The Cyberlaw Podcast (general)

GPT-4’s rapid and tangible improvement over ChatGPT has more or less guaranteed that it or a competitor will be built into most new and legacy information technology (IT) products. Some applications will be pointless, but some will change users’ world. In this episode, Sultan Meghji, Jordan Schneider, and Siobhan Gorman explore the likely impact of GPT-4 from Silicon Valley to China.

Kurt Sanger joins us to explain why Ukraine’s IT Army of volunteer hackers creates political, legal, and maybe even physical risks for the hackers and for Ukraine. This may explain why Ukraine is looking for ways to “regularize” their international supporters, with a view to steering them toward defending Ukrainian infrastructure.

Siobhan and I dig into the Biden administration’s latest target for cybersecurity regulation: cloud providers.  I wonder if there is not a bit of bait and switch in operation here. The administration seems at least as intent on regulating cloud providers to catch hackers as to improve defenses.

Say this for China – it never lets a bit of leverage go to waste, even when it should.  To further buttress its seven-dashed-line claim to the South China Sea, China is demanding that companies get Chinese licenses to lay submarine cable within the contested territory. That, of course, incentivizes the laying of cables much further from China, out where they’re harder for the Chinese to deal with in a conflict. But some Beijing bureaucrat will no doubt claim it as a win for the wolf warriors. Ditto for the Chinese ambassador’s statement about the Netherlands joining the U.S. in restricting chip-making equipment sales to China, which boiled down to “We will make you pay for that. We just do not know how yet.” The U.S. is not always good at dealing with its companies and other countries, but it is nice to be competing with a country that is demonstrably worse at it.

The Securities and Exchange Commission has gone from catatonic to hyperactive on cybersecurity. Siobhan notes its latest 48-hour incident reporting requirement and the difficulty of reporting anything useful in that time frame.

Kurt and Siobhan bring their expertise as parents of teens and aspiring teens to the TikTok debate.

I linger over the extraordinary and undercovered mess created by “18F”—the General Services Administration’s effort to bring Silicon Valley to the government’s IT infrastructure. It looks like they brought Silicon Valley’s arrogance, its political correctness, and its penchant for breaking things but forgot to bring either competence or honesty. 18F lied to its federal customers about how or whether it was checking the identities of people logging in through login.gov. When it finally admitted the lie, it brazenly claimed it was not checking because the technology was biased, contrary to the only available evidence. Oh, and it refused to give back the $10 million it charged because the work it did cost more than that. This breakdown in the middle of coronavirus handouts undoubtedly juiced fraud, but no one has figured out how much. Among the victims: Sen. Ron Wyden (D.-Ore.), who used login.gov and its phony biometric checks as the “good” alternative that would let the Internal Revenue Service (IRS) cancel its politically inconvenient contract with ID.me. Really, guys, it’s time to start scrubbing 18F from your LinkedIn profiles.

The Knicks have won some games. Blind pigs have found some acorns. But Madison Square Garden (and Knicks) owner, Jimmy Dolan is still investing good money in his unwinnable fight to use facial recognition to keep lawyers he does not like out of the Garden. Kurt offers commentary, thereby saving himself the cost of Knicks tickets for future playoff games. 

Finally, I read Simson Garfinkel’s explanation of a question I asked (and should have known the answer to) in episode 448.

Direct download: TheCyberlawPodcast-449.mp3
Category:general -- posted at: 9:24am EDT

This episode of the Cyberlaw Podcast kicks off with the sudden emergence of a serious bipartisan effort to impose new national security regulations on what companies can be part of the U.S. Information Technology and content supply chain. Spurred by a stalled Committee on Foreign Investment in the United States negotiation with TikTok, Michael Ellis tells us, a dozen well-regarded Democrat and Republican senators have joined to endorse the Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act, which authorizes the exclusion of companies based in hostile countries from the U.S. economy. The administration has also jumped on the bandwagon, making the adoption of some legislation more likely than in the past.  

Jane Bambauer takes us through the district court decision upholding the use of a “geofence warrant” to identify January 6th rioters. We end up agreeing that this decision (and the context) turned out to be the best possible result for the Justice Department, silencing the usual left-leaning doubters about law enforcement technological adaptation. 

Just a few days after issuing a cybersecurity strategy that calls for more regulation, the administration is delivering what it called for. Transportation Security Administration (TSA) has issued emergency cybersecurity orders for airports and aircraft operators that, I argue, take the regulatory framework from a few baby steps to a plausible set of minimum requirements. Things look a little different in the water and sewage sector, where the regulator is the Environmental Protection Agency (EPA)—not known for its cybersecurity expertise—and the authority to regulate is grounded if at all in very general legislative language. To make the task even harder, EPA is planning to impose its cybersecurity standards using an interpretive rule against a background in which Congress has done just enough cybersecurity legislating to undermine the case for a broad interpretation. 

Jane explores the story that Google was deterred from releasing its impressive AI technology by fear of bad press. That leads us to a meditation on politics inside companies with a guaranteed source of revenue. I offer hope that Google’s fears about politically incorrect AI will infect Chinese tech firms.

Jane and I reprise the debate over the United Kingdom’s Online Safety Act and end-to-end encryption, which leads to a poli-sci tour of European policymaking institutions. 

The other cyber and national security news in Congress is the ongoing debate over renewal of section 702 of the Foreign Intelligence Surveillance Act (FISA), where it appears that the FBI scored an own-goal. Michael reports that an FBI analyst did unauthorized searches of the 702 database for intelligence on one of the House intelligence committee’s moderates, Rep. Darin LaHood, R-Ill. Details are sketchy, Michael notes, but the search was disclosed by Rep. LaHood, and it is bound to have led to harsh questioning during the FBI director’s classified testimony. Meanwhile, at least one member of the President’s Civil Liberties and Oversight Board is calling for what could be a crippling “reform” of 702 database searches.

Jane and I unpack the controversy surrounding the Federal Trade Commission’s investigation of Twitter’s compliance with its consent decree. On the law, Elon Musk’s Twitter is in trouble. On the political front, however, they are more evenly matched. Chances are, both parties are overestimating their own strengths, which could foretell a real donnybrook.

Michael assesses the stories saying that the Biden administration is preparing new rules to govern outbound investment in China. He is skeptical that we’ll see heavy regulation in this space.

In quick hits,  

Download 448th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-448.mp3
Category:general -- posted at: 1:22pm EDT

As promised, the Cyberlaw Podcast devoted half of this episode to an autopsy of Gonzalez v. Google LLC, the Supreme Court’s first opportunity in a quarter century to construe section 230 of the Communications Decency Act. And an autopsy is what our panel—Adam Candeub, Gus Hurwitz, Michael Ellis and Mark MacCarthy—came to perform. I had already laid out my analysis and predictions in a separate article for the Volokh Conspiracy, contending that both Gonzalez and Google would lose. All our panelists agreed that Gonzalez was unlikely to prevail, but no one followed me in predicting that Google’s broad immunity claim would fall, at least not in this case. The general view was that Gonzalez’s lawyer had hurt his case with shifting and opaque theories of liability, that Google’s arguments raised concerns among the Justices but not enough to induce them to write an opinion in such a muddled case. Evaluating the Justices’ performance, Justice Neil Gorsuch’s search for a textual answer drew little praise and some derision while Justice Ketanji Jackson won admiration even from the more conservative panelists. More broadly, there was a consensus that, whatever the fate of this particular case, the court will find a way to push the lower courts away from a sweeping immunity for platforms and toward a more nuanced protection. But because returning to the original intent of section 230 is not likely after 25 years of investment based on a lack of liability, this more nuanced protection will not have much grounding in the actual statutory language. Call it a return to the Rule of Reason.

In other news, Michael summed up recent developments in cyber war between Russia and Ukraine, including imaginative attacks on Russia’s communications system. I wonder whether these attacks—which are sexy but limited in impact—make cyber the modern equivalent of using motorcycles as a weapon in 1939. 

Gus brings us up to date on recent developments in competition law, including a likely Department of Justice challenge to Adobe’s $20 billion Figma deal, a new airline merger challenge, the beginnings of opposition to the Federal Trade Commission’s (FTC) proposed ban on noncompete clauses, and the third and final nail in the coffin of the FTC’s challenge to the Meta-Within merger.

In European cyber news, the European Union is launching a consultation designed to make U.S. platforms pay more of European telecom networks’ costs. Adam and Gus note the rent-seeking involved but point out that rent-seeking in U.S. network construction is just as bad, but seems to be extracting rents from taxpayers instead of Silicon Valley.

The EU is also getting ready to fix the General Data Protection Regulation (GDPR), in the sense that gamblers fix a prize fight. The new fix will make sure Ireland never again wins a fight with the rest of Europe over how aggressively to extract privacy rents from U.S. technology companies.

I am excited about Apple’s progress in devising a blood glucose monitor that could go into a watch. Adam and Gus tell me not to get too excited until we know how many roadblocks the Food and Drug Administration (FDA) will erect to the use and analysis of the monitors’ data.

In quick hits, 

Download 445th Episode (mp3)


Direct download: TheCyberlawPodcast-445.mp3
Category:general -- posted at: 12:30pm EDT

This episode of the Cyberlaw Podcast opens with a look at some genuinely weird behavior by the Bing AI chatbot – dark fantasies, professions of love, and lies on top of lies – plus the factual error that wrecked the rollout of Google’s AI search bot. Chinny Sharma and Nick Weaver explain how we ended up with AI that is better at BS’ing than at accurately conveying facts. This leads me to propose a scheme to ensure that China’s autocracy never gets its AI capabilities off the ground. 

One thing that AI is creepily good at is faking people’s voices. I try out ElevenLabs’ technology in the first advertisement ever to run on the Cyberlaw Podcast.

The upcoming fight over renewing section 702 of FISA has focused Congressional attention on FBI searches of 702 data, Jim Dempsey reports. That leads us to the latest compliance assessment on agencies’ handling of 702 data. Chinny wonders whether the only way to save 702 will be to cut off the FBI’s access – at great cost to our unified approach to terrorism intelligence. I complain that the compliance data is older than dirt. Jim and I come together around the need to provide more safeguards against political bias in the intelligence community.

Nick brings us up to date on cyber issues in Ukraine, as summarized in a good Google report. He puzzles over Starlink’s effort to keep providing service to Ukraine without assisting offensive military operations. 

Chinny does a victory lap over reports that the (still not released) national cyber strategy will recommend imposing liability on the companies that distribute tech products – a recommendation she made in a paper released last year. I cannot quite understand why Google thinks this is good for Google.

Nick introduces us to modern reputation management. It involves a lot of fake news and bogus legal complaints. The Digital Millennium Copyright Act and European Union (EU) and California privacy law are the censor’s favorite tools. What is remarkable to my mind is that a business taking so much legal risk charges so little.

Jim and Chinny bring us up to date on the charm offensive being waged in Washington by TikTok’s CEO and the broader debate over China’s access to the personal data of Americans, including health data. Jim cites a recent Duke study, which I complain is not clear about when the data being sold is individual and when it is aggregated. Nick reminds us all that aggregate data is often easy to individualize. 

Finally, we make quick work of a few more stories:

  • This week’s oral argument in Gonzalez v. Google is a big deal, but we will cover it in detail once the Justices have chewed it over.  

  • If you want to know why conservatives think the whole “disinformation” scare is a scam to suppress conservative speech, look no further than the scandal over the State Department’s funding of a non-governmental organization (NGO) devoted to cutting off ad revenue for “risky” purveyors of “disinformation” like Reason (presumably including the Volokh Conspiracy), Real Clear Politics, the N.Y. Post, and the Washington Examiner – all outlets that can only look like disinformation to the most biased judge. The National Endowment for Democracy has already cut off funding, but Microsoft’s ad agency still seems to be boycotting these conservative outlets.

  • EU lawmakers are refusing to endorse the latest EU-U.S. data deal. But it is all virtue signaling.

  • Leaving Twitter over Elon Musk’s ownership turns out to be about as popular as leaving the U.S. over Trump’s presidency.

  • Chris Inglis has finished his tour of duty as national cyber director.

  • And the Federal Trade Commission’s humiliation over its effort to block Meta’s acquisition of Within is complete. Meta closed the deal last week.

Download 443rd Episode (mp3) 



Direct download: TheCyberlawPodcast-443.mp3
Category:general -- posted at: 4:26pm EDT

The latest episode of The Cyberlaw Podcast gets a bit carried away with the China spy balloon saga. Guest host Brian Fleming, along with guests Gus Hurwitz, Nate Jones, and Paul Rosenzweig, shares insights (and bad puns) about the latest reporting on the electronic surveillance capabilities of the first downed balloon, the Biden administration’s “shoot first, ask questions later” response to the latest “flying objects,” and whether we should all spend more time worrying about China’s hackers and satellites. Gus then shares a few thoughts on the State of the Union address and the brief but pointed calls for antitrust and data privacy reform. Sticking with big tech and antitrust, Gus recaps a significant recent loss for the Federal Trade Commission (FTC) and discusses what may be on the horizon for FTC enforcement later this year. Pivoting back to China, Nate and Paul discuss the latest reporting on a forthcoming (at some point) executive order intended to limit and track U.S. outbound investment in certain key aspects of China’s tech sector. They also ponder how industry may continue its efforts to narrow the scope of the restrictions and whether Congress will get involved. Sticking with Congress, Paul takes the opportunity to explain the key takeaways from the not-so-bombshell House Oversight Committee hearing featuring former Twitter executives. Gus next describes his favorite ChatGPT jailbreaks and a costly mistake for an artificial intelligence (AI) chatbot competitor during a demo. Paul recommends a fascinating interview with Sinbad.io, the new Bitcoin mixer of choice for North Korean hackers, and reflects on the substantial portion of the Democratic People's Republic of Korea’s gross domestic product attributable to ransomware attacks. Finally, Gus questions whether AI-generated “Nothing, Forever” will need to change its name after becoming sentient and channeling Dave Chappelle.
To wrap things up in the week’s quick hits, Gus briefly highlights where things stand with Chip Wars: Japan edition and Brian covers coordinated U.S./UK sanctions against the Trickbot cybercrime group, confirmation that Twitter’s sale will not be investigated by the Committee on Foreign Investment in the United States (CFIUS), and the latest on Securities and Exchange Commission (SEC) v. Covington.

Download 442nd Episode (mp3) 



Direct download: TheCyberlawPodcast-442.mp3
Category:general -- posted at: 9:29am EDT

This episode of the Cyberlaw Podcast is dominated by stories about possible cybersecurity regulation. David Kris points us first to an article by the leadership of the Cybersecurity and Infrastructure Security Administration in Foreign Affairs. Jen Easterly and Eric Goldstein seem to take a tough line on “Why Companies Must Build Safety Into Tech Products.” But for all the tough language, one word, “regulation,” is entirely missing from the piece. Meanwhile, the cybersecurity strategy that the White House has been reportedly drafting for months seems to be hung up over how enthusiastically to demand regulation.

All of which seems just a little weird in a world where Republicans hold the House. Regulation is not likely to be high on the GOP to-do list, so calls for tougher regulation are almost certainly more symbolic than real.

Still, this is a week for symbolic calls for regulation. David also takes us through a National Telecommunications and Information Administration (NTIA) report on the anticompetitive impact of Apple’s and Google’s control of their mobile app markets. The report points to many problems and opportunities for abuse inherent in their headlock on what apps can be sold to phone users. But, as Google and Apple are quick to point out, they do play a role in regulating app security, so breaking the headlock could be bad for cybersecurity. In any event, practically every recommendation for action in the report is a call for Congress to step in—almost certainly a nonstarter for reasons already given.

Not to be outdone on the phony regulation beat, Jordan Schneider and Sultan Meghji explore some of the policy and regulatory proposals for AI that have been inspired by the success of ChatGPT. The EU’s AI Act is coming in for lots of attention, mainly from parts of the industry that want to be regulation-free. Sultan and I trade observations about who’ll be hollowed out first by ChatGPT, law firms or investment firms.

Sultan also tells us why the ION ransomware hack matters. Jordan and Sultan find a cybersecurity angle to The Great Chinese Balloon Scandal of 2023. And I offer an assessment of Matt Taibbi’s story about the Hamilton 68 “Russian influence” reports. If you have wondered what the fuss was about, do not expect mainstream media to tell you; the media does not come out looking good in this story. Unfortunately for Matt Taibbi, he does not look much better than the reporters his story criticizes. David thinks it is a balanced and moderate take, for which I offer an apology and a promise to do better next time.

Direct download: TheCyberlawPodcast-441.mp3
Category:general -- posted at: 10:00am EDT

The big cyberlaw story of the week is the Justice Department’s antitrust lawsuit against Google and the many hats it wears in the online ad ecosystem. Lee Berger explains the Justice Department’s theory, which is not dissimilar to the Texas attorney general’s two-year-old claims. When you have lost both the Biden administration and the Texas attorney general, I suggest, you cannot look too many places for friends—and certainly not to Brussels, which is also pursuing similar claims of its own. So what is the Justice Department’s late-to-the-party contribution? At least two things, Lee suggests: a jury demand that will put all those complex Borkian consumer-welfare doctrines in front of a northern Virginia jury and a “rocket docket” that will allow Justice to catch up with and maybe lap the other lawsuits against the company. This case looks as though it will be long and ugly for Google, unless it turns out to be short and ugly. Mark reminds us that, for the Justice Department, finding an effective remedy may be harder than proving anticompetitive conduct.

Nathan Simington assesses the administration’s announced deal with Japan and the Netherlands to enforce a tougher decoupling policy against China’s semiconductor makers. Details are still a little sparse, but some kind of deal was essential for the United States. But for Japan and the Netherlands, the details are critical, and any arrangement will require flexibility and sophistication on the part of the Commerce Department. 

Megan Stifel and I chew over the Justice Department/FBI victory lap after putting a stick in the spokes of The Hive ransomware infrastructure. We agree that the lap was warranted. Among other things, the FBI handled its access to decryption keys with more care than in the past, providing them to many victims before taking down a big chunk of the ransomware gang’s tools. The bad news? Nobody was arrested, and the infrastructure can probably be reconstituted in the near term.

Here is an evergreen headline: “Facebook is going to reinstate Donald Trump’s account.” That could be the opening line of any story in the last few months, and that is probably Facebook’s strategy—a long, teasing dance of seven veils so that by the time Trump starts posting, it will be old news. If that is Facebook’s PR strategy, it is working, Mark MacCarthy reports. Nobody much cares, and they certainly do not seem to be mad at Facebook. So the company is out of the woods, and they have left the ex-president on the receiving end of a blow to the ego that is bound to sting.

Megan has more good news on the cybercrime front: The FBI identified the North Korean hacking group that stole $100 million in crypto last year—and may have kept the regime from getting its hands on any of the funds. 

Nathan unpacks two competing news stories. First, “OMG, ChatGPT will help bad guys write malware.” Second: “OMG, ChatGPT will help good guys find and fix security holes.” He thinks they are both a bit overwrought, but maybe a glimpse of the future.

Mark and Megan explain TikTok’s new offer to Washington. Megan also covers Congress’s “TayTay v. Ticketmaster” hearing after disclosing her personal conflict of interest.

Nathan answers my question: how can the FAA be so good at preventing airliners from crashing and so bad at preventing its systems from crashing? The ensuing discussion turns up more on-point bathroom humor than anyone would have expected.

In quick hits, I cover three stories:

Download 440th Episode (mp3) 


Direct download: TheCyberlawPodcast-440.mp3
Category:general -- posted at: 10:15am EDT

We kick off a jam-packed episode of the Cyberlaw Podcast by flagging the news that ransomware revenue fell substantially in 2022. There is lots of room for error in that Chainalysis finding, Nick Weaver notes, but the effect is large. Among the reasons to think it might also be real is resistance to paying ransoms on the part of companies and their insurers, who are especially concerned about liability for payments to sanctioned ransomware gangs. I also note a fascinating additional insight from Jon DiMaggio, who infiltrated the Lockbit ransomware gang. He says that Entrust was hit by Lockbit, which threatened to release its internal files, and that the company responded with days of Distributed Denial of Service (DDoS) attacks on Lockbit’s infrastructure – and never did pay up. That would be a heartening display of courage. It would also be a felony, at least according to the conventional wisdom that condemns hacking back. So I cannot help thinking there is more to the story. Like, maybe Canadian Security Intelligence Service is joining Australian Signals Directorate in releasing the hounds on ransomware gangs. I look forward to more stories on this undercovered disclosure.

Gus Hurwitz offers two explanations for the Federal Aviation Administration system outage, which grounded planes across the country. There’s the official version and the conspiracy theory, as with everything else these days. Nick breaks down the latest cryptocurrency failure; this time it’s Genesis. Nick’s not a fan of this prepackaged bankruptcy. And Gus and I puzzle over the Federal Trade Commission’s determination to write regulations to outlaw most non-compete clauses.

Justin Sherman, a first-timer on the podcast, covers recent research showing that alleged Russian social media interference had no meaningful effect on the 2016 election. That spurs an outburst from me about the cynical scam that was the “Russia, Russia, Russia” narrative—a kind of 2016 election denial for which the press and the left have never apologized.

Nick explains the looming impact of Twitter’s interest payment obligation. We’re going to learn a lot more about Elon Musk’s business plans from how he deals with that crisis than from anything he’s tweeted in recent months.

It does not get more cyberlawyerly than a case the Supreme Court will be taking up this term—Gonzalez v. Google. This case will put Section 230 squarely on the Court’s docket, and the amicus briefs can be measured by the shovelful. The issue is whether YouTube’s recommendation of terrorist videos can ever lead to liability—or whether any judgment is barred by Section 230. Gus and I are on different sides of that question, but we agree that this is going to be a hot case, a divided Court, and a big deal.

And, just to show that our foray into cyberlaw was no fluke, Gus and I also predict that the United States Court of Appeals for the District of Columbia Circuit is going to strike down the Allow States and Victims to Fight Online Sex Trafficking Act, also known as FOSTA-SESTA—the legislative exception to Section 230 that civil society loves to hate. Its prohibition on promotion of prostitution may fall to First Amendment fears on the court, but the practical impact of the law may remain.

Next, Justin gives us a quick primer on the national security reasons for regulation of submarine cables. Nick covers the leak of the terror watchlist thanks to a commuter airline’s sloppy security. Justin explains TikTok’s latest charm offensive in Washington.

Finally, I provide an update on the UK’s online safety bill, which just keeps getting tougher, from criminal penalties, to “ten percent of revenue” fines, to mandating age checks that may fail technically or drive away users, or both. And I review the latest theatrical offering from Madison Square Garden—“The Revenge of the Lawyers.” You may root for the snake or for the scorpions, but you will not want to miss it.

Direct download: TheCyberlawPodcast-439_1.mp3
Category:general -- posted at: 10:27am EDT

In this bonus episode of the Cyberlaw Podcast, I interview Andy Greenberg, long-time WIRED reporter, about his new book, “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.” This is Andy’s second author interview on the Cyberlaw Podcast. He also came on to discuss an earlier book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. They are both excellent cybersecurity stories.

“Tracers in the Dark”, I suggest, is a kind of sequel to the Silk Road story, which ends with Ross Ulbricht, the Dread Pirate Roberts, pinioned in a San Francisco library with his laptop open to an administrator’s page on the Silk Road digital black market. At that time, cryptocurrency backers believed that Ulbricht’s arrest was a fluke, and that properly implemented, bitcoin was anonymous and untraceable. Greenberg’s book explains, story by story, how that illusion was trashed by smart cops and techies (including our own Nick Weaver!) who showed that the blockchain’s “forever” records make it almost impossible to avoid attribution over time.

Among those who fall victim to the illusion of anonymity are two federal officers who helped pursue Ulbricht—and to rip him off; the administrator of AlphaBay, Silk Road’s successor dark market; an alleged Russian hacker who made so much money hacking Mt. Gox that he had to create his own exchange to launder it all; and hundreds of child sex abuse consumers and producers.

It is a great story, and Andy brings it up to date in the interview as we dig into two massive, multi-billion seizures made possible by transaction tracing. In fact, for all the colorful characters in the book, the protagonist is really Chainalysis and its competitors, who have turned tracing into a kind of science. We close the talk by exploring Andy’s deeply mixed feelings about both the world envisioned by cryptocurrency’s evangelists and the way Chainalysis is saving us from that world.

Direct download: TheCyberlawPodcast-438_2.mp3
Category:general -- posted at: 9:44am EDT

The Cyberlaw Podcast kicks off 2023 by staring directly into the sun(set) of Section 702 authorization. The entire panel, including guest host Brian Fleming and guests Michael Ellis and David Kris, debates where things could be headed this year as the clock is officially ticking on FISA Section 702 reauthorization. Although there is agreement that a straight reauthorization is unlikely in today’s political environment, the ultimate landing spot for Section 702 is very much in doubt and a “game of chicken” will likely precede any potential deal. Everything seems to be in play, as this reauthorization battle could result in meaningful reform or a complete car crash come this time next year. Sticking with Congress, Michael also reacts to President Biden’s recent bipartisan call to action regarding “Big Tech” and ponders where Republicans and Democrats could potentially find agreement on an issue everyone seems to agree on (for very different reasons). The panel also discusses the timing of President Biden’s OpEd in the Wall Street Journal and debates whether it is intended as a challenge to the Republican-controlled House to act rather than simply increase oversight on the tech industry.

David then introduces a fascinating story about the bold recent action by the Securities and Exchange Commission (SEC) to bring suit against Covington & Burling LLP to enforce an administrative subpoena seeking disclosure of the firm’s clients implicated in a 2020 cyberattack by the Chinese state-sponsored group Hafnium. David posits that the SEC knows exactly what it is doing by taking such aggressive action in the face of strong resistance, and the panel discusses whether the SEC may have already won by attempting to protect its burgeoning piece of turf in the U.S. government cybersecurity enforcement landscape. Brian then turns to the crypto regulatory and enforcement space to discuss Coinbase’s recent settlement with New York’s Department of Financial Services. Rather than signal another crack in the foundation of the once high-flying crypto industry, Brian offers that this may just be routine growing pains for a maturing industry that is more like the traditional banking sector, from a regulatory and compliance standpoint, than it may have wanted to believe.

Then, in the China portion of the episode, Michael discusses the latest news on the establishment of a reverse Committee on Foreign Investment in the United States (CFIUS), and suggests it may still be some time before this tool gets finalized (even as the substantive scope appears to be shrinking). Next, Brian discusses a recent D.C. Circuit decision which upheld the Federal Communications Commission’s decision to rescind the license of China Telecom at the recommendation of the executive branch agencies known as Team Telecom (Department of Justice, Department of Defense, and Department of Homeland Security). This important, first-of-its-kind decision reinforces the role of Team Telecom as an important national security gatekeeper for U.S. telecommunications infrastructure. Finally, David highlights an interesting recent story about an FBI search of an apparent Chinese police outpost in New York and ponders what it would mean to negotiate with and be educated by undeclared Chinese law enforcement agents in a foreign country.

In a few updates and quick hits:

  • Brian updates listeners on the U.S. government’s continuing efforts to win multilateral support from key allies for tough new semiconductor export controls targeting China.
  • Michael picks up the thread on the Twitter Files release and offers his quick take on what it says about ReleaseTheMemo.  

And, last but not least, Brian discusses the unsurprising (according to Stewart) decision by the Supreme Court of the United States to allow WhatsApp’s spyware suit against NSO Group to continue.

Direct download: TheCyberlawPodcast-437.mp3
Category:general -- posted at: 10:39am EDT