIUS model is contagious! Brian Egan tells us Israel is considering restrictions on Chinese investment as the world keeps choosing sides in the new cold war.

China’s Ministry of Public Security is now authorized to conduct no-notice penetration testing of internet businesses operating in China. I must say, it was nice of them to offer the service in beta to the Office of Personnel Management, Anthem and Equifax. Speaking of which, could this spell more trouble for Western firms doing business in China?

Brian touches on the Treasury Department’s new sanctions against Iranian organizations for supporting intelligence and cyber operations targeting U.S. persons. It turns out that the hackers had help—and that there is no ideology so loathsome it can’t win converts among Americans.

Nate Jones describes the EU’s plan to use “cyber sanctions” to fend off hackers during upcoming elections.

This Week in Old Guys You Shouldn’t Mess With: Nate reveals how 94-year-old William H. Webster helped take down a Jamaican scam artist.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself. That’s the message Nick Weaver and David Kris extract from two stories we cover in this week’s episode of The Cyberlaw Podcast—the Justice Department’s indictment of a couple of kids whose hacker chops are modest but whose social engineering skills are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there’s always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.

Okay, it ain’t “When Harry Met Sally,” but for a degraded age, “When Bezos Exposed Pecker” will have to do. David keeps us focused on the legal questions: Was the “Enquirer” letter really extortion? Would publication of the pics be actionable? And is there any way the “Enquirer” could get those text messages without someone committing a crime? And, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

Social media—privacy law threat or competition law menace? That’s the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.

Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the People’s Liberation Army (PLA) to the curb and brought in the professionals from China’s Ministry of State Security (MSS). So now Chinese tradecraft is a little better, and the Justice Department is indicting MSS officials instead of PLA soldiers. David sums up.

NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.

Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing university lawyers.

Okay, one more: I celebrate HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:

“I got a fever, and the only cure is more Weaver. Love the show. I’m a lawyer but not in tech or security law, but it’s still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show.” 

I am moved to channel Peggy Lee. And if more good reviews don’t pour in, I may make that performance a weekly feature. David Kris, I’m sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee’s oeuvre like that.

Download the 250th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed! 

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.