Whatever else the pundits are saying about the use of cyberattacks in the Ukraine war, Dave Aitel notes, they all believe it confirms their past predictions about cyberwar. Not much has been surprising about the cyber weapons the parties have deployed, Scott Shapiro agrees. The Ukrainians have been doxxing Russia’s soldiers in Bucha and its spies around the world. The Russians have been attacking Ukraine’s grid. What’s surprising is that the grid attacks have not seriously degraded civilian life, and how hard the Russians have had to work to have any effect at all. Cyberwar isn’t a bust, exactly, but it is looking a little overhyped. In fact, Scott suggests, it’s looking more like a confession of weakness than of strength: “My military attack isn’t up to the job, so I’ll throw in some fancy cyberweapons to impress The Boss.”

Would it have more impact here? We can’t know until the Russians (or someone else) gives it a try. But we should certainly have a plan for responding, and Dmitri Alperovitch and Sam Charap have offered theirs: Shut down Russia’s internet for a few hours just to show we can. It’s better than no plan, but we’re not ready to say it’s the right plan, given the limited impact and the high cost in terms of exploits exposed.

Much more surprising, and therefore interesting, is the way Ukrainian mobile phone networks have become an essential part of Ukrainian defense. As discussed in a very good blog post, Ukraine has made it easy for civilians to keep using their phones without paying no matter where they travel in the country and no matter which network they find there. At the same time, Russian soldiers are finding the network to be a dangerous honeypot. Dave and I think there are lessons there for emergency administration of phone networks in other countries.

Gus Hurwitz draws the short straw and sums up the second installment of the Elon Musk v. Twitter story. We agree that Twitter’s poison pill probably kills Musk’s chances of a successful takeover. So what else is there to talk about? In keeping with the confirmation bias story, I take a short victory lap for having predicted that Musk would try to become the Rupert Murdoch of the social oligarchs. And Gus helps us enjoy the festschrift of hypocrisy from the Usual Sources, all declaring that the preservation of democracy depends on internet censorship, administered by their friends.

Scott takes us deep on pipeline security, citing a colleague’s article for Lawfare on the topic. He thinks responsibility for pipeline security should be moved from Transportation Security Administration (TSA) to (FERC), because, well, TSA. The Biden administration is similarly inclined, but I’m not enthusiastic; TSA may not have shown much regulatory gumption until recently, but neither has FERC, and TSA can borrow all the cyber expertise it needs from its sister agency, CISA. An option that’s also open to FERC, Scott points out.

You can’t talk pipeline cyber security without talking industrial control security, so Scott and Gus unpack a recently discovered ICS malware package that is a kind of Metasploit for attacking operational tech systems. It’s got a boatload of features, but Gus is skeptical that it’s the best tool for causing major havoc in electric grids or pipelines. Also, remarkable: it seems to have been disclosed before the nation state that developed it could actually use it against an adversary. Now that’s Defending Forward!

As a palate cleanser, we ask Gus to take us through the latest in EU cloud protectionism. It sounds like a measure that will hurt U.S. intelligence but do nothing for Europe’s effort to build its own cloud industry. I recount the broader story, from subpoena litigation to the CLOUD Act to this latest counter-CLOUD attack. The whole thing feels to me like Microsoft playing both sides against the middle. 

Finally, Dave takes us on a tour of the many proposals being launched around the world to regulate the use of Artificial Intelligence (AI) systems. I note that Congressional Dems have their knives out for face recognition vendor id.me. And I return briefly to the problem of biased content moderation. I look at research showing that Republican Twitter accounts were four times more likely to be suspended than Democrats after the 2020 election. But I find myself at least tentatively persuaded by further research showing that the Republican accounts were four times as likely to tweet links to sites that a balanced cross section of voters considers unreliable. Where is confirmation bias when you need it?

Download the 403rd Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The theme of this episode of the Cyberlaw Podcast is, “Be careful what you wish for.“ Techlash regulation is burgeoning around the world. Mark MacCarthy  takes us through a week’s worth of regulatory enthusiasm. Canada is planning to force Google and Facebook to pay Canadian news media for links. It sounds simple, but arriving at the right price—and the right recipients—will require a hefty dose of discretionary government intervention. Meanwhile, South Korea’s effort to regulate Google’s Android app store policies, which also sounds simple, is quickly devolving into such detail that the government might as well call it price regulation—because that’s what it is. And, Mark notes, even in China, which seemed to be moderating its hostility to tech platforms, just announced algorithm compliance audits for TenCent and ByteDance.

Nobody is weeping for Big Tech, but anybody who thinks this kind of thing will hurt Big Tech has never studied the history of AT&T—or Rupert Murdoch. Incumbent tech companies have the resources to protect themselves from regulatory harm—and to make sure their competitors will be crushed by the burdens they bear. The one missing chapter in the mutual accommodation of Big Tech and Big Government, I argue, is a Rupert Murdoch figure—someone who will use his platform unabashedly to curry favor not from the left but from the right. It’s an unfilled niche, but a moderately conservative Big Tech company is likely to find all the close regulatory calls being made in its favor if (or, more likely, when) the GOP takes power. If you think that’s not possible, you missed the last week of tech news. Elon Musk, whose entire business empire is built on government spending, is already toying with occupying a Silicon Valley version of the Rupert Murdoch niche. His acquisition of nearly 10 percent of Twitter is an opening gambit that is likely to make him the man that conservatives hail as the antidote to Silicon Valley’s political monoculture. Axios’s complaint that the internet is becoming politically splintered is wildly off the mark today, but it may yet come true.

Nick Weaver brings us back to earth with a review of the FBI’s successful (for now) takedown of the Cyclops Blink botnet—a Russian cyber weapon that was disabled before it could be fired. Nick reminds us that the operation was only made possible by a change in search and seizure procedures that the Electronic Frontier Foundation (EFF) and friends condemned as outrageous just a decade ago. Last week, he reports, Western law enforcement also broke the Hydra dark market. In more good news, Nick takes us through the ways in which bitcoin’s traceability has enabled authorities to bust child sex rings around the globe.

Nick also brings us This Week in Bad News for Surveillance Software: FinFisher is bankrupt. Israeli surveillance software smuggled onto EU ministers’ phones is being investigated; and Google has banned apps that use particularly intrusive data collection tools, outed by Nick’s colleagues at the International Computer Science Institute.

Finally, Europe is building a vast network to do face recognition across the continent. I celebrate the likely defeat of ideologues who’ve been trying to toxify face recognition for years. And I note that one of my last campaigns at the Department of Homeland Security (DHS) was a series of international agreements that lock European law enforcement into sharing of such data with the United States. Defending those agreements, of course, should be a high priority for the State Department’s on-again off-again new cyber bureau.

Download the 402nd Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Spurred by a Cyberspace Solarium op-ed, Nate Jones gives an overview of cybersecurity worries in the maritime sector, where there is plenty to worry about. I critique the U.S. government’s December 2020 National Maritime Cybersecurity Strategy, a 36-page tome that, when the intro and summary and appendices and blank pages are subtracted, offers only eight pages of substance. Luckily, the Atlantic Council has filled the void with its own report on the topic.

Of course, the maritime sector isn’t the only one we should be concerned about. Sultan Meghji points to the deeply troubling state of industrial control security, as illustrated by at “10 out of 10” vulnerability recently identified in a Rockwell Automation ICS system. 

Still, sometimes software rot serves a good purpose. Maury Shenk tells us about decay in Russia’s SORM—a site-blocking system that may be buckling under the weight of the Ukraine invasion. Talking about SORM allows me to trash a nothingburger story perpetrated by three New York Times reporters who ought to know better. Adam Satariano, Paul Mozur and Aaron Krolik should be ashamed of themselves for writing a long story suggesting that Nokia did something wrong by selling Russia telecom gear that enables wiretaps. Since the same wiretap features are required by Western governments as a matter of law, Nokia could hardly do anything else. SORM and its abuses were all carried out by Russian companies. I suspect that, after wading through a boatload of leaked documents, these three (three!) reporters just couldn’t admit there was no there, there. 

Nate and I note the emergence of a new set of secondary sanctions targets as the Treasury Department begins sanctioning companies that it concludes are part of a sanctions evasion network. We also puzzle over the surprising pushback on proposals to impose  sanctions on Kaspersky. If the Wall Street Journal is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn’t that a reason to sanction them out of Western networks? 

Sultan and Maury remind us that regulating cryptocurrency is wildly popular with some, including Sen. Elizabeth Warren and the EU Parliament. Sultan remains skeptical that sweeping regulation is in the cards. He is much more bullish on Apple’s ability to upend the entire fintech field by plunging into financial services with enthusiasm. I point out that it’s almost impossible for a financial services company to maintain a standoffish relationship with the government, so Apple may have to change the tune it’s been playing in the U.S. for the last decade.

Maury and I explore fears that the DMA will break WhatsApp encryption, while Nate and I plumb some of the complexities of a story Brian Krebs broke about hackers exploiting the system by which online services provide subscriber information to law enforcement in an emergency. 

Speaking of Krebs, we dig into Ubiquiti’s defamation suit against him. The gist of the complaint is that Krebs relied on a “whistleblower” who turned out to be the perp, and that Krebs didn’t quickly correct his scoop when that became apparent. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint—the lack of any allegation that the company told Krebs that he’d been misled and asked for a retraction. Without that, it’s hard to say that Krebs was negligent (let alone malicious) in reporting allegations by an apparently well-informed insider. 

Maury brings us up to speed on the (still half-formed) U.K. online harms bill and explains why the U.K. government was willing to let the subsidiary of a Chinese company buy the U.K.’s biggest chip foundry. Sultan finds several insights in an excellent CNN story about the Great Conti Leak.

And, finally, I express my personal qualms about the indictment (for disclosing classified information) of Mark Unkenholz, a highly competent man whom I know from my time in government. To my mind the prosecutors are going to have to establish that Unkenholz was doing something different from the kind of disclosures that are an essential part of working with tech companies that have no security clearances but plenty of tools needed by the intelligence community. This is going to be a story to watch.

Download the 401st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

With the U.S. and Europe united in opposing Russia’s attack on Ukraine, a few tough transatlantic disputes are being swept away—or at least under the rug. Most prominently, the data protection crisis touched off by Schrems 2 has been resolved in principle by a new framework agreement between the U.S. and the EU. Michael Ellis and Paul Rosenzweig trade insights on the deal and its prospects before the European Court of Justice. The most controversial aspect of the agreement is the lack of any change in U.S. legislation. That’s simple vote-counting if you’re in Washington, but the Court of Justice of the European Union (CJEU) clearly expected that it was dictating legislation for the U.S. Congress to adopt, so Europe’s acquiescence may simply kick the can down the road a bit. The lack of legislation will be felt in particular, Michael and Paul aver, when it comes to providing remedies to European citizens who feel their rights have been trampled.  Instead of going to court, they’ll be going to an administrative body with executive branch guarantees of independence and impartiality.  We congratulate several old friends of the podcast who patched this solution together.

The Russian invasion of Ukraine, meanwhile, continues to throw off new tech stories. Nick Weaver updates us on the single most likely example of Russia using its cyber weapons effectively for military purposes—the bricking of Ukraine’s (and a bunch of other European) Viasat terminals. Alex Stamos and I talk about whether the social media companies recently evicted from Russia, especially Instagram, should be induced or required to provide information about their former subscribers’ interests to allow microtargeting of news to break Putin’s information management barriers; along the way we examine why it is that tech’s response to Chinese aggression has been less vigorous. Speaking of microtargeting, Paul gives kudos to the FBI for its microtargeted “talk to us” ads, only visible to Russian speakers within 100 yards of the Russian embassy in Washington. Finally, Nick Weaver and Mike mull the significance of Israel’s determination not to sell sophisticated cell phone surveillance malware to Ukraine.

Returning to Europe-U.S. tension, Alex and I unpack the European Digital Markets Act, which regulates a handful of U.S. companies because they are “digital gatekeepers.“ I think it’s a plausible response to network effect monopolization, ruined by anti-Americanism and the persistent illusion that the EU can regulate its way to a viable tech industry. Alex has a similar take, noting that the adoption of end-to-end encryption was a big privacy victory, thanks to WhatsApp, an achievement that the Digital Markets Act will undo in attempting to force standardized interoperable messaging on gatekeepers. 

Nick walks us through the surprising achievements of the gang of juvenile delinquents known as Lapsus$. Their breach of Okta is the occasion for speculation about how lawyers skew cyber incident response in directions that turn out to be very bad for the breach victim. Alex vividly captures the lawyerly dynamics that hamper effective response. While we’re talking ransomware, Michael cites a detailed report on corporate responses to REvil breaches, authored by the minority staff of the Senate Homeland security committee. Neither the FBI nor CISA comes out of it looking good.  But the bureau comes in for more criticism, which may help explain why no one paid much attention when the FBI demanded changes to the cyber incident reporting bill.

Finally, Nick and Michael debate whether the musician and Elon Musk sweetheart Grimes could be prosecuted for computer crimes after confessing to having DDOSed an online publication for an embarrassing photo of her. Just to be on the safe side, we conclude, maybe she shouldn’t go back to Canada. And Paul and I praise a brilliant WIRED op-ed proposing that Putin’s Soviet empire nostalgia deserves a wakeup call; the authors (Rosenzweig and Baker, as it happens) suggest that the least ICANN can do is kill off the Soviet Union’s out-of-date .su country code.

Download the 400th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So, mark your calendar and when the time comes, use this link to join the audience:

https://riverside.fm/studio/the-cyberlaw-podcast-400 

See you there!

There’s nothing like a serious shooting war to bring on paranoia and mistrust, and the Russian invasion of Ukraine is generating mistrust on all sides. 

Everyone expected a much more damaging cyberattack from the Russians, and no one knows why it hasn’t happened yet. Dave Aitel walks us through some possibilities. Cyberattacks take planning, and Russia’s planners may have believed they wouldn’t need to use large-scale cyberattacks—apart from what appears to be a pretty impressive bricking of Viasat terminals used extensively by Ukrainian forces. Now that the Russians could use some cyber weapons in Ukraine, the pace of the war may be making it hard to build them. None of that is much comfort to Western countries that have imposed sanctions, since their infrastructure makes a nice fat sitting-duck target, and may draw fire soon if American intelligence warnings prove true.

Meanwhile, Matthew Heiman reports, the effort to shore up defenses is leading to a cavalcade of paranoia. Has the UK defense ministry banned the use of WhatsApp due to fears that it’s been compromised by Russia? Maybe. But WhatsApp has long had known security limitations that might justify downgrading its use on the battlefield. Speaking of ambiguity and mistrust, Telegram use is booming in Russia, Dave says, either because the Russians know how to control it or because they can’t. Take your pick.

Speaking of mistrust, the German security agency has suddenly discovered that it can’t trust Kaspersky products.  Good luck finding them, Dave offers, since many have been whitelabeled into other company’s software. He has limited sympathy for an agency that resolutely ignored U.S. warnings about Kaspersky for years.

Even in the absence of a government with an interest in subverting software, the war is producing products that can’t be trusted. One open-source maintainer of a popular open-source tool turned it into a data wiper for anyone whose computer looks Belarussian or Russian. What could possibly go wrong with that plan?

Meanwhile, people who’ve advocated tougher cybersecurity regulation (including me) are doing a victory lap in the press about how it will bolster our defenses. It’ll help, I argue, but only some, and at a cost of new failures. The best example being TSA’s effort to regulate pipeline security, which has struggled to avoid unintended consequences while being critiqued by an industry that has been hostile to the whole effort from the start.

The most interesting impact of the war is in China. Jordan Schneider explores how China and Chinese companies are responding to sanctions on Russia. Jordan thinks that Chinese companies will follow their economic interests and adhere to sanctions—at least where it’s clear they’re being watched—despite online hostility to sanctions among Chinese digerati.

Matthew and I think more attention needs to be paid to Chinese government efforts to police and intimidate ethnic Chinese, including Chinese Americans, in the United States. The Justice Department for one is paying attention; it has arrested several alleged Chinese government agents engaged in such efforts.

Jordan unpacks China’s new guidance on AI algorithms. I offer grudging respect to the breadth and value of the topics covered by China’s AI regulatory endeavors.  

Dave and I are disappointed by a surprise package in the FY 22 omnibus appropriations act. Buried on page 2334 is an entire smorgasbord of regulation for intelligence agency employees who go looking for jobs after leaving the intelligence community. This version is better than the original draft, but mainly for the intelligence agencies; intelligence professionals seem to have been left out in the cold when revisions were proposed. 

Matthew does an update on the peanut butter sandwich spies who tried to sell nuclear sub secrets to a foreign power that the Justice Department did not name at the time of their arrest. Now that country has been revealed. It’s Brazil, apparently chosen because the spies couldn’t bring themselves to help an actual enemy of their country. 

And finally, I float my own proposal for the nerdiest possible sanctions on Putin. He’s a big fan of the old Soviet empire, so it would be fitting to finally wipe out the last traces of the Soviet Union, which have lingered for thirty years too long in the Internet domain system. Check WIRED magazine for my upcoming op-ed on the topic. 

Download the 399th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So mark your calendar and when the time comes, use this link to join the audience:

https://riverside.fm/studio/the-cyberlaw-podcast-400

See you there! 

For the third week in a row, we lead with cyber and Russia’s invasion of Ukraine. Paul Rosenzweig comments on the most surprising thing about social media’s decoupling from Russia—how enthusiastically the industry is pursuing the separation. Facebook is allowing Ukrainians to threaten violence against Russian leadership and removing or fact checking Russian government and media posts. Not satisfied with this, the EU wants Google to remove Russia Today and Sputnik from search results. I ask why the U.S. can’t take over Facebook and Twitter infrastructure to deliver the Voice of America to Facebook and Twitter users who’ve been cut off by their departure. Nobody likes that idea but me. Meanwhile, Paul notes that The Great Cyberwar that Wasn’t could still make an appearance, citing Ciaran Martin’s sober Lawfare piece.  

David Kris tells us that Congress has, after a few false starts, finally passed a cyber incident reporting bill, notwithstanding the Justice Department’s over-the-top histrionics in opposition. I wonder if the bill, passed in haste due to the Ukraine conflict, should have had another round of edits, since it seems to lock in a leisurely reg-writing process that the Cybersecurity and Infrastructure Security Agency (CISA) can’t cut short.  

Jane Bambauer and David unpack the first district court opinion considering the legal status of “geofence” warrants—where Google gradually releases more data about people whose phones were found near a crime scene when the crime was committed. It’s a long opinion by Judge M. Hannah Lauck, but none of us finds it satisfying. As is often true, Orin Kerr’s take is more persuasive than the court’s.

Next, Paul Rosenzweig digs into Biden’s cryptocurrency executive order. It’s not a nothingburger, he opines, but it is a process-burger, meaning that nothing will happen in the field for many months, but the interagency mill will begin to grind, and sooner or later will likely grind exceeding fine. 

Jane and I draw lessons from WIRED’s “expose” on three wrongful arrests based on face recognition software, but not the “face recognition is Evil” lesson WIRED wanted us to draw. The arrests do reflect less than perfect policing, and are a wrenching view of what it’s like for an innocent man to face charges that aren’t true. But it’s unpersuasive to blame face recognition for mistakes that could have been avoided with a little more care by the cops.

David and I highly recommend Brian Krebs’s great series on what we can learn from leaked chat logs belonging to the Conti ransomware gang. What we learned from the Conti leaks. My favorite insight was the Conti member who said, when a company resisted paying to keep its files from being published, that “There is a journalist who will help intimidate them for 5 percent of the payout.” I suggest that our listeners crowdsource an effort to find journalists who might fit this description. It might not be hard; after all, how many journalists these days are breaking stories that dive deep into doxxed databases? 

Paul and I spend a little more time than it deserves on an ICANN paper about ways to block Russia from the network. But I am inspired to suggest that the country code .su—presumably all that’s left of the Soviet Union—be permanently retired. I mean, really, does anyone respectable want it back? 

Jane gives a lick and a promise to the Open App Markets bill coming out of the Senate Judiciary Committee. I alert the American Civil Liberties Union to a shocking porcine privacy invasion. 

I discover that none of the other panelists is surprised that 15 percent of people have already had sex with a robot but all of them find the idea of falling in love with a robot preposterous. 

Download the 398th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

Much of this episode is devoted to new digital curtain falling across Europe. Gus Horwitz and Mark-MacCarthy review the tech boycott that has seen companies like Apple, Samsung, Microsoft and Adobe pull their service from Russia. Nick Weaver describes how Russia cracked down on independent Russian media outlets and blocked access to the websites of foreign media including the BBC and Facebook. Gus reports on an apparent Russian decision to require all servers and domains to transfer Russian zone, thereby disconnecting itself from the global internet. 

Mark describes how private companies in the U.S. have excluded Russian media from their systems, including how DirecTV’s decision to drop RT America led the Russian 24-hour news channel to shutter its operations. In contrast, the EU officially shut down all RT and Sputnik operations, including their apps and websites. Nick wonders if the enforcement mechanism is up to the task of taking down the websites. Gus, Dave and Mark discuss the myth making in social media about the Ukrainian war such as the Ghost of Kyiv, and wonder if fiction might do some good to keep up the morale of the besieged country. 

Dave Aitel reminds us that despite the apparent lack of cyberattacks in the war, more might be going on under the surface. He also he tells us more about the internal attack that affected the Conti Ransomware gang when they voiced support for Russia. Nick opines that cryptocurrencies do not have the volume to serve as an effective way around the financial sanctions against Russia. Sultan Meghji agrees that the financial sanctions will accelerate the move away from the dollar as the world’s reserve currency and is skeptical that a principles-based constraint will do much good to halt that trend. 

A few things happened other than the war in Ukraine, including President Biden’s first state of the union address. Gus notices that much of the speech was devoted to tech. He notes that the presence in the audience of Frances Haugen, the Facebook whistleblower, highlighted Biden’s embrace of stronger online children’s privacy laws and that the presence of Intel CEO Patrick Gelsinger gave the president the opportunity to pitch his plan to support domestic chip production. 

Sultan and Dave discuss the cybersecurity bill that passed out of the Senate unanimously. It would require companies in critical sectors to report cyberattacks and ransomware to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). They also analyze the concerns that companies have about providing information to the FBI. Dave thinks the bills that were discussed in this week’s House Commerce hearing to hold Big Tech accountable, respond to wide-spread public concerns about tech’s surveillance business model, but still he thinks they are unlikely to make it through the process to become law. 

Gus says that Amazon’s certification that it has responded to the Federal Trade Commission’s inquiries about its proposed $6.5 billion MGM merger triggers a statutory deadline for the agency to act. It is not the company’s fault, he says, that the agency has a 2-2 between Democrats and Republicans that will likely prevent them opposing the merger in time. I take the opportunity to note that the Senate Commerce committee sent the nominations of Alvaro Bedoya for the Federal Trade Commission and Gigi Sohn for the Federal Communications Commission to the Senate floor, but that it would likely be several months before the full Senate would act on the nominations.

Finally, Nick argues that certain measures in the European Commission’s proposed digital identity framework, aiming to improve authentication on the web, would in practice have the opposite effect of dramatically weakening web security.

Download the 397th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Much of this episode is devoted to how modern networks and media are influencing what has become a major shooting war between Russia and Ukraine. Dmitri Alperovitch gives a sweeping overview. Ukraine and its president, Volodymyr Zelenskyy, clearly won the initial stages of the war in cyberspace, turning broad Western sympathy into a deeper commitment with short videos from downtown Kyiv at a time when Zelenskyy was expected to be racing for the border. The narrative of determined Ukrainian resistance and hapless Russian arrogance was set in cement by the end of the week, and Zelenskyy’s ability to casually dial in to EU ministers’ meetings (and just as casually say that this might be the last time the ministers saw him alive) changed official Europe’s view of the conflict permanently. Putin’s failure to seize Ukraine’s capital and telecom facilities in the first day of the fight may mean a long, grinding conflict.

Russia is doing its best to control the narrative on Russian networks by throttling Facebook, Twitter and other Western media. And it’s essentially telling those companies that they need to distribute pro-Russian media in the West if they want a future in Russia. Dmitri believes that that’s not a price Silicon Valley will pay for access to a country where every other bank and company is already off-limits due to Western sanctions. Jane Bambauer weighs in with the details of Russia’s narrative-control efforts—and their failure.

And what about the cyberattacks that press coverage led us to expect in this conflict between two technically capable adversaries? Nate Jones and Dmitri agree that, while network wiping and ransomware have occurred, their impact on the battle has not been obvious. Russia seems not to have sent its A-team to take down any of Ukraine’s critical infrastructure. Meanwhile, as Western nations pledge more weapons and more sanctions, Russian cyber reprisals have been scarce, perhaps because Western counter-reprisals are clearly being held in reserve. 

All that said, and despite unprecedented financial sanctions and export control measures, initiative in the conflict remains with Putin, and none of the panel is looking forward to finding out how Putin will react to Russia’s early humiliations in cyberspace and on the battlefield. 

In other tech news, the EU has not exactly turned over a new leaf when it comes to milking national security for competitive advantage over U.S. industry. Nate and Jane unpack the proposed European Data Act, best described as an effort to write a General Data Protection Regulation (GDPR) for non-personal data. And, as always, as a European effort to regulate a European tech industry into existence.  

Nate and I dig into a Foreign Affairs op-ed by Chris Inglis, the Biden administration’s National Cyber Director. It calls for a new Cyber Social Contract between government and industry. I CTRL-F for “regulation” and don’t find the word, likely thanks to White House copy editors, but the op-ed clearly thinks that more regulation is the key to ensuring public-private cooperation.  

Jane reprises a story from the estimable “Rest of World” tech site. It turns out that corrupt and abusive companies and governments have better tools for controlling their image than Vladimir Putin—all thanks to the European Parliament and the U.S. Congress, which approved GDPR and the Digital Millennium Copyright Act respectively. These turn out to be great tools for suppressing stories that make third-world big shots uncomfortable. I remind the audience once again that Privacy mainly Protects the Privileged and the Powerful.   

In closing, Jane and I catch up on the IRS’s latest position on face recognition—and the wrongheadedness of the NGOs campaigning against the technology. 

Download the 396th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Troops and sanctions and accusations are coming thick and fast in Ukraine as we record the podcast. Michael Ellis draws on his past experience at the National Security Council (NSC) to guess how things are going at the White House, and we both speculate on whether the conflict will turn into a cyberwar that draws the United States in. Neither of us thinks so, though for different reasons.

Meanwhile, Nick Weaver reports, the Justice Department is gearing up for a fight with cryptocurrency criminals. Nick thinks it couldn’t happen to a nicer industry. Michael and I contrast the launching of this initiative with the slow death of the China initiative at the hands of a few botched prosecutions. Michael and I do a roundup of news (all bad) about face recognition. District Judge Sharon Johnson Coleman (ND IL) gets our prize for least persuasive first amendment analysis of the year in an opinion holding that collecting and disclosing public data about people (what their faces look like) can be punished with massive civil liability even if no damages have been shown. After all, the judge declares in an analysis that covers a full page and a half (double-spaced), the Illinois law imposing liability “does not restrict a particular viewpoint nor target public discussion of an entire topic.” But not to worry; the first amendment is bound to get a heavy workout in the next big face recognition lawsuit—the Texas Attorney General’s effort to extract hundreds of billions of dollars from Facebook for similarly collecting the face of their users. My bet? This one will make it to the Supreme Court. Next, we review the IRS’s travails in trying to use face recognition to verify taxpayers who want access to their returns. I urge everyone to read my latest op-ed in the Washington Post criticizing the Congressional critics of the effort. Finally, I mock the staff at Amnesty International who think that people who live in high-crime New York neighborhoods should be freed from the burden of being able to identify and jail street criminals using facial recognition. After all, if facial recognition were more equitably allocated, think of the opportunity to identify scofflaws who let their dogs poop on the sidewalk. 

Nick and I dig into the pending collision between European law enforcement agencies and privacy zealots in Brussels who want to ban EU use of NSO’s Pegasus surveillance tech. Meanwhile, in a rare bit of good news for Pegasus’s creator, an Israeli investigation is now casting doubt on press reports of Pegasus abuse.

Finally, Michael and I mull over the surprisingly belated but still troubling disclosures about just how opaque TikTok has made its methods of operation. Two administrations in a row have started out to do something about this sus app, and neither has delivered – for reasons that demonstrate the deepest flaws of both.

Download the 395th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cyberlaw Podcast has decided to take a leaf from the (alleged) Bitcoin Bandits’ embrace of cringe rap. No more apologies. We’re proud to have been cringe-casting for the last six years. Scott Shapiro, however, shows that there’s a lot more meat to the bitcoin story than embarrassing social media posts. In fact, the government’s filing after the arrest of Ilya Lichtenstein and Heather Morgan paints a forbidding picture of how hard it is to actually cash $4.5 billion in bitcoin. That’s what the government wants us to think, but it’s persuasive nonetheless, and both Scott and David Kris recommend it as a read.

Like the Rolling Stones performing their greatest hits from 1965 on tour this year, U.S. Senator Ron Wyden of Oregon is replaying his favorite schtick from 2013 or so—complaining that the government has an intelligence program that collects some U.S. person data under a legal theory that would surprise most Americans. Based on the Privacy and Civil Liberties Oversight Board staff recommendations, Dave Aitel and David Kris conclude that this doesn’t sound like much of a scandal, but it may lead to new popup boxes on intel analysts’ desktops as they search the resulting databases.

In an entirely predictable but still discouraging development, Dave Aitel points to persuasive reports from two forensics firms that an Indian government body has compromised the computers of a group of Indian activists and then used its access not just to spy on the activists but to load fake and incriminating documents onto their computers. 

In the EU, meanwhile, crisis is drawing nearer over the EU General Data Protection Regulation (GDPR) and the European Court of Justice decision in the Schrems cases. David Kris covers one surprising trend. The court may have been aiming at the United States, but its ruling is starting to hit European companies who are discovering that they may have to choose between Silicon Valley services and serious liability. That’s the message in the latest French ruling that websites using Google Analytics are in breach of GDPR. Next to face the choice may be European publishers who depend on data-dependent advertising whose legality the Belgian data protection authority has gravely undercut.

Scott and I dig into the IRS’s travails in trying to implement facial recognition for taxpayer access to records. I reprise my defense of face recognition in Lawfare. Nobody is going to come out of this looking good, Scott and I agree, but I predict that abandoning facial recognition technology is going to mean more fraud as well as more costly and lousier service for taxpayers.

I point to the only place Silicon Valley seems to be innovating—new ways to show conservatives that their views are not welcome. Airbnb has embraced the Southern Poverty Law Center (SPLC), whose business model is labeling mainstream conservative groups as “hate” mongers. It told Michelle Malkin that her speech at a SPLC “hate” conference meant that she was forever barred from using Airbnb—and so was her husband. By my count that’s guilt by association three times removed. Equally remarkable, Facebook is now telling Bjorn Lonborg that he cannot repeat true facts if he’s using them to support the Wrong Narrative.  We’re not in content moderation land any more if truth is not a defense, and tech firms that supply real things for real life can deny them to people whose views they don’t like.

Scott and I unpack the EARN IT Act  (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act), again reported out of committee with a chorus of boos from privacy NGOs. We also note that supporters of getting tough on the platforms over child sex abuse material aren’t waiting for EARN IT. A sex trafficking lawsuit against Pornhub has survived a Section 230 challenge. 

Download the 394th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.