The Cyberlaw Podcast

In this news-only episode, we cover the irresistible story of the week: Trump, Russia, and the Media.  It’s especially irresistible for us because we’ve had two of the protagonists on as guests.  I make the bold prediction that Shane Harris’s stories on Russia collusion and the Trump campaign will be seen as the moment when the media’s OCD fascination with Russia collusion finally jumped the shark.  Though in this case, the shark had already consumed at least one Pulitzer Prize-winning journalist, Eric Lichtblau.  (And for the record, CNN, I am not advocating that more journalists should be eaten by sharks, and I refuse to accept the blame when they are.)

Unfortunately, journalists chasing nonstories can’t devote any attention to some very real stories involving government and IT.  So we do it for them.  Stephen Heifetz reports on the CFIUS logjam that is blocking close to a dozen transactions because the administration has not filled the subcabinet positions that could sort through the filings with a coherent policy in mind.

In other cyberwar logjam news, the UN Government Group of Experts (GGE) has failed to produce a consensus report following up on earlier reports endorsing some application of the law of war to cyberattacks.  Brian Egan explains what that means for the UN, the Trump administration, and the future of international cooperation on cyber norms.

Finally, Stephanie Roy explains the significance of the latest spat between Ajit Pai and Mignon Clyburn over online privacy regulation.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-172.mp3
Category:general -- posted at: 5:13pm EDT

Our guest, Ellen Nakashima, was coauthor of a Washington Post article that truly is a first draft of history, though not a chapter the Obama administration is likely to be proud of.  She and Greg Miller and Adam Entous chronicle the story of Russia’s information operations attack on the 2016 presidential election.

Want to know how it feels to have Donald Trump tweeting your article and taunting the last administration?  Don’t worry, we ask.  Also, why was the NSA only moderately confident that Putin was trying to help Trump win, and how did the Obama administration manage to “choke” at every turn?  Jim Comey makes a cameo appearance, ironically refusing to go public with his agency’s assessment of the hack because it might look like he was trying to influence the election – whew! – that’s a bullet dodged!

We dwell on the Obama administration’s bad luck in announcing its judgment on Putin’s hack half an hour before the Access Hollywood story broke and an hour before Podesta’s emails were released.  Sometimes you win the news cycle; sometimes the news cycle wins you.

Finally, Ellen talks about the plan to implant cyberweapons in Russian infrastructure and where it stands.  What infrastructure, you ask?  Infrastructure so serious it was approved by a phalanx of Obama administration lawyers, of course.  It’s an echt-Obama moment, the kind of thing that is bound to be in history’s second draft as well.

We begin the news roundup, as our fans demand, with the latest in sex toy cybersecurity law.  On a more serious note, Jennifer Quinn-Barabanov asks whether the Seventh Circuit has stuck a fork in the data breach class action tactic of offering full damages to the named plaintiff.

Jon Sallet reviews the remarkable success of the Obama Justice Department in challenging mergers in court and argues that it’s likely to continue, if not with the same frequency.

Michael Vatis and I pan Justice Kennedy’s gassy ode to the “Cyber Age” in Packingham v. North Carolina, an opinion that is sure to be cited far more often for its overblown dicta than for its unsurprising holding.

Speaking of the Court, the Solicitor General is seeking review of the Microsoft Ireland case.  Michael and I assess the odds of an affirmance.

Meanwhile, Maury Shenk reports, European angst over the internet continues to force the pace of government action.  Despite a leak revealing its spying on the US Government, Germany is doubling down, expanding law enforcement’s authority to hack suspects’ phones.  And the European Council is calling on Member States to prepare to impose sanctions in response to cyberattacks.

And where will those attacks come from?  Ask the Western IT companies that have recently been forced to disclose their source code to Russian intelligence agencies.  Strictly for cybersecurity purposes, naturally.

And LabMD has at last had a judicial hearing for its objections to the FTC’s handling of its data security case.  Michael and I agree:  it was such a bad day for the FTC that the Commission’s decision to override its own ALJ opinion now looks like hubris of the first order.

And, finally, we cover the equally hubristic decision of some CIA staff to demonstrate their hacker cred by spoofing the Agency’s snack machines.  It may be some consolation to them in unemployment that their exploit was pretty clever.  Or, who knows, maybe they’ve been brought back to help the agency implant the Kremlin’s snack machines.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-171.mp3
Category:general -- posted at: 7:22pm EDT

This week’s episode is a news roundup without interview.  We lead with the Senate’s overwhelming adoption of unexpectedly tough Russia sanctions along with the Iran sanctions bill.  The mainstream press has emphasized that the bill will lock the Obama sanctions into legislation, but Anthony Rapa explains that the bigger story is just how tough the bill will be on investors in Russia’s energy sector, including European and other third-country firms.  This is going to put heavy pressure on the House and its Republican majority, where enthusiasm for punishing Russia has been more tepid.

In other legislative news, the Freedom Caucus has announced that it doesn’t know what it wants from 702 renewal, but it wants something.  At least that’s how I read the Caucus’s two sentence press release on Section 702 renewal.  In its entirety, the release says, “Government surveillance activities under the FISA Amendments Act have violated Americans’ constitutionally protected rights.  We oppose any reauthorization of the FISA Amendments Act that does not include substantial reforms to the government’s collection and use of Americans’ data.” In a rare show of Cyberlaw podcast consensus, Michael Vatis agrees.

Meanwhile, NSA and GCHQ are now linking WannaCry to North Korea.  The bad news is that North Korea is bringing the same spirit to cyberattacks that it has brought to nukes and missiles.  The good news is that the North Koreans are still bad at cyberattacks.  But they were bad at nukes and missiles once as well.

And we circle back to put the boot in on Reality Winner – the self-proclaimed “pretty, white, and cute” dingbat who leaked an NSA memo on Russia’s election hacking to the Intercept, which then managed to match her opsec cluelessness with its own.

The export of exploits for internal security purposes is getting plenty of press, as the BBC goes after exports from Denmark to the Arab world while the New York Times exposes misuse of exploits to compromise critics of the Mexican government.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-170.mp3
Category:general -- posted at: 4:47pm EDT

In the news roundup, Benjamin Wittes makes a cameo appearance, defending Jim Comey (but not the FBI) from my suggestion that leaking has a long and unattractive history at the FBI.  Brian Egan takes us deep on federal records law.

Next, Ben actually finds himself to my right as we try to negotiate a quick resolution to the growing impasse over section 702.

I will never live it down. Nor will Ben.

Maury Shenk explains what the UK election means for tech.  Who knew?  The Unionists actually have a tech platform.

Maury and Brian muse on what the Qatar crisis tells us about cyberattacks – they may turn out to be much more effective as short-term one-offs than as sustained campaigns.

China has found a way to use its new cybersecurity law — to investigate Apple, naturally.  A better target would be the Chinese company Rafotech, which has installed something that looks a lot like spyware on 250 million machines.  I’ll be at the Irish government’s Data Protection Summit later this week, and I’ll be asking why the EU is wasting its human rights capital on fights with the US instead of China.

Finally, we cover Ukraine’s unusual new sanctions aimed at Russian social media companies, which are also Ukraine’s main social media companies.  No doubt there are censorship issues lurking in that program, but I can’t help wondering why human rights groups are riding the first amendment to the rescue of companies that dance to Vladimir Putin’s tune.

To close the episode, I interview Ben Buchanan, Fellow of the Cyber Security Project at the Harvard Kennedy School of Government.  I challenge the thesis of his book, The Cyber Security Dilemma: Hacking, Trust and Fear, and he holds up under the challenge pretty well.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-169.mp3
Category:general -- posted at: 6:05pm EDT

Episode 168 features the Tinker-to-Evers-to-Chance of global censorship, as Filipino contractors earning minimum wage delete posts in order to satisfy US tech companies who are trying to satisfy European governments.  In addition to Maury Shenk, our panel of interlocutors includes David Sanger, Chief Washington Correspondent for The New York Times, and Karen Eltis, Professor of Law at the University of Ottawa.  Even if you think that reducing Islamic extremist proselytizing online is a good idea, I conclude, that’s not likely to be where the debate over online content ends up.  Indeed, even today, controls on hate speech are aimed more at tweets that sound like President Trump than at extremist recruiting.  Bottom line:  no matter how you slice it, the first amendment is in deep trouble.

In other news, I criticize the right half of the blogosphere for not reading the FISA court decision they cite to show that President Obama was spying illegally at the end of his term. Glenn Reynolds, I’m talking about you!

The EU, in a bow to diplomatic reality, will not bother trying to improve the Safe Harbor deal it got from President Obama.  Instead, it will try to get President Trump to honor President Obama’s privacy promises. Good luck with that, guys!

Wikimedia’s lawsuit over NSA surveillance has been revived by the court of appeals, and I find myself unable to criticize the ruling.  If standing means anything, it seems as though Wikimedia ought to have standing to sue over surveillance; whether Wikimedia should be wasting our contributions on such a misconceived cause is a different question.

China’s cybersecurity law has mostly taken effect; Maury explains how little we know about what it means.

Finally, David Sanger, in his characteristic broad-gauge fashion, is able to illuminate a host of cyber statecraft topics: whether the North Koreans are getting better at stopping cyberattacks on their rocket program; how good a job Macron really did in responding to the Russian doxing attempt; and what North Korean hackers are up to in Thailand.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-168.mp3
Category:general -- posted at: 2:02pm EDT


Episode 167 sees blockchain take over the podcast again.  With Stewart traveling, Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and digital currency.  Our guest is Meltem Demirors, Director of Development at Digital Currency Group.  Podcast regular Maury Shenk joins members of Steptoe’s Blockchain and Digital Currency Practice, including financial regulation practitioner Matt Kulkin, tax guru Cameron Arterton, and author of several recent smart contracts blog posts Jared Butcher, in breaking down the current state of affairs in the blockchain world.

Our episode begins by looking at the brewing controversy in the tax world.  Cameron skillfully takes us through IRS Notice 2014-21, which provided initial guidance for how virtual currencies would be treated for tax purposes, as well as the charmingly named TIGTA Virtual Currency Report, released in September 2016, which told the IRS that it hadn’t done much beyond issuing this guidance to flesh out what it actually meant to consumers and businesses.  The IRS responded with the notorious Coinbase Summons, a John Doe summons that requested records of over 500,000 Coinbase subscribers.  Needless to say, this led to Coinbase users challenging the summons in court and moving to quash, while Congressional leaders question the wisdom of the IRS summons.  Cameron and Alan consider this an opportune moment for the IRS to work with the industry to develop additional guidance.

We then take on the emerging phenomenon of token sales, nicknamed Initial Coin Offerings or ICOs.  Matt and Alan tell us what in the world this is, how token sales work, and some of the legal challenges, including whether ICOs constitute sales of securities under the Howey test and the question of fiduciary duties.  Matt and Alan conclude that ICOs can vary significantly from each other and that ultimately virtual currencies and tokens may simply be a new asset class.

Steptoe has done a lot of writing lately on smart contracts, and Jared takes us through several recent Steptoe Blockchain Blog posts on reasons to put an arbitration clause in your company’s smart contracts, tips for drafting arbitration clauses in smart contracts, and best practices for limiting liability arising from smart contract vulnerabilities. Jared and Alan discuss the new approach companies need to take in considering issues like dispute resolution and liability limitations in the context of smart contracts.

We then go across the pond to Europe, where Maury gives us the status of the delayed EU proposal to extend AML regulation to virtual currencies.  Maury predicts that the legislation will pass this year forcing companies that provide virtual currency related services, such as exchanges and wallets, to comply with very burdensome requirements.

Finally, in the lightning round, Alan tells us about the recent surge in the price of bitcoin and other cryptocurrencies; Matt tells us about the future of leadership at the Commodity Futures Trading Commission and gives us an update on the Office of the Comptroller of the Currency’s proposed Fintech Charter, including a lawsuit by state regulators to head off this initiative.

In our interview, Meltem takes us through the current landscape of virtual currencies, including DCG’s recent launch of blockchain accelerator DCG Connect.  Meltem tells us about the current state of play for blockchain use cases and blockchain companies, and gives her thoughts on the ICO craze.  Meltem shares her thoughts on what she thinks are the most interesting things that she sees coming in the future, and she tells us what we should be looking for as signals that we’ve moved to the next stage of technical adoption of blockchain technology.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-167.mp3
Category:general -- posted at: 11:37am EDT

In episode 166, we interview Kevin Mandia, the CEO and Board Director of FireEye, an intelligence-led security company.  FireEye recently outed a new cyberespionage actor associated with the Vietnamese government.  Kevin tells us how FireEye does attribution and just how good the Vietnamese are (short answer:  surprisingly good but apparently small in scale).  Along the way, we also cover questions such as whether China has its own set of forensic cybersecurity firms, how confident we should be about the attribution of WannaCry to North Korea, and whether PLA Unit 61398 should treat its designation as APT1 as a prestige designation, sort of like having “bob@microsoft” as your email address.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.


Direct download: SteptoeCyberlawPodcast-166.mp3
Category:general -- posted at: 10:09am EDT

Episode 165 is a WannaCry Festivus celebration, as The Airing of Grievances overtakes The Patching of Old Machines. Michael Vatis joins me in identifying all the entities who’ve been blamed for WannaCry, starting with Microsoft for not patching Windows XP until after the damage was done.  (We exonerate Microsoft on that count.)

Another candidate for WannaCry Goat of the Year is (of course) NSA for allegedly letting a powerful hacking tool fall into the hands of the Shadow Brokers, who released it in time for WannaCry’s authors to drop it into their worm.  Private industry’s fingerpointing at NSA has led to introduction of the PATCH Act, which tries to institutionalize (and tilt) the vulnerability equities process.  I raise a caution flag about trying to prevent harmful vulnerability leaks by spreading information about the vulnerabilities to a new batch of civilian agencies.  I also ask whether a rational equities process should require that companies get the benefit of the process only if they agree to patch their products promptly and if they cooperate to the extent possible with law enforcement rather than forcing agencies to hack their products just to carry out lawful searches.  Somehow I’m guessing that will cool Silicon Valley’s enthusiasm for the whole idea.

Meanwhile, Shadow Brokers, widely thought to be Russian intelligence, may be having an equally awkward Festivus celebration with their masters, since the exploit they released seems to be causing more widespread discomfort in Russia than in the West, probably because of Russia’s high usage of unpatched pirate software.

The North Koreans should be on the carpet as well, since there is increasing reason to believe that WannaCry was a mostly failed effort by Kim Jong Un to raise money through cybercrime. The worm seems to have collected only $100 thousand in bitcoin for its authors, and the worst of its impact was likely felt in China, the world capital of pirated unpatched software.  Since North Korea seems to rely on China’s internet infrastructure to launch and control its cyberattacks, launching one that mainly hurts its host is typically shortsighted.

Finally, the victims don’t escape blame. The SEC unveiled its latest criticism of private sector security practices in the financial industry as the WannaCry publicity reached a peak.

Meanwhile, our own Jon Sallet joins the Oliver-Pai debate on net neutrality, and through the magic of radio, he is able to coffee-cup-shame both of them.  (Sound effects credit to www.zapsplat.com.)  As an encore, Jon explains why the European Commission fined Facebook $122 million over its acquisition of WhatsApp – without undoing the deal.

As always the Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


Direct download: Episode_165.mp3
Category:general -- posted at: 10:48am EDT

With our sound system back online, episode 163 is already a big step up from Lost Episode 162.  (Transcripts of 162 are available for those who wish by sending email to CyberlawPodcast@steptoe.com.)

Our interview is with Susan Munro, of Steptoe’s Beijing office.  Susan unwinds the complex spool of cyberlaw measures promulgated by the Chinese government.

In the news, Maury Shenk and I note that Putin reran his U.S. playbook in the French election, but the French were ready for him.  Indeed, what we originally thought to be crude Russian forgeries may actually be Macron “honey docs” meant to look like crude Russian forgeries.  If so, my hat is off to Macron’s I.T. team.

Meanwhile, Jennifer Quinn-Barabanov spots a new trend in cybersecurity litigation.  It’s nuts, but that’s not the new part.

The intelligence community’s latest transparency report reveals a shocking stat about “backdoor” FBI searches of 702 for criminal cases.  The bureau did that all of … one time.  Those who want to clog our security services with ever more burdensome processes are going to have to find a bigger scandal.

The Republicans complaining about Susan Rice and “unmasking” can find more to work with in the report. Turns out that Americans were identified in masked or unmasked form in about 4000 reports last year, but by the time the report writers and the intelligence consumers were done, about 3000 reports had seen their Americans unmasked. With numbers like that, if the issue hadn’t been raised first by Republicans, every newspaper in America would be calling for an investigation of unmasking standards.

Okay, this is getting embarrassing.  The White House has now spent more time drafting a cyber EO calling for urgent reports from the departments than it’s giving the departments to write the urgent reports.  And so far, as Alan Cohn points out, all we have to show for it is … another leaked draft.

Jennifer explains why the latest Home Depot settlement is both good and bad for the plaintiffs’ bar. 

Alan dives deep for substance in the White House’s EO creating an American Tech Council.  He comes up empty.  The EO is purely procedural.

Maury explains the UK’s draft surveillance obligations, concluding there’s not much new in them.  And Germany’s intelligence service is complaining both about Russian hacking and about its lack of authority to, uh, hack back to destroy third party servers.  Chris Painter, call your office!

Alan tells us that DHS cybersecurity did pretty well in the budget deal, but only if your point of comparison is EPA’s budget.

At least DHS is making the right enemies.  Jennifer explains DHS backpedaling on the privacy rights of non-Americans.  And Alan and I flag the ABA’s interest in border searches of lawyers’ electronics.

Finally, in cybersecurity news, the Guardian plays the world’s smallest violin for billionaire superyacht owners, and the recent defeat of a common form of two-factor authentication will put new cybersecurity pressure on SS7.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


Direct download: SteptoeCyberlawPodcast-163.mp3
Category:general -- posted at: 4:52pm EDT

In this episode, I debate Michael Schmitt, a prime mover in two Tallinn Manuals on international law and cyber operations.  We are joined by an expert on the topic and a new Steptoe partner, Brian Egan, who was formerly the State Department legal adviser, among other accomplishments.  And among the hypotheticals is indeed a DDoS attack on the United States by internet-enabled vibrators with unchangeable default passwords.  Because, as the news roundup covers, the FTC may soon be wrestling with the question of how to regulate such security violations.

Meanwhile, Michael Vatis and I clash over the meaning of the NSA’s decision to abandon productive intelligence collection. I think it’s risk aversion and a return to September 10. Michael thinks it’s too early to make that judgment.

Stephanie Roy gives an overview of Ajit Pai’s plan to undo the last two Federal Communications Commissions’ net neutrality strategies.

Michael reports on two Silicon Valley giants who fell prey to $100 million (each) cyberscams. I wonder if this means that technologists will stop gloating that Snowden and Shadowbrokers show that only private companies can be trusted to do security right.

This week in news that isn’t news at all: The Russians who hacked Clinton are going after Emmanuel Macron in France, says Trend Micro.

Finally, vigilante justice seems to be sweeping the internet, as the spousal spyware firm, Flexispy, is doxed, and Brickerbot starts securing insecure IoT devices the hard way—by bricking them.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


Direct download: SteptoeCyberlawPodcast-162.mp3
Category:general -- posted at: 4:55pm EDT

In this episode, Alan Cohn and Maury Shenk look at questions in Europe and elsewhere in Stewart’s absence.  Maury delves into why Google was ordered to turn over foreign data accessible from the U.S., a decision that seems at odds with the Microsoft Ireland case.  Alan considers claims made by David Sanger and William Broad in The New York Times that the U.S. blew up North Korea’s most recent missile test, and Jeffrey Lewis’s rebuttal in Foreign Policy.  Alan and Maury both remain skeptical.

Leaving the Korean peninsula, Maury discusses the current effort by EU data protection regulators to enact e-privacy regulations that would, among other things, put in place detailed standards for location tracking and content associated with metadata.  No surprises, but potentially more headaches for US industry.  And back on U.S. soil, Alan comments on the U.S. Justice Department’s apparent decision to reconsider criminal charges against Wikileaks for the CIA cyber-tools leak.  Maury provides some color on the Trump Administration’s (lack of) views on Privacy Shield.

Finally, Alan reviews the bidding on dual-use export controls and cyber technologies, explaining both the most recent negotiations under the Wassenaar Arrangement and the EU’s efforts to amend its dual-use export controls to include cyber-surveillance technologies.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-161.mp3
Category:general -- posted at: 2:16pm EDT

This week the podcast features an extended news roundup with two guest commentators—Julian Sanchez of the Cato Institute and Gus Hurwitz of Nebraska Law School.

We talk about the latest, mostly overhyped, Shadowbrokers dump, and whether Google Translate can be taught to render plain text into Shadowbrokerese as well as Klingon.

Stephanie Roy kicks off speculation about the future of net neutrality in the Pai FCC. The future looks bright for litigators.

Abbott Labs takes a short but brutal session in the woodshed from the FDA. Looks like Abbott’s now-subsidiary, St. Jude Medical, knew for years that its backdoor could be found by outsiders, but it stuck to the view that hardcoded access was a feature not a bug. Too bad Uber has already trademarked the name, because if ever there were a feature that deserved to be called “God mode,” this is it.

Burger King triggers a technical battle with Google and an editing war with Wikipedia with a commercial that begins, “Okay, Google, what’s a Whopper burger?”  But, law nerds that we are, all we can talk about is whether Burger King is liable under the Computer Fraud and Abuse Act.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


Direct download: SteptoeCyberlawPodcast-160.mp3
Category:general -- posted at: 12:00pm EDT

Our guest interview is with Nick Weaver, of Berkeley’s International Computer Science Institute.  It covers the latest dumps of hacker tools, the vulnerability equities process, the so-bad-you-want-to-cover-your-eyes story of Juniper and the Dual_EC hacks, and ends with a tour of recent computer security disasters, from the capture of a bank’s entire online presence, to the pwning of Dallas’s emergency sirens and a successful campaign to compromise the outsourcing firms that supply IT to small and medium sized businesses.

In the news roundup, Maury Shenk and Jamil Jaffer, of George Mason’s National Security Law & Policy Program, talk with me about the likely outcome of the European movement to regulate encryption.  The bad news for Silicon Valley is that the US isn’t likely to play much of a moderating role when the Europeans tighten the screws.

In other news, Jennifer Quinn-Barabanov explains the two-front battle that Wendy’s is facing (and mostly losing) over data breach liability.

I acknowledge the latest Silicon Valley fad:  filing lawsuits on behalf of their customers’ privacy.  So far, Twitter has chalked up a win, and Facebook a loss.

LabMD has also chalked up another win, this time in a Bivens action to hold FTC officials personally liable for aggressively enforcing the law against the company as punishment for its outspoken critique of the Commission.  The case has mostly survived a motion to dismiss.

Meanwhile in Massachusetts, outmoded privacy laws continue to burden would-be undercover journalists, and Jennifer reports that the prospects for invalidating a law banning recordings of oral conversations on first amendment grounds took a hit last week, at least as it relates to public officials.

Finally, in other computer security news around the globe, Germany’s security services are claiming a lack of authority to take needed action in response to cyber threats.  In India, in contrast, enthusiasts for better attribution of India’s populace are forcing everyone to register in a detailed identity database – despite the efforts of India’s top court to ensure that the system remains voluntary.  The death of anonymity will be a prolonged affair, but the outcome seems inevitable.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-159.mp3
Category:general -- posted at: 10:04am EDT

Episode 157 digs into the security of the medical internet of things.  Which, we discover, could be described more often than we’d like as an internet of things that want to kill us.  Joshua Corman of the Atlantic Council and Justine Bone, CEO of MedSec, talk about the culture clash that has made medical cybersecurity such a treacherous landscape for security researchers, manufacturers, regulators, and, unfortunately, a lot of patients who remain in the dark about the security of devices they carry around inside them.

In the news roundup, Phil Khinda takes us through the likely trend in SEC cybersecurity enforcement in the new administration.  Stephen Heifetz does the same for the Committee on Foreign Investment in the United States, or CFIUS.

I claim that Eli Lake’s Bloomberg story finally explains why Republicans think that Obama administration surveillance and unmasking of Trump team members needs to be investigated.  Stephen calls it a distraction.

In other news, Buzzfeed gets taken down by a lawyer with a sense of humor, big claims are made for the impact of the third Wikileaks Vault7 document dump, and Donald Trump may have forgiven Apple.  Finally, Jim Comey’s Twitter account may have been outed; that’s the story, because the tweets themselves are anodyne in the extreme.

For those wanting to dig deeper into medical device cybersecurity, Joshua Corman recommends the following links, all referenced in the interview:

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-157.mp3
Category:general -- posted at: 10:02am EDT

Our interview is with Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House and current President of the Cyber Threat Alliance. We ask Michael how the new guys are doing in his job, what he most regrets not getting done, why we didn’t float thumb drives filled with “The Interview” into North Korea on balloons, and any number of other politically incorrect questions. His answers are considerably more nuanced.

In the news roundup, we note that the second Wikileaks release is a damp squib, full of outmoded Apple exploits.

Michael Vatis and I unpack the Third Circuit ruling upholding imposition of contempt penalties on a defendant who has “forgotten” the password to his child porn trove.  It turns out that the case offers a road map for prosecutors and police who want to make sure no one ever forgets a password in their jurisdiction.

Stephanie Roy notes that Congress has begun the process of repealing the ISP privacy and security regulations adopted under Chairman Wheeler.  What, if anything, will replace them, and when, is a matter for lengthy speculation.

I note that the privacy zealots of Silicon Valley have fatally miscalculated the kind of support they’ll get in Europe for end-to-end encryption. Face it, guys, Europe hates you no matter what you do, and they’ll happily impose massive fines both for violating user privacy and for protecting it too well.

Does GCHQ spy on Americans for NSA? Nope. The real question is whether Rick Ledgett, number two at NSA, has already stopped sounding like a government employee when he talks to the press.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-156.mp3
Category:general -- posted at: 4:10pm EDT

Episode 155 of the podcast offers something new: equal time for opposing views. Well, sort of, anyway.  In place of our usual interview, we’re running a debate over hacking back that CSIS sponsored last week.  I argue that U.S. companies should be allowed to hack back; I’m opposed by Greg Nojeim, Senior Counsel at the Center for Democracy & Technology and Jamil Jaffer, Vice President for Strategy & Business Development of IronNet Cybersecurity.  (Jeremy Rabkin, who was supposed to join me in arguing the affirmative, was trapped in Boston by a snowstorm.)

In the news, we can’t avoid the unedifying—and cynical—spat between press and White House over wiretapping. Turning to legal news, I note the D.C. Circuit’s adoption of a cursory and unpersuasive reading of the Foreign Sovereign Immunities Act in the context of state-sponsored hacking of activists in the United States. Maury Shenk unpacks the latest ECJ opinion refusing to apply the “right to be forgotten” across the board to government databases. So far, the only clear application is to American tech giants. That’s also true of the latest German proposal to make the internet safe for censors, government and nongovernment alike. As Maury explains, the German Justice Minister is proposing fines up to $50 million for tech giants that don’t censor online speech fast enough or hire enough European private censors to keep up with the workload.

The Justice Department’s indictments in the Yahoo! hack show just how remarkably intertwined Russian intelligence and Russian cybercrime have become.

Alan Cohn and I chew over the latest developments in the new administration’s approach to cybersecurity—a determination to cripple botnets more effectively, and a willingness to exempt DHS cyber programs from what looks like a drastic set of budget cuts for nondefense agencies. Whether the administration can make progress on botnets while sticking to voluntary measures is uncertain; equally uncertain is whether the plus-ups for DHS cyber reflect satisfaction with the agency’s performance on that mission in recent years.

Finally, Maury and I ask whether the German government is surrendering to reality in pursuing more effective video surveillance of possible criminals and terrorists.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-155.mp3
Category:general -- posted at: 5:40am EDT

In this week’s episode, we ask two acknowledged NSA cybersecurity experts, Curtis Dukes and Tony Sager, both from the Center for Internet Security, what they tell their family members about how to keep their computers, phones, and doorbells safe from hackers.

Joining us for the news round-up is Carrie Cordero, a Washington lawyer who focuses on national security law, homeland security law, cybersecurity and data protection issues.  She is also an adjunct professor of Law at Georgetown University.

Topping the news is the Wikileaks Vault7 release, including Assange’s mischievous offer to work with Silicon Valley to fix vulnerabilities before they’re disclosed.  Carrie, Markham Erickson, and I comment.

Stephanie Roy reports that the FCC is investigating a 911 outage at AT&T; so far the agency has been tight-lipped about the details.

Home Depot is nearing the finish line in its data breach ordeal, Jennifer Quinn-Barabanov reports. The banks that had to reissue credit cards were among the last holdouts; they’re getting $25 million, which sounds like a lot until you do the math and realize it’s two bucks a card.

Jennifer tells us that another defense effort to moot a TCPA class action by picking off a named plaintiff has been thwarted—this time by the Second Circuit.

Tom Graves (R-GA) has introduced a hackback defense to CFAA liability. Markham and I trade barbs over the wisdom of allowing hackback defenses, but we reach agreement on the depth of Uber’s greyballing problems—and the risk that more companies will use big data to disfavor some customers without telling them.

Carrie reports on developments in the FBI-Geek Squad imbroglio, and I mock the reporters who have bought the deeply unappealing defendant’s claim to be a civil liberties victim.

Last, and well worth the wait, Jennifer and I update our listeners on the latest in CyberSexToy privacy.  Turns out the records of interactions with your internet-enabled vibrator can be compromised for a surprisingly low settlement price. Maybe now we really ought to call the time of death for internet privacy.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-154.mp3
Category:general -- posted at: 1:57pm EDT

In this episode, Matt Tait, aka @PwnAllTheThings, takes us on a tour of Russia’s cyberoperations. Ever wonder why there are three big Russian intel agencies but only two that have nicknames in cybersecurity research? Matt has the answer to this and all your other Russian cyberespionage questions.

In the news, we mourn the loss of Howard Schmidt, the first cyber czar and one of the most decent men in government. Then we descend into the depths of the Trump wiretap story. I reprise some of my views from Lawfare. Michael Vatis is not persuaded.

After Microsoft’s refusal to provide data stored in the cloud outside the U.S. was upheld in the Second Circuit, things looked rosy for its position. But now two magistrates in a row have rejected that position.  Michael and I discuss the latest ruling.

Maury Shenk is now our official commentator on the legal consequences of Internet-enabled toys. This time it’s teddy bears, whose interactions with children and parents were exposed by hackers.

More seriously, Maury praises an impressive new analysis of China’s 50c army of tweeters. It turns out that everything we thought we knew about the 50c army is wrong. 

Just in time for an early spring, we have harbingers of the coming fight over reauthorization of the 702 intercept program. Director of National Intelligence candidate Dan Coats promises to put a number on the US persons whose communications are caught up in the program; the Electronic Frontier Foundation (EFF) and other NGOs turn on both the US government and Silicon Valley to urge that Privacy Shield be held hostage to changes in the program. And the incoming Commerce Secretary, Wilbur Ross, endorses Privacy Shield, a move that may validate EFF’s tactics.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-153.mp3
Category:general -- posted at: 11:52am EDT

Our guest for episode 152 is Paul Rosenzweig, and we tour the horizon with him.

In the news roundup, Stephanie Roy outlines the deregulatory tangle around ISPs, privacy, security, and the FCC. Maury Shenk briefs us on the European legislation authorizing the quashing of terrorist advocacy on line. Jennifer Quinn-Barabanov explains when standing is a defense against privacy claims and when it isn’t. Together, we remark on the latest example of formerly stodgy banks embracing their inner plaintiffness.

Maury explains why the Germans have banned Cayla the talking (and listening!) doll. I ask whether the Germans next plan to ban speakerphones. (Likely answer: only if they come from America.)

Paul and I dig into the Amazon claim that the First Amendment prevents enforcement of a criminal discovery order seeking Amazon Echo recordings. Hey, the suspect might have been ordering books, and that’s a First Amendment activity, says Amazon; and anyway, what Alexa said back to the suspect was an exercise of Amazon’s First Amendment rights. These arguments cry out for the command most frequently heard by my music-playing Echo: “Alexa, that’s enough.”

Almost as unpersuasive to Paul and me is magistrate judge David Weisman’s refusal to issue an order allowing the police to search a home and make anyone on the premises put their fingers on their iPhones to unlock them. That act is testimonial in Weisman’s opinion because, well, because he says it is. (His Fourth Amendment analysis is better, but hardly compelling.)

Paul explains the dramatic clash of cultures hidden in the otherwise esoteric battle between the GSA’s inspector general and “18F,” an Obama-meets-Silicon-Valley effort to streamline government IT development. Like any good tragedy, you knew from the start that this trainwreck was coming, but you still can’t look away.

The draft cyber executive order still isn’t out, despite what looks like a much more disciplined vetting process than other EOs went through. What’s the reward for running a good interagency process in a White House not noted for such discipline? The Homeland Security Council may get folded under the National Security Council.

No one has heard of the National Association of Secretaries of State in 50 years. And if you want to know why, we say, look no further than NASS’s foolish resolution objecting to the designation of electoral systems as "critical infrastructure."

Finally, Paul and I noodle over DHS’s request that Chinese visitors to the US voluntarily disclose their social media handles. I predict that this puts the frog in the pot and the stove on simmer. Meanwhile, Paul finds one border security measure that even I wouldn’t adopt.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-152.mp3
Category:general -- posted at: 3:20pm EDT

In this episode, Stewart Baker goes to RSA and interviews the people that everyone at RSA is hoping to sell to—CISOs. In particular, John “Four” Flynn of Uber, Heather Adkins of Google, and Troels Oerting of Barclays Bank. We ask them what trends at RSA give them hope for the future, which make them weep, what’s truly new in cybersecurity, and what kind of help they would like from government. 

While Stewart’s traveling, Alan Cohn takes over the news roundup. We start with some news from the RSA Conference keynotes. Brad Smith, President of Microsoft, called for a cyber “Geneva Convention” on behalf of the sovereign nation of Microsoft. And Rep. Michael McCaul (R-TX), chair of the House Committee on Homeland Security, announced his opposition to backdoors in encryption, lining up with former Secretary of Homeland Security Michael Chertoff and former NSA and CIA Director Michael Hayden, but against current Attorney General Jeff Sessions and current FBI Director Jim Comey.

In news from across the pond, Maury takes us through the EU’s efforts to take on robots.  We coin the term #EURobotHammer in the process (it’s complicated). Maury also tells us whether the Russians are hacking the French elections (it’s complicated).

Back stateside, Alan asks what the cyber implications are of "out like Flynn, in with McMaster" at the National Security Council. Alan also confides in us about White House staffers’ use of confidential messaging apps like Confide (see what I did there?). 

Finally, Alan takes us through a few quick hits on CrowdStrike vs NSS Labs, the SASC’s new Cyber subcommittee, and Yahoo!’s $350M haircut.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-151.mp3
Category:general -- posted at: 5:48pm EDT

In our interview this week, we explore multiple worthwhile Canadian initiatives with Dominic Rochon, deputy chief of policy and communications for CSE, Canada’s version of the NSA, and with Patricia Kosseim, general counsel and director general for policy at the Office of Canada’s Privacy Commissioner. Among other things, we take a close look at Canada’s oversight regime for intelligence, in which a retired judge gets to exercise executive authority over the CSE—in contrast to the US system where active judges do the same but pretend they’re carrying out a judicial function.

In the news roundup, Judge Robart is doing his best to hog the judicial headlines, not only blocking the Trump administration’s immigration policy but giving support to Microsoft’s suit to overturn discovery gag orders en masse. His opinion allows Microsoft to proceed with a lawsuit claiming that gag orders violated the First Amendment.

The Trump Administration could soon begin asking foreigners coming to the United States—particularly from some Muslim-majority countries—to turn over their social media accounts and passwords. This is a policy begun under the Obama administration and supported by bipartisan homeland security groups.  I predict that it will nonetheless soon be trashed by the press as an Evil Trump Initiative.

Tallinn 2.0 is out. It applies international law to cyber activity at and below the threshold of armed conflict. Color me skeptical.

The cybersecurity Executive Order that’s been hanging fire for weeks is still hanging fire. A new draft has been leaked, though, and it’s better.

Hal Martin is indicted for stealing massive amounts of data from NSA and perhaps others. According to a Washington Post report, US officials think Martin may have stolen 75% of the NSA’s hacking tools. Ouch.

In other news, Rick Ledgett, the No. 2 official at the NSA, is leaving, but not because of Trump. And Google has told several prominent journalists that state-sponsored hackers are trying to break into their inboxes.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-150.mp3
Category:general -- posted at: 2:38pm EDT

Our guest for episode 149 of the podcast is Jason Healey, whose Atlantic Council paper, “A Nonstate Strategy for Saving Cyberspace,” advocates for an explicit bias toward cyber defense and the private sector.  He responds well to my skeptical questioning, and even my suggestion that his vision of “defense dominance” would be more marketable if paired with thigh-high leather boots and a bull whip. #50ShadesofCyber.

In the news roundup, we experiment with, uh, actual legal discussion.  The Microsoft Ireland case has company; Google recently lost a similar argument before a magistrate judge – maybe because it couldn’t say where the data it wanted to protect from disclosure actually was.  Michael Vatis explains.

Meredith Rathbone and I take a victory lap over CNN and its reporters, noting that if they’d listened to the podcast, they’d have known a month early that US sanctions had unexpectedly prevented US companies from filing license applications with Russian intelligence agencies – and that allowing companies to make such filings wasn’t an opportunity for hyperventilating about President Trump’s bromance with Putin.

Michael and I also deconstruct Supreme Court nominee Neil Gorsuch’s opinion in US v. Ackerman.  The opinion calmly and clearly puts a hole below the waterline in a longstanding approach to collecting evidence in child porn cases.  If this case gives a clue to his jurisprudence, it seems unlikely that a Justice Gorsuch will be a pushover for government arguments.

Can American companies sue governments that hack them in the US?  I hope so, but that depends on whether the Foreign Sovereign Immunities Act provides protection for malware sent from abroad that does its damage here.  In an unlikely-bedfellows moment, I’m depending on EFF to make that argument to the DC Circuit.

And, to follow up on two stories we covered earlier, Brexit authority slips quickly through the House of Commons, while Google’s penny-pinching settlement of a massive “wiretapping” class action is approved over objections to the cy pres payments to the usual NGOs.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-149.mp3
Category:general -- posted at: 5:13pm EDT

Our guest for episode 148 of the podcast is Corin Stone, the Executive Director of the National Security Agency.  Corin handles some tough questions – should the new team dump PPD-28, how is morale at the agency after the Snowden and Shadowbroker leaks, and will fully separating Cyber Command from NSA mean new turf fights?  I give Corin plenty of free advice and, more usefully, our first in-person award of the coveted Steptoe Cyberlaw Podcast coffee mug.

In the news, Alan Cohn and I cover the Second Circuit’s much-ado-about-nothing package of opinions on rehearing the Microsoft-Ireland case.

Maury and I discuss what the new White House executive order on the privacy rights of foreigners means – as well as Donald Trump’s meeting with Theresa May (including whether they talked about Russia sanctions).  Also on the agenda:  Has Donald Trump already surpassed Barack Obama’s lifetime record for holding hands with prominent White House visitors?

Speaking of Peter Thiel, Jennifer Quinn-Barabanov and I speculate about whether FTC commissioner Maureen Ohlhausen will pull the FTC back from the ledge on suing companies for security flaws that don’t cause demonstrable consumer harm.  And whether Peter Thiel is looking for someone else to chair the FTC.

In other news, no new executive order on cybersecurity yet, despite (or because of) the leaks. China disses attribution.  And ADT settles an early IOT security class action.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_148.mp3
Category:general -- posted at: 12:37pm EDT

Our guest interview is with Jack Goldsmith, Shattuck Professor of Law at Harvard and co-founder of Lawfare. We explore his contrarian view of how to deal with Russian hacking, which leads to me praising (or defaming, take your pick) him as a Herman Kahn for cyberconflict. Except what’s unthinkable in this case are his ideas for negotiating, not fighting, with the Russians.

In the news roundup, I ask Michael Vatis whether the wheels are coming off the FTC’s business model, as yet another company refuses to succumb to the commission’s genteel extortion. 

The Obama Administration came to an end last week, and its officials left behind a lot of paper to remind us why we’ll miss them—and why we won’t. A basically sympathetic review of the administration’s cyber policies ends with a harsh judgment on President Obama: “He did almost everything right and it still turned out wrong.”

Among the leftovers served up last week: a farewell statement on privacy that seems unlikely to prove relevant in the new administration, a workman-like report on cyber incident response, a wistful FCC public safety bureau report on the commission’s cybersecurity initiatives, and a zombie notice that showed up in the Federal Register three days into the Trump administration, implementing the Umbrella Agreement on data protection with the EU. Maury Shenk evaluates the agreement and its prospects.

And just to make sure we haven’t forgotten the new team’s rather different approach, it posted a policy statement on how good its cyber policy will be. It reads, in its entirety, “Cyberwarfare is an emerging battlefield, and we must take every measure to safeguard our national security secrets and systems. We will make it a priority to develop defensive and offensive cyber capabilities at our U.S. Cyber Command, and recruit the best and brightest Americans to serve in this crucial area.”

I try a quick explanation of the flap between security researchers and the Guardian over an alleged “back door” in WhatsApp messaging. Somehow, the Iran-Iraq war makes an appearance.

And, in a first for the Steptoe Cyberlaw Podcast, Alan Cohn reports as our roving foreign correspondent from, where else, Davos. Want to know what the global 1% are worried about—other than you? Alan has the answers.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-147.mp3
Category:general -- posted at: 1:15pm EDT

Would it violate the Posse Comitatus Act to give DOD a bigger role in cybersecurity? Michael Vatis and I call BS on the idea, which I ascribe to Trump Derangement Syndrome and Michael more charitably ascribes to a DOD-DHS turf fight.

Should the FDA allow implants of defibrillators with known security flaws—without telling the patients who are undergoing the surgery?  That’s the question raised by the latest security flaw announcement from the FDA, DHS, and St. Jude Medical (now Abbott Labs).

Repealing the FCC’s internet privacy regulations is well within Congress’s power if it acts soon, says Stephanie Roy, who stresses how rare it is for a Republican president to control both houses of Congress.  (And who says President Obama didn’t leave a legacy?)

The European Commission isn’t done complaining about U.S. security programs, Maury Shenk tells us. Vera Jourova wants to know more about the U.S. request that Yahoo! screen for certain identifiers and hand over what it finds. That’s apparently too useful for finding terrorists to satisfy delicate European sensibilities.  Speaking of which, Angela Merkel is in the bulls-eye for Russian doxing.  And to hear Maury tell it, Russia has probably been collecting raw material for years.

Should we start treating Best Buy computer support as though its geeks work for the FBI? And would that be a defense if they find bad stuff on our computers without a warrant? Michael thinks it’s more complicated than that.

Speaking of overhyped stories, Michael and I unpack the claim that President Obama’s team is handing out access to raw NSA product with unseemly haste and enthusiasm. In fact, this proposal has been kicking around the interagency for years, and the access is heavily circumscribed. As for the haste, it could be the outgoing team is afraid its proposal will be unduly delayed—or that all its circumscribing will be second-guessed. You make the call!

And for something truly new, we offer “call-in corrections,” as Nebraska law professor Gus Hurwitz tells us about the one time the FTC discussed the NIST Cyber Security Framework.  It’s safe to say that this correction won’t leave the FTC any happier than my original charge that the agency can’t get past “Hey! I was here first!”

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-146.mp3
Category:general -- posted at: 10:29am EDT

Steptoe Cyberlaw Podcast – Interview with Davis Hake and Nico Sell

Episode 145:  What Donald Trump and “Occupy Wall Street” have in common

We interview two contributors to CSIS’s Cybersecurity Agenda for the 45th President.  Considering the track record of the last three Presidents, it’s hard to be optimistic, but Davis Hake and Nico Sell offer a timely look at some of the most pressing policy issues in cybersecurity.

In the news roundup, it’s more or less wall to wall President-elect Trump. Michael Vatis, Alan Cohn, and I talk about Russian hacking, the American election, Putin’s longtime enthusiasm for insurgent movements from “Occupy Wall Street” to “Make America Great Again,” and the President-elect’s relationship with the intelligence community.

In other news, I’m forced to choose between dissing the New York Times and dissing Apple’s surrender to Chinese censorship. Tough call, but I make it. Speaking of censorship, Russia is rapidly following China’s innovation in app store regulation.  For legal antiquarians, I suggest that the Foreign Agent Registration Act deserves a comeback.

It seems to be solidarity week.  Lots of amici have leapt to support LabMD in court now that it looks like a winner. Meanwhile, I stick up for Mike Masnick, the man who puts the dirt in Techdirt. He may be a colorfully opinionated jerk, but he doesn’t deserve to be a defendant.  And I congratulate Lawfare for joining the Europocrisy campaign on Schrems and China.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-145.mp3
Category:general -- posted at: 4:07pm EDT

We start 2017 the way we ended 2016, mocking the left/lib bias of stories about intercept law.  Remember the European Court of Justice decision that undermined the UK’s new Investigatory Powers Act and struck down bulk data retention laws around Europe?  Yeah, well, not so much.  Maury Shenk walks us through the decision and explains that it allows bulk data retention to continue for "serious" crime, which is really the heart of the matter.

We can’t, of course, resist an analysis of the whole Russian election interference sanctions brouhaha.  The FBI/DHS report on Russian indicators in the DNC hack is taking on water, and its ambiguities have not been helped by a Washington Post article on alleged Russian intrusion into Vermont Yankee’s network.  That story had to be walked way back, from an implicit attack on the electric grid to an apparently opportunistic infection of one company laptop.  No one is surprised that there’s an increasingly partisan split over who’s going to answer the phone now that the 1980s really have called to get their foreign policy back. 

Meredith Rathbone walks us through the revamp of the Obama Administration’s cyber sanctions in an attempt to address election meddling.  And we manage to find a legal twist to the new sanctions on the FSB.  Turns out that large numbers of U.S. tech firms have to deal with the FSB, not as a buyer of services but as a regulator, both of encryption and intercepts inside Russia.  If the sanctions prohibit dealing with FSB as a regulator, Maury reports, they could end up imposing unintentionally broad restrictions on a lot of US companies doing business in Russia.

Meredith also updates us on the Wassenaar effort to control exports of “intrusion software”—which some European governments seem to want to regulate in a way that does maximum damage to cybersecurity.  The overreaching was blunted in a recent Wassenaar meeting, but not nearly as much as the U.S. government—and industry—had hoped.  The issue won’t go away, but it will soon become an appropriate job for the author of “The Art of the Deal.”

Finally, Jennifer Quinn-Barabanov takes us on a tour of the dirtier back streets of privacy class action practice—otherwise known as cy pres awards and their challengers.  It sounds like “genteel corruption” to me, but you be the judge.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-144.mp3
Category:general -- posted at: 11:01am EDT

Fresh off a redeye from Israel, I interview Matthew Green of the Johns Hopkins Information Security Institute. Security news from the internet of things grows ever grimmer, we agree, but I get off the bus when Matt and the EFF try to solve the problem with free speech law.

In the news roundup, Matt joins Michael and me to consider the difficulties of retaliating for Putin’s intrusion into the US election. There just aren’t that many disclosures that would surprise Russians about Vlad, though the Botox rumors are high on my list.

In other news, the EU’s cybersecurity agency, ENISA, issues a report on crypto policy that has a surprisingly musty air.

Two new settlements show the limits of privacy law. Michael Vatis covers them both. Ashley Madison settles with the FTC and is assessed a large fine that has to be partially forgiven because the company can’t pay. We all thought that adultery was a more durable business model. And Google settles a class action for unlawful wiretapping by agreeing to scan everyone’s email a few microseconds later than it used to. To spike the football in its victory, Google offers most victims of the violation damages that amount to, well, nothing.

Ah, but Europe marches on, convinced that more privacy regulation will solve the twenty-first century for Europe. Given a choice between more privacy regulation or less, the EU of course chooses more. Maury Shenk explains.  Meanwhile, faced with the problem of “fake news” and the real risk that Vladimir Putin will use doxing and propaganda against Angela Merkel in her election next year, Europe has the answer: more regulation, especially regulation that puts all the blame on American social media companies. The First Amendment rights of Americans look to be collateral damage.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-143.mp3
Category:general -- posted at: 9:25am EDT

Too busy to read the 100-page Presidential Commission on Enhancing National Security report on what the next administration should do about cybersecurity? No worries. Episode 142 features a surprisingly contentious but highly informative dialog about the report with Kiersten Todt, the commission’s executive director.

In the news, Lindsey Graham, John McCain, and a host of Dems want to investigate Russia’s role in the recent election, while the President-elect thinks it’s, well, fake news, to borrow a lefty trope. Michael Vatis presses me to pick a side. Long-time listeners won’t be surprised at my answer.

The Ninth Circuit offers ginger approval for the use of FISA-derived evidence in a criminal trial.

Gen. John Kelly is picked to head DHS. What does that say about its role in cybersecurity? Nothing, I venture. On crypto, though, we could finally see a commission. Chairman McCaul supports the idea, and it’s just possible that foreign government action and the Trump presidency will finally make Silicon Valley nervous enough to stop stonewalling and start talking.

We close with a definitive five-minute briefing on the future of net neutrality. The quick answer is that the dingoes are running the child care center.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-142.mp3
Category:general -- posted at: 2:35pm EDT

We ask Rihanna to sum up the latest U.S.-EU agreement:

And that’s when you need me there
With you I’ll always share …
You can stand under my umbrella

RiRi’s got the theory right:  The Umbrella Agreement was supposed to make sure the U.S. and EU would always share law enforcement data.  But when the Eurocrats were done piling on the caveats, it was clear what concessions the US had made but not clear whether the EU had made any at all. Meanwhile, the Investigatory Powers Act has gained royal assent. Maury Shenk walks us through both developments.

The Trump administration is hinting at a change in responsibility for protecting critical infrastructure from cyberattack, and it’s consistent with the President-elect’s enthusiasm for turning hard jobs over to generals. Congress is doing its bit, elevating Cyber Command to full combatant command status. But the Obama administration may still be toying with the idea of firing Adm. Rogers.

In good news, DOJ and a boatload of other countries have sinkholed the Avalanche botnet. Michael Vatis has the details.

Kudos to Sen. Cornyn, who held off a series of left/lib attacks on the changes to Rule 41 needed to catch even moderately sophisticated child porn and cyber law breakers.

Tom Donilon’s Commission on what the next administration should do about cybersecurity has delivered recommendations. The response:  crickets.

Lastly, Saudi Arabia suffers a major Iranian attack.

We then turn to an interview with Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft.  I’ve known Scott for 25 years and he’s an acute observer of the international cybersecurity scene.  He discusses international pressures on technology companies including the conflicted roles of governments dealing with encryption.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-141.mp3
Category:general -- posted at: 10:03am EDT

Episode 140 features long-time New York Times reporter, John Markoff, on the past and future of artificial intelligence and its ideological converse—the effort to make machines that augment rather than replace human beings. Our conversation covers everything from robots, autonomous weapons, and Siri to hippie poetry of the 1960s and Silicon Valley’s short memory on use of the term “cyber.”

In the news, Maury Shenk reports that five EU members now say they want EU-wide crypto controls. And that’s not counting France and Germany.  Maybe the real question is whether any EU countries oppose encryption regulation.  We can’t find any. Tongue firmly in cheek, I thank Tim Cook for bringing the need for government crypto regulation to the attention of governments around the world.

It turns out that the FBI actually hacked more than 8,000 computers in 120 countries in a single child porn investigation. Wow. And the Justice Department is lecturing me on the risk that active defense could cause unexpected foreign relations problems? Well, I guess they would know.

We-Vibe’s undisclosed collection of data about users of its smart-phone enabled vibrators spurs a class action. Or should that be a “lacks class” action? I confess to being nonplussed by the uses to which an Internet-connected vibrator app can be put. And even more nonplussed when Jennifer Quinn-Barabanov explains how We-Vibe could contribute to the law of standing.

The Wages of Defeat, part one: Election hack fever seizes the left, and I ask Alan what the law should do about vulnerable election infrastructure. Jill Stein is almost certainly wrong about election hacking this year (or in it for the money), but now that everyone has some reason to question the integrity of our election process, Alan and I ask whether there’s room for bipartisan improvements in electoral systems.

Wages of Defeat, part two: Fake news fever seizes the left. For sure it’s a real problem, and Putin is part of it, but solutions are hard to find. Fake news is often in the eye of the beholder, and neither the mainstream media (see, e.g., here or here) nor the barons of social media (Milo Yiannopoulos, call your office) have been exactly even-handed in dealing with conservative views. If we want to go after foreign government sponsored fake news, I suggest, maybe an updated Foreign Agent Registration Act is worth looking at. Between the first amendment and a lack of trust in would-be fake news umpires, there aren’t a lot of other attractive solutions out there.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-140.mp3
Category:general -- posted at: 11:54am EDT

In this week’s episode, we guess at the near-term future with Betsy Cooper and Steve Weber of UC Berkeley’s Center for Long Term Cybersecurity. In all of their scenarios, the future is awash in personal data; the only question is how it’s used. I argue that it will be used to make us fall in love—with our machines.

In the news of the week, we explore the policy consequences of President-elect Trump’s personnel choices. I point out that the quickest route to the new administration’s short list seems to be an interview on the Steptoe Cyberlaw Podcast.

The internet advertising industry is trying to stamp out ad malware so that firms following a set of guidelines will earn a seal of approval, Katie Cassel explains. Color me skeptical: would you buy an antivirus product that proclaimed that it scans “a reasonable percentage of” incoming code?

It’s apparently guidelines week in cybersecurity-land, as agencies rush to release their work before the transition. Two agencies issued guidelines on security practices. The Department of Homeland Security released the recommendations for internet-connected devices that Rob Silvers forecast on the podcast last month. Alan Cohn summarizes the principles, which include steps like security by design and regular vulnerability patches. Meanwhile, Katie tells us, NIST has released its guidance for small business network security. We compare its guidance to the FTC’s. NIST wins.

Two Chinese Android phone backdoors have emerged in one week. Researchers at Kryptowire have uncovered a secret backdoor in large numbers of Android phones that ships users’ personal data, including their SMS messages and location, back to China. The company responsible, Shanghai Adups Technology Company, says it was a mistake, and that the software wasn’t supposed to be installed on phones for sale in the US.  Or perhaps the mistake was in getting caught. Investigations will follow, one hopes.

The second backdoor is an unsecured firmware upgrade channel that would allow a man-in-the-middle to add arbitrary code to an upgrade. I point out that Apple uses the same backdoor—just better secured—for the same purpose.  So its claim that it’s fighting the FBI to protect us from backdoors and their security risks is balderdash.

The 1990s have called, and they want their competition policy back. At least that seems to be the gravamen of Kaspersky’s complaint that Microsoft Defender is killing third party antivirus companies.

In other news that isn’t new, the effort to override Rule 41 changes still looks as dead as General Franco. That doesn’t mean that a forlorn left-right coalition will give up, of course, since there is still sympathetic lib/left press coverage to be milked from the issue.

Finally, in a sign of just how serious the cybersecurity crisis is, almost 2 in 5 American adults said they would give up sex for a year in exchange for never having to worry about being hacked.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-139.mp3
Category:general -- posted at: 10:32am EDT

We couldn’t resist.  This week’s topic is of course President-elect Trump and what his election could mean for All Things Cyber.  It features noted cybercommentator Paul Rosenzweig and Daily Beast reporter Shane Harris. 

In the news, we’re reminded of the old Wall Street saying that bulls and bears can both make money in the market but pigs eventually get slaughtered. The same goes for the pigheaded, as the FTC has learned. Whatever modest satisfaction the FTC got from denying a stay of its order against LabMD surely evaporated when it forced the Eleventh Circuit to make an early call on the stay. The result: the court of appeals practically overrides the FTC decision on the motion. Or was the Commission just trying to make sure the proposed television series about LabMD had an ample supply of villains? If so, way to go, guys!

Katie Cassel announces her imminent retirement from the podcast. She also explains the DMCA’s new exemption for security researchers.

This is getting ugly: Yahoo now says that some of its employees knew about its massive data breach in 2014 – two years before it was disclosed. Why the delay?  Yahoo says it’s investigating – and that it can’t be sure Verizon will follow through on the deal to buy the company.

Russia is getting ready to put some teeth in its data localization law. LinkedIn looks like the sacrificial goat, Maury Shenk tells us, and that’s just the camel’s nose under the tent.

How can section 230 immunity provide protection against one claim but not another based on the same facts? Katie makes it sound almost reasonable. Boy, are we going to miss her.

The Germans have revived an investigation of Facebook for not blocking Germany’s idea of hate speech, which probably includes hats that say “Make America Great Again.” Oh, this is going to be a fun four years.

Speaking of which, I wonder if the GRU woke up with the same hangover as the rest of the United States, suddenly realizing that they had no freaking clue what policies a Trump administration would follow. That would explain the rash of phishing attacks on Washington think tanks.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-138.mp3
Category:general -- posted at: 9:59am EDT

The episode features a vigorous and friendly debate between me and Frank Cilluffo over his Center’s report on active defense, titled “Into the Gray Zone.”  It’s a long and detailed analysis by the Center for Homeland and Cyber Security at GW University. My fear: the report creates gray zones for computer defense that should not be seen as lawful—and turns far too many genuine gray zones black. 

Maury Shenk returns after missing last week due to the British determination not to follow US daylight savings practice. He updates us on challenges to the Privacy Shield Agreement in EU courts by privacy true believers (two and counting) and EU court challenges to government data practices in China, Russia, Algeria, and Saudi Arabia (none in evidence). Speaking of which, China has actually adopted the cybersecurity law it’s been threatening Western tech companies with for months, if not years.

Congress is starting to notice the FDA’s hapless response to medical device security. I predict that the FDA will not take serious notice until heart implants start tweeting: “I’d give this guy a cardiac arrest shock, but I’m too busy DDOSing the DNC.” 

Michael Vatis tells us what’s in the FTC’s Business Guide to Data Breach Response. It’s pretty good, but even if it weren’t, no one can ignore it, since it’s as close to rulemaking as the FTC gets in this field.

A remarkable official leak says that U.S. Cyber Command has pwned Russia’s IT infrastructure from its power grid to its military command system and is ready to strike if the Russians mess with the US election. Is it true? Clint Eastwood has the best answer.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-137.mp3
Category:general -- posted at: 5:01pm EDT

Jonathan Zittrain, who holds a surfeit of titles at Harvard, is our guest for episode 136. Among other topics, we explore the implications of routine doxing of political adversaries. Along the way I extract kind words from Jonathan for Sarah Palin and welcome him to the club of those who think mass doxxers are evil punks.  It’s a wide-ranging, informative, and un-ideological performance of the sort we’ve come to expect from Jonathan.

In the news, I note that the FBI seems to be getting reinforcements in the Great Crypto War, as European prosecutors prepare the battlefield with complaints about Islamic State use of Western encryption.

We’re seeing the rise of a new kind of security disclosure mandate, Katie Cassel tells us. First DOD and now Treasury are requiring their industry to disclose not just personal data breaches but the details of security breaches. But only Treasury was clever enough to do it without new regulatory authority.

NHTSA proposes some pretty thin cybersecurity guidance for vehicles, says Michael Vatis, and a couple of Senate Dems predictably call for tougher mandatory standards.

In more dog-bites-man news, European data protectionists have more hassles for US tech companies; this time it’s WhatsApp and Yahoo in the crosshairs.

Michael leads a tour of the FCC’s new “opt-in” privacy rules for ISPs. I make a bold prediction about how the privacy fight will shake out, and Michael—remarkably—thinks I may be right.

Katie explains HHS’s latest fine for a company that allowed file-sharing of medical files on one of its servers. Mike Daugherty, time to call your office.

Would the revolting magistrates have scuppered the FBI's effort to extract Huma's emails from Weiner's computer? Michael and I debate Orin Kerr's suggestion that there's a legal problem with expanding the search (or the seizure) to a new and different investigation. We mostly disagree with Orin.

And in continuing Rule 41 news, I narrowly escape an NFL taunting penalty while reporting that a whopping 23 out of 535 lawmakers are whining about expanded searches of pedophile computers.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-136.mp3
Category:general -- posted at: 5:32pm EDT

Our guest for the episode is Rob Silvers, the assistant secretary for cybersecurity policy at DHS.  He talks about what the government can and should do about newly potent DDOS attacks and the related problem of the Internet of Things. The only good news: insecure defibrillators and pacemakers may kill you, but they haven’t yet been implicated in any DDOS attacks.

In the news, Michael Vatis and I debate whether the netizen reaction to a search warrant that also allows the FBI to collect phone security fingerprints during the search is overheated or justified. Maury Shenk explains an unusual UK tribunal ruling, holding that GCHQ’s and MI5’s bulk collection of data was once a violation of the European Convention on Human Rights. Luckily for the UK government, that illegality was cured by the government’s acknowledgment of the collection.

The financial industry faces new cybersecurity regulations; Katie Cassel explains. Then, as the junior member of the podcast crew, Katie also finds herself called on to explain when defense contractors have to disclose cyberattacks to the Department.

In other news, NSA contractor Harold Martin is looking less like a hoarder and more like a serious threat to national security, thanks to the Justice Department motion opposing bail. Maury explains why the EU’s top court thinks that even dynamic IP addresses are personal data. And I explain (or try to) why Julian Assange is a First Amendment cover boy when he blows national security secrets but apparently the second coming of Josef Stalin when he blows politically embarrassing secrets of the Clinton Global Initiative.  Or is the real problem the risotto recipe?

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-135.mp3
Category:general -- posted at: 1:31pm EDT

Episode 134 features John Carlin’s swan song as assistant attorney general for national security.  We review the highs and lows of his tenure from a cybersecurity point of view and then look to the future, including how the U.S. should respond to Russia’s increasingly uninhibited use of cyberpower.  I introduce John to Baker’s Law of Post-Government Policy Advice: “The good news about leaving government is that you can say what you think. The bad news is that you can say what you think because nobody cares.”

In the news roundup, we explore the Geofeedia flap, in which large Silicon Valley companies are claiming the right to deny law enforcement access to public postings, even when that access is limited to particular geographic areas, such as the location of an ongoing riot.  Remarkably, they seem to think we ought to be praising them for this antisocial stand.

Maury Shenk updates us on the UK’s new privacy guidelines—and China’s effort to make its internet more protective of children, and the state.

Michael Vatis and I mull over the troubling news that Carbanak is targeting SWIFT endpoints. The G7 has financial cybersecurity guidelines, but it seems unlikely that they’ll turn the tide of an increasingly at-risk banking system.

Michael and I also touch on an Akamai report confirming that the Internet of things isn’t exclusively used to launch DDOS attacks on Brian Krebs; sometimes it’s used to launch mass credential theft attacks as well. Maybe, I suggest, this is a problem that lawsuits can address.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_134.mp3
Category:general -- posted at: 1:51pm EDT

In episode 133, our guest is The Grugq, famous in hacker circles but less so among Washington policymakers.  We talk about the arrest of an NSA employee for taking malware and other classified materials home, the Shadow Broker leak of Equation Group tools, and the Grugq’s view that the United States has fundamentally misunderstood the nature of cyberconflict.

In the news, Alan Cohn and I discuss the DHS/DNI fingering of Russia – and Putin – for the DNC hack.  We ask whether this means that sanctions will follow, and I characterize the administration’s stance so far as an updating of Groucho Marx’s position:  “These are my red lines.  If you cross them, well, I have others.”  

I award “stupidest privacy scandal of the year” to the complaints that Yahoo! (gasp!) scanned email content in a search for a terror-related signature.  

Continuing what will become a rant-filled episode, I nominate the Third Circuit for membership in a Hall of Judicial Shame.  The court of appeals has joined the European Court of Justice in giving legal effect to the early Guardian articles claiming that PRISM allowed NSA to scan all emails in US webmail services.  That might have been a mistake in 2013, but in 2016, it can only be characterized as a lie, and not one the judiciary should be party to.  Katie Cassel hoses me down.

Maury Shenk, back from honeymoon in Jordan, explains why the TalkTalk case has such prominence in the UK – and why the company was lucky to be assessed one of the highest fines ever imposed by the UK data protection authority.

Katie explains the FCC’s revised proposal for privacy regulations.  But she can’t explain the FTC’s embarrassingly juvenile grandstanding in its ongoing turf war with the FCC.

And, to end the roundup on a choleric note, Alan goads me with HHS’s latest and most astonishingly nit-picking fine ‒ $400,000 for having a supplier contract that hadn’t been updated since the HITECH Act modified HIPAA.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_133.mp3
Category:general -- posted at: 9:19am EDT

In episode 132, our threepeat guest is Ellen Nakashima, star cyber reporter for the Washington Post.  Markham Erickson and I talk to her about Vladimir Putin’s endless appetite for identifying ‒ and crossing ‒ American red lines, the costs and benefits of separating NSA from Cyber Command, and the chances of a pardon for Edward Snowden.  Ellen also referees a sharp debate between me and Markham over the wisdom of changing Rule 41 to permit judges to approve search warrants for computers outside their district.

In the news roundup, Meredith Rathbone explains the remarkably aggressive, not to say foolish, European proposal to impose export controls on products that would enable state surveillance in cyberspace.  Apparently locked in a contest with Brussels over who can propose the dumbest regulation of cyberspace, California has adopted a law that purports to prohibit entertainment sites like IMDb from publishing the true ages of actors and actresses.  Markham and I debate the constitutionality of the measure.

In other California news, Markham brings us up to date on the surveillance lawsuit against Google.  He also explains the deep Washington maneuvering over FCC Chairman Wheeler’s plan for cable set top boxes.  I call for a rule that requires cable CEOs to wait at home for days of rescheduled calls to find out whether they’re going to get the result they want.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_132.mp3
Category:general -- posted at: 2:02pm EDT

Our interview in episode 131 is with Matt Cutts and Lisa Wiswell from the Pentagon’s Defense Digital Service.  Matt joined the Digital Service from Google where he authored their SafeSearch content filter.  Lisa is a bureaucracy hacker with the Defense Digital Service and previously spent years working on cyber-warfare in DOD’s policy shop and in DARPA.  They both stress that the Service is looking for good code and policy hackers -- and that their Digital Service recruiting link is https://www.usds.gov/join

After a musical intro featuring the Beatles as reimagined by artificial intelligence, Michael Vatis explains why Microsoft's new German datacenters may succeed in putting customer data beyond the reach of US agencies, and why Microsoft might not want to state its goal quite that way.

Jennifer Quinn-Barabanov explains how a new lawsuit on behalf of Gilbert Chagoury will test whether the US government will punish leakers and whether the EU succeeds in its effort to get the Privacy Act to cover European nationals.  

Jen and I also tackle the record-breaking Yahoo! breach, and what it says about the actual impact of data breach risk on companies and investors.  Jen reveals this shocking statistic: the median cost of a breach is $200,000 by some measures, hardly enough to get even the plaintiffs’ bar out of bed.  And, it turns out, nearly half of corporate GCs have already lived through a breach, so they likely know their own exposure pretty well.

Speaking of records, Brian Krebs, a podcast alum, experienced his own unenviable record:  victim of world’s biggest DDOS attack, fueled by the Internet of things.  What next?  Networked Fords launching a denial of service attack on GM dealers?

Sliding seamlessly into the interview, Matt Cutts and I dive into the latest OpenSSL bug, the reasons Google launched BoringSSL, and the ways in which being boring is also being secure.  (As pretty much any overprotected ten-year-old boy could have told us.)

Matt and I debate whether SSL everywhere is just good, prudent security or the fruits of a Crypto Derangement Syndrome on the part of a Valley that hopes to secede from the United States (guess which side I took).

We take a long look at the Digital Service and what it has done so far.  Lisa Wiswell brags on “Hacking the Pentagon,” which paid the first bug bounties ever offered by a US government agency.  I congratulate her on avoiding the alternative ‒ filing a STFU lawsuit against the security researchers, unlike some I could mention (*cough* St. Jude *cough*).  This leads to a colloquy on what it will take to fix IT procurement in the US government.  We make a little progress, but find no silver bullets.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_131.mp3
Category:general -- posted at: 11:39am EDT

In a law-heavy news roundup, Katie Cassel and I talk about New York’s dangerously prescriptive cybersecurity regs for banks and insurers. Maury Shenk and I uncover the seamy industrial politics behind the EU’s latest copyright and telecom proposals.  The Sixth Circuit deepens a circuit split over standing and how much injury it takes to support a federal data breach lawsuit – and then, oddly, decides not to publish its opinion.  Michael Vatis explains.

In other news, Michael notes that the CFTC has adopted its own very prescriptive cybersecurity testing rules.  At least pen testers should be happy; their specialty is increasingly required by regulators.  Katie hoses me down on the significance of the Ninth Circuit’s latest “failure to warn” decision for section 230 of the Communications Decency Act.  Good news for section 230, not so much for Match.com.

Finally, the FTC continues to vie for the title of federal agency with the least sense of moderation. The FTC is opposing a motion to stay in the LabMD case.  Pending appeal, it wants to impose strict cybersecurity procedures on a business whose servers are probably stored in Mike Daugherty’s garage.  As Winston Churchill said about nuclear weapons, at some point all you’re doing is making the rubble bounce.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_130.mp3
Category:general -- posted at: 4:02pm EDT

This week’s podcast interview is with Ciaran Martin, the chief executive of the UK’s National Cyber Security Centre. While the US political climate makes it implausible that the National Security Agency would be asked to head a nationwide cybersecurity center designed to work with the private sector, that’s exactly the job that the United Kingdom has given to GCHQ, the British equivalent of NSA. I ask why, and a lot more too.

Direct download: Episode_129a.mp3
Category:general -- posted at: 9:35am EDT

In episode 129, Alan Cohn and I dive deep on the Government Oversight Committee’s predictably depressing and unpredictably entertaining report on the OPM hack.  Cheeky Chinese hackers register their control sites to superhero alter egos.  And poor, patriotic Cytech finds an intruder during a sales demo, rushes to provide support without a contract, and ends up not just stiffed but accused of contributing to a violation of the Antideficiency Act. The overmatched OPM security team launches a desperate Operation Big Bang to oust one team of hackers, while another is safely ensconced in the network, biding its time before exfiltrating all its data.

And for those who’ve complained that we never talk about cybertax law, a feast:  Steptoe’s premier international tax partner (and head of the firm) explains everything you need to know about the fight between Apple and the EU over Ireland’s tax regime for the company.  I am shocked to discover that Brussels is doing, well, what Brussels usually does.  

Alan and I talk about one more PlayPen decision, United States v. Torres.  It may be the last word on the subject, in part because it’s so sensible (the FBI did perform a search, it had a warrant and probable cause, the warrant didn’t conform to Rule 41, but so what?  No suppression) and in part because the Supreme Court has agreed to change the Rule.  I confidently predict that Sen. Wyden’s effort to stop the rule change will fail.

Direct download: Episode_129.mp3
Category:general -- posted at: 11:28am EDT

The podcast is back with a bang from hiatus.  Our guest, Scott DePasquale, is the CEO of Utilidata, an electric utility IoT and cybersecurity company.  Scott talks about his contribution to the Internet Security Alliance’s upcoming book, The Cyber Security Social Contract.  

Episode 128 also brings you a news roundup from the most momentous August in cybersecurity history.  Maury Shenk brings the SWIFT hack to life by describing his own brush with cyber bank fraud.   I cover the Shadow Brokers’ disclosure of what most believe to be an NSA hacking toolkit.   Meanwhile, Russia is hacking our political process and only the side whose ox is being gored seems to care.  

The EU, with an instinct for the capillaries, continues to fight the US on these issues.  Privacy Shield is up, and a lot of serious companies are signing up, despite the uncertainties.  Maury and I note the entry of France and Germany into the Great Crypto World War – at a comfortably leisurely pace.  And, in a welcome move, the European Court of Justice has reaffirmed that there are still some (modest and blurry) limits to the assertion of data protection jurisdiction over internet merchants.

The FTC had a busy month.  It served LabMD a mess of home cookin’ and the company is now free to argue its case before an unbiased court of appeals.  Speaking of which, the ninth circuit court of appeals shot down the FTC’s effort to steal the FCC’s common-carrier-regulating turf, and the FTC has finally deigned to notice (and even pat on the head) NIST’s Cybersecurity Framework. 

The UK’s terror watchdog has more or less endorsed the value of bulk collection of personal data.  And Baltimore has put it into effect, adopting an “eye in the sky” technology that has solved serious crimes without harming anyone’s privacy; naturally the privacy lobby is determined to make sure it’s never used again.

In privacy class action news, the lawyers for CareFirst deserve a bonus; they’ve now killed three class action cases (here, here, and here) where the breach was serious but the plaintiffs couldn’t claim that the stolen data was ever used to harm them.  And Judge Koh, to her shame, has approved $4 million in legal fees for the lawyers who brought a class action against Yahoo! and settled for a no-damages injunction that lets Yahoo! keep reading its users’ emails, but after they’ve been sent, not before.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_128.mp3
Category:general -- posted at: 10:41am EDT

I know we promised to take August off, but I was inspired by the flap over the DNC hack and the fact that I’m at the Aspen Homeland Security Working Group meeting in Colorado. I waylaid two former intelligence community members on the Aspen campus and asked for their views on the DNC hack.  Well, to be accurate, I start the interview by asking whether Putin really has the balls to step into the US electoral campaign in this way.  Answering the question are two men with the perspective of long years dealing with Soviet and then Russian intelligence:  Charles Allen, who became intelligence chief for DHS after a full career at CIA, and John McLaughlin, who ended his career at CIA as the Deputy Director and Acting Director.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Episode_127.mp3
Category:general -- posted at: 10:07am EDT

If Vladimir Putin can do it, so can we. This week the podcast dives deep into the US presidential campaign.

I of course talk with Maury Shenk about evidence that the Russians are behind “Guccifer 2.0” and the DNC data leak – aided by a Wikileaks that looks more and more like an FSB front.  I compare the largely indistinguishable Dem and GOP platform planks on encryption ‒ and draw a lesson from the straddles:  there’s little doubt that every lobbyist who contributed to the platforms was working for Silicon Valley, so the failure to endorse the Valley’s view may spell trouble for techie triumphalism.  I also spike the football for the Justice Department, whose policy views on the dangers of hacking back were swamped when the GOP called for letting victims of hacking have their way with the hackers.

Our interview this week touches on the insider threat. Andy Irwin describes the new DOD rule requiring contractors to devise insider monitoring plans for cleared personnel, and two industry leaders, Ed Hammersla, CSO of Forcepoint, and Brian White, COO of RedOwl Analytics, talk about what technology can do to spot incipient employee defections and data theft.  A discussion of the role of natural language processing naturally reminds me of George Carlin and the seven dirty words you can’t say on the radio.

In other news, Katie Cassel unpacks another in a long line of increasingly incoherent 9th Circuit rulings on when it violates the CFAA for unwanted visitors to log on to a site.  Katie also explains why the outcome of another data breach lawsuit might persuade Scottrade to change its name to Scot-Free.

Maury updates us on UK politics, from Theresa May’s honeymoon to the possibility that UK data retention law will survive review in the European Court of Justice.  I flag a good (and, sadly, already outdated) House Homeland Security Committee report on 100 ISIS-linked terror plots against the West since 2014, a surprise reprieve for Silent Circle, and Whatsapp’s continuing “If it’s Tuesday we must be shut down; if it’s Wednesday we must be back up” drama in Brazil.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_126.mp3
Category:general -- posted at: 5:28pm EDT

In the news roundup, Michael Vatis covers Microsoft’s surprising Second Circuit victory over the Justice Department in litigation over a warrant for data stored in Ireland.  The hidden issue in that case was data localization – the same issue driving the Justice Department’s new legislative proposal to allow foreign nations to obtain information from US data repositories.  That proposal is unpacked by special guest David Kris, former Assistant Attorney General for National Security and author of the treatise, National Security Investigations and Prosecutions.

In other news, LabMD has found yet another defendant in its campaign against Tiversa.  Michael discusses what may be the first judicial decision requiring a warrant to use a Stingray to locate a criminal suspect.  And HHS tries to achieve a plausible policy goal with an overreaching legal interpretation; as Michael explains, the result could be massive unintended consequences.

In quick hits:  more evidence that foreign nations are targeting our energy grid, FDIC engages in a surprisingly successful breach cover-up, a Chinese browser sends data back to China unmolested (all because we still haven’t funded the Europocrisy Prize, I argue), and the cyberwar on ISIS is going slowly, mainly, I argue, because cyberwar on ISIS is not all that good an idea.

What’s the argument in favor of hacking back that is best calculated to infuriate the State Department?  We talk hackback with the father and son team that produced a thoughtful paper on the topic for the Hoover Institution.  Jeremy, a law professor at the Scalia Law School, and his son, Ariel Rabkin, a computer scientist out of Berkeley, have the expertise to deal gracefully and concisely with the policy debate over hacking back.  Their proposal charts a middle ground while cheerfully eviscerating State’s hand-wringing about the international consequences of permitting hacking victims to act outside their networks.  Bonus feature:  lifetime career advice from yours truly!

Our interview is with Jeremy Rabkin and Ariel Rabkin, authors of Hacking Back without Cracking Up, published by the Hoover Institution.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_125.mp3
Category:general -- posted at: 9:45am EDT

What’s the difference between serving in Congress and spying in the back alleys of a Middle Eastern bazaar?  Why not ask the one Congressman who’s done both – Rep. Will Hurd (R-TX).  He also has cybersecurity chops from his career in industry, so he makes the perfect guest for episode 124a of the podcast.  Just running through his week takes us from the difficulty of setting red lines in cyberspace to what we know about foreign penetration of the Clinton email server.  But we manage as well to cover the declining fortunes of the Massie-Lofgren amendment and the reasons (and possible cures) for the disaster that is federal IT procurement.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_124a.mp3
Category:general -- posted at: 1:27pm EDT

This week’s news roundup is dominated by the Ninth Circuit and the European Union.  The EU parliament has approved the Privacy Shield that replaces the Safe Harbor.  Michael Vatis, Alan Cohn and I ask whether companies should seek protection under what may prove to be a pretty leaky Shield.  And the EU has approved cybersecurity rules for critical industries and verdammte amerikanische Unternehmen … er, digital service providers.  You may not like the EU penchant for regulation as a first resort, but Alan and I conclude that the initiative on cybersecurity standard-setting may finally have moved to Brussels.

In Ninth Circuit news, the Nosal case has come back for another round of appellate decision-making, and this time the decision goes against Mr. Nosal.  Michael and I debate whether sharing a password should lead to criminal penalties.  In other news, the lib/left continues its campaign to impose a warrant requirement on reuse of section 702 data.  They’ve already lost in two courts, and my guess from oral argument in US v. Mohammud is that they won’t do better in the third.  

Elsewhere, Russia has finally adopted its aggressive new law regulating digital service providers in the name of fighting terrorism. The FCC privacy regs attract some support from other agencies, notably the FBI and Secret Service.  Silent Circle, already silently circling the drain, has dropped its faddish warrant canary “for business reasons.”  And kudos to Yingmob for its new business model; the Chinese company seems to have combined legitimate adtech business lines with a line of malware that has infected ten million Android phones.  No word yet on whether Yingmob employees can take a break from writing malware to play foosball.  

Our interview with Will Hurd will follow later in the week.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_124.mp3
Category:general -- posted at: 10:01am EDT

Edward Snowden criticizes Russia’s mass surveillance law, and a Russian official retaliates by outing him ‒ as a Russian intelligence source. Silent Circle, the phone company that built its marketing on fear and loathing of the NSA, is nearing bankruptcy. And members of the dominant European Parliament faction are asking the Commission, “Hey! How come you keep demanding more data export and privacy concessions from the US without asking for bupkis from China?” And the FBI now has three politically viable paths to win back authority to obtain electronic communications transaction records with a National Security Letter.

Truly, episode 123 feels like a reward for living through 2013.

In other news, Alan Cohn and Katie Cassel report on the Bank for International Settlements’ surprisingly sophisticated cybersecurity standards. I whinge about Bob Litt’s 18 pages of binding commitments to Europe on how the US will conduct intelligence from now on. Alan and I compliment CBP on its technical savvy in easing border clearance ‒ and ponder the role of stools in protecting the homeland.

I report that Belgian courts have reversed a verdict by the local DPA against Facebook, and Maury Shenk comments on broader implications for EU data protection. Katie notes that FTC commissioner Maureen Ohlhausen continues to tout the advantages of her agency’s “flexible” privacy and security standard and to diss the FCC’s more explicit approach. I mock the ACLU for demanding the right to violate criminal law to get information from private companies and ask if I can do the same to get the ACLU to answer my questions about whether it provides real security for its clients. And Maury reports that China is still rolling out new internet regulations, from online search standards to where to store Chinese citizens’ personal data (China, natch).

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_123.mp3
Category:general -- posted at: 4:05pm EDT

Was Iran’s cyberattack that bricked vast numbers of Saudi Aramco computers justified by a similar attack on the National Iranian Oil Company a few months earlier? Does NSA have the ability to “replay” and attribute North Korean attacks on companies like Sony? And how do the last six NSA directors stack up against each other? Those and other questions are answered by our guest for episode 122, Fred Kaplan, author of Dark Territory: The Secret History of Cyber War.

In the news roundup, we explore the British corollary of the Pottery Barn Rule: “You Brexit, you owns it.” As the UK and the EU struggle to deal with fallout from the historic UK vote, all the incentives seem to be in place for the EU to do what it does best: vindicate the worst instincts of the European elite. In the name of deterring other departures, the EU is unlikely to offer the UK much in the way of concessions. On data protection, for example, Maury Shenk points out that the UK will likely have to keep its current law -- and adapt to the new regulation -- just to avoid a claim that British privacy law is inadequate.

In other news, DHS has released final guidelines for protecting privacy while sharing cyber threat information; I think they’re pretty good.

Michael Vatis and I also puzzle over the dicta adopted in a recent EDVA opinion that the utter insecurity of personal computers leaves users without a reasonable expectation of privacy and allows the FBI to use hackers’ tools without a warrant. I love it when a district court stakes out territory that makes even me feel like a civil libertarian.

The FTC drops a heavy fine on inMobi. Michael points out the much heavier weaponry that COPPA allows the Commission to deploy in privacy cases that involve children. But we have trouble mustering much sympathy for inMobi. 

Finally, we’re still trolling for listener feedback on whether we should go to the trouble of trying to arrange CLE credit for listening to the podcast. Based on reaction so far, we won’t. So if you’d like to get CLE credit for the podcast, it’s time to send your vote to CyberlawPodcast@Steptoe.com.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-122.mp3
Category:general -- posted at: 4:35pm EDT

With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies.

In the news roundup, Alan led off with a discussion about Ethereum and the DAO, which of course begins by answering the question, “What is Ethereum and what is the DAO?” As Alan explains, Ethereum is a public blockchain similar to the Bitcoin blockchain, with code written in such a way as to optimize programming of “smart contracts,” self-executing contracts that transmit funds or take other actions based on the occurrence of defined events. Ethereum is run by a non-profit organization, the Ethereum Foundation, and has its own native currency called Ether. The DAO is an acronym for a “distributed autonomous organization,” which is essentially an organization that can operate in a decentralized manner (for example, on a blockchain) based on its programmed code rather than the actions of any governing individuals. In this instance, “The DAO” is the first of these types of organizations, which was created to fund projects that would work on Ethereum. For most of May, people could purchase DAO tokens using Ether, and the DAO tokens gave their holders the ability to vote “Yes” or “No” on funding proposals made to the DAO by companies or individuals wanting to build things. The submission of proposals, the voting, and the funding of projects were all programmed to take place essentially without human intervention, all based on the DAO’s programmed code. (Whew!)

Now for the news—the first major splash made by the DAO was not the funding of its first project, but rather an attacker’s “recursive call” attack which allowed him/her/them to withdraw approximately 3.6 million Ether—worth about $55M at the time of the attack—by exploiting an element of the code meant to allow people to withdraw from the DAO and convert their DAO tokens back to Ether. As Alan explained (and probably needed a glass of water and maybe a snack by this point), the DAO’s creators and the Ethereum Foundation were left with only a few responses, none of them ideal—void the attacker’s transactions but by doing so, demonstrate that transactions on a public blockchain can be voided; lock up the funds and figure out the next steps, which probably leads to a voiding of the transaction; roll back the entire Ethereum ecosystem to just before the attack (kind of like reverting your iPhone to a backup) but effectively constituting a “bailout” of the DAO; or concluding that “the code is its own documentation” and anything done under the code is permissible, which preserves the integrity of the DAO (and Ethereum) but leaves the attacker holding a lot of other people’s money.

For listeners who made it through all of that, Jason explained how the New York State Department of Financial Services issued its second BitLicense, this time to Ripple (the global settlement network, not the fortified wine), and at this pace, would get to double digits in terms of BitLicenses issued by 2022. Jason noted that this comes at the same time as industry efforts to focus attention on the dangers inherent in state-by-state licensing systems, although a single federal approach seems far off at this time.

Alan described the European Parliament’s recent resolution concerning virtual currencies, which was hailed as an anti-money laundering and counterterrorism financing action but in fact covers many aspects of virtual currencies and distributed ledger technology. The main headline was Parliament’s call on the European Commission to create a Task Force on virtual currencies. Alan channels Stewart for a moment, noting that the resolution actually says that Parliament “recalls that the internet, despite attempts to promote a multi-stakeholder approach, is still governed by the National Telecommunication and Information Administration, an agency of the United States Department of Commerce.” That must still sting.

Jason notes that the blockchain has also come to DC in a big way, with one day of a three-day symposium run by the Federal Reserve, the World Bank, and the International Monetary Fund dedicated to blockchain. The White House also got into the game, holding a FinTech summit with various White House and Administration officials. The President’s Council of Advisors on Science and Technology heard from industry leaders on blockchain, and the White House Commission on Enhancing National Cybersecurity heard testimony on blockchain technology in one of its first meetings.

Finally, Alan reports on the Central Bank of Canada’s experiment with developing a digital version of the Canadian dollar based on blockchain technology. Dubbed “CAD-coin” and running on the “Jasper” Distributed Ledger Settlement Platform (rather than something more inspired and Canadian, like “Molson”), the Central Bank’s experiment with a private blockchain is meant to “better understand the technology first-hand,” and we applaud them for that.

In the interview, Jamie Smith first debunks rumors that she is, in fact, Satoshi Nakamoto, the original creator of Bitcoin (“We are all Satoshi,” Jamie graciously explains.) Jamie describes how she first got involved in the blockchain space, her experience leaving a comfortable post-Administration job at a global PR firm to join the BitFury Group, and her process of realizing that Bitcoin is not “criminal money” and that blockchain technology can change the world for the better. Jamie describes recent initiatives backed by the BitFury Group, including the Blockchain Trust Accelerator launched in conjunction with the think tank New America and the National Democratic Institute, and the Global Blockchain Business Council. Jamie also describes events at the second Blockchain Summit on Sir Richard Branson’s Necker Island (Jason attended the first Blockchain Summit last year, and Alan attended this year’s Summit). Jamie gives a shout-out to the Blockchain Alliance, the organization co-founded by the Chamber of Digital Commerce and Coin Center to create a forum for the blockchain industry to engage with law enforcement (full disclosure: Steptoe serves as counsel to the Blockchain Alliance and Jason serves as its Director).

Next week, Stewart will be back and the podcast will turn back to cybersecurity issues. As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 (202) 862-5785.

Direct download: PC122w_music.mp3
Category:general -- posted at: 11:09am EDT

European hypocrisy on data protection is a lot like the weather. Everyone complains about it but no one does anything about it. Until today.

In episode 120, we announce the launch of the Europocrisy Prize. With the support of TechFreedom, we’re seeking tax deductible donations for a prize designed to encourage the proliferation of Schrems-style litigation, but with a twist. We’ll award the prize to anyone who brings complaints that force Europe to apply the same human rights and data export standards to Russia, China, and Saudi Arabia as it applies to the US. More on the prize here.

We’re inspired to this announcement, because as Katie Cassel tells us in the news roundup, the data protection commissioner in Hamburg is hot-dogging on the privacy issue, and with relish. He has imposed fines on US companies for the offense of being caught by surprise when the Safe Harbor went down. Naturally, as far as we can tell, no similar cases have been launched against Russia, China, or any of the other countries that never even bothered to negotiate over privacy with the EU. The Europocrisy Prize, though, should go a long way to even the score.

We’re joined for the news roundup by Paul Rosenzweig of Red Branch Consulting, and he clues us in on the fight over ICANN’s future now being waged in Congress. Meanwhile, Alan Cohn explains why standing is such a high threshold for data breach plaintiffs, leading us to muse on exactly how much harm we can show from the disclosure of our naked pictures on the internet (in contrast to viewers, for whom injury may be presumed).

I highlight a workmanlike opinion from Judge Doumar on the FBI’s remote hacking of child porn aficionados. I also thank Sen. Cornyn and others on the Judiciary Committee for exposing just how little privacy groups care about ECPA reform. Sen. Cornyn has offered an amendment that would give back to the FBI the NSL access they had in 2008 to electronic communications transactions records. In order to keep Sen. Cornyn’s amendment off their reform bill, they’ve apparently ditched the whole bill.

In other privacy misrepresentation news, the UK press is full of headlines claiming that the “controversial” Investigatory Powers Act is moving forward “despite hacking and snooping fears.” Clue for the press: When the House of Commons vote to send a bill to the House of Lords is 444 to 69, calling it “controversial” just makes you look stupid and ideological. Most significantly, the bill goes out of its way to make clear that, if Apple makes the same arguments in the UK that it made against the FBI, it will lose. Tim Cook’s publicity campaign is really paying dividends, eh?

Katie explains the US Justice Department’s proposal to modify US law and streamline the production of electronic evidence to foreign governments. If they do that without extracting an end to EU data export restraints, the DOJ’s license to practice diplomacy should be revoked.

In other news, the French government has convicted Uber and two of its executives of failing to show sufficient respect to French officialdom. And the right to be forgotten turns out to be unworkable (who could have foreseen that!?).

Finally, we poll DHS alumni on whether the department’s cybersecurity organization, NPPD, should be raised to the status of a full-blown DHS component. Suzanne Spaulding will be pleased with the answer.

Note: Our interview with Rep. Will Hurd was delayed at the last moment, so we’re releasing it separately from the episode 120 news roundup.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: E_120.mp3
Category:general -- posted at: 11:32am EDT

Our guest for episode 119 is Kevin Kelly, founding executive editor of Wired Magazine and author of The Inevitable: Understanding the 12 Technological Forces that will Shape our Future. Kevin and I share many views – from skepticism about the recording industry’s effort to control their digital files to a similar skepticism about EFF’s effort to control private data – but he is California sunny and I am East Coast dark about where emerging technology trends are taking us. The conversation ranges from Orwell and the Wayback Machine to the disconcerting fluidity and eternal noobie-ness of today’s technological experience. In closing Kevin sketches a quick but valuable glimpse of where technology could take us if it comes from Shenzhen rather than Mountain View, as it likely will.

The news roundup leavens deep thoughts about the future with loose talk about sex and politics. I ask whether the FOIA classification review of Hillary Clinton’s email is compounding the damage done by her use of a homebrew server. I discover the weird connection between leak defenders like Julian Assange and Jacob Appelbaum and sexual extortion – and even offer a theory to explain it (caution: involves threesomes). And we award the Dumbest Journalism of 2016 prize to Jason Leopold, Marcy Wheeler, and Ky Henderson for a VICE article that spends thousands of words trying in vain to justify its headline – and also manages to bury the only interesting news the reporters turned up. (They have pole-dancing competitions in China? And the organizer invited Edward Snowden’s girlfriend to compete, just as Snowden was getting ready to release NSA’s files? Sounds like a great story, but the authors dropped it in favor of tendentious NSA bashing.) And to cap the week off, North Korea cloned Facebook for its nomenklatura, only to have a Scottish teen take it over because the logon credentials were left at “admin” and “password.”

More seriously, I report that USTR will in the future try to negotiate limits on data localization even for financial institutions. Maury Shenk reports on the successful EU jawboning of big American tech companies to crack down on “hate speech” on line.

Organizations whose hate speech has mainly been aimed at Smith v. Maryland and the third party rule had a bad week, I note, as the only circuit to require warrants for cell-site location recedes in an en banc opinion that drastically cuts the Supreme Court’s incentive to grant cert on the issue.

Maury reports on delays to the EU’s Paris-related changes in anti-money-laundering regulation. And I puzzle over the newfound enthusiasm in Republican and cable industry circles for FTC-style privacy regulation.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 119th episode (mp3).

Direct download: Podcast_119.mp3
Category:general -- posted at: 4:19pm EDT

Episode 118 digs deep into DARPA’s cybersecurity research program with our guest, Angelos Keromytis, associate professor at Columbia and Program Manager for the Information Innovation Office at DARPA. Angelos paints a rich picture of a future in which we automate attribution across networks and international boundaries and then fuse bits of attribution data as though they were globules of the Terminator reassembling into human form. 

Direct download: Podcast_118.mp3
Category:general -- posted at: 8:20am EDT

Our guest, Patrick Gray, is the host of the excellent Risky Business security podcast. He introduces us to the cybersecurity equivalent of decapitation by paper cut and offers a technologist’s take on multiple policy and legal issues. In the news roundup, Michael explains the many plaintiff-friendly rulings obtained by the banks suing Home Depot over its data breach. We wonder whether the rulings are so plaintiff-friendly that the banks will eventually regret their successes. Michael also explains just how deliberately meaningless is the Supreme Court decision in Spokeo, Inc. v. Robins.

Alan Cohn lays out the new DOD rule requiring government contractors to adopt basic cybersecurity measures. Michael explains why the court rejected Mozilla's bid to intervene in the big FBI-child porn case. I cheer Google on in its appeal of the egregious CNIL ruling extending French “right to be forgotten” censorship to the world – and mock the handful of Senators who have gone on record as favoring legislation to overturn the Rule 41 changes and make the internet safe for child exploitation. Finally, Alan explains why the SEC thinks cybersecurity is the top threat to financial systems.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_117.mp3
Category:general -- posted at: 12:56pm EDT

Ransomware is the new black. In fact, it’s the new China. So says our guest for episode 116, Dmitri Alperovitch, the CTO and co-founder of CrowdStrike. Dmitri explains why ransomware is so attractive financially – and therefore likely to get much worse very fast. He and I also explore the implications and attribution of the big bank hacks in Vietnam and Bangladesh.


In the news roundup, Michael Vatis reports on the new federal trade secrets law. In addition, inspired by the Edelson firm’s sealed complaint against a Chicago-based law firm for cybersecurity failings, Steptoe’s chair emeritus, Roger Warin, charts the legal and strategic terrain of suing law firms for bad security. The hazards of class action litigation in this field are illuminated by the district court’s recent ruling on the Zappos breach, which Michael unpacks for us.


Unable as always to resist a sitting duck, I quote the FTC’s condescending Congressional testimony promising to give the FCC the benefit of its 40 years of security expertise. It plans to offer comments on the FCC’s proposed privacy regulations. But the FTC fails to note that in all those 40 years, it has never had occasion to ask anyone for comment on its own privacy or security standards – which are scattered haphazardly across a series of brochures and weblinks and consent decrees. As I point out, that makes it hard not just for companies that want to comply, but also for the FTC, which has no way to amend its outdated security guidance, most notably the bad advice it gave several years ago about requiring employees to change passwords frequently. Maybe it’s time for the FCC to return the favor, and give the FTC the benefit of its own years of experience in actually issuing and taking comment on proposed regulations.


As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_116.mp3
Category:general -- posted at: 4:46pm EDT

Does the FISA court perform a recognizably judicial function when it reviews 702 minimization procedures for compliance with the Fourth Amendment? Our guest for episode 115 is Orin Kerr, GWU professor and all-round computer crime guru. Orin and I spend a good part of the interview puzzling over Congress’s mandate that the FISA court review what amounts to a regulation for compliance with an amendment that is usually invoked only in individual cases. Maybe, I suggest, the recent court ruling on 702 minimization and the Fourth Amendment doesn’t make sense from an Article III point of view because the FISA judges long ago graduated from deciding cases and controversies to acting as special masters to oversee the intelligence community. We also explore an upcoming Orin Kerr law review piece on how judicial construction of the Fourth Amendment should be influenced by statutes that play in the same sandbox.

In the news roundup, Maury Shenk provides an overview of the data protection logjam now building up in Brussels, including EU Parliament approval of the new US-EU law enforcement agreement. In FTC news, Kaitlin Cassel explains why Amazon is liable for kids’ in-app purchases; I seize on recent UK government advice not to change passwords too often to mock the FTC for its outmoded advice on the topic and its inability to shed its old guidance gracefully; and Maury and I examine how and why the FTC is enforcing quasi-voluntary privacy regimes like the Privacy Shield/Safe Harbor.

Katie explains HHS’s remarkable new enforcement policy – imposing large fines on health providers who voluntarily disclose a paperwork omission that caused no actual privacy harm. I flag the First Circuit’s decision to create a circuit conflict on the meaning of the Video Privacy Protection Act.

I express astonishment that the tech press continues to think there’s a constitutional problem with forcing someone to use his fingerprint to unlock a phone. The Onion and Operation Vowel Lift also make an appearance.

Direct download: Podcast_115.mp3
Category:general -- posted at: 1:44pm EDT

Our guest for episode 114 is General Michael Hayden, former director of the NSA and CIA; he also confirms that he personally wrote every word of his fine book, Playing to the Edge: American Intelligence in the Age of Terror. In a sweeping interview, we cover everything from Jim Comey’s performance at the AG’s hospital bedside (and in the Clinton email investigation) to whether the missed San Diego 9/11 calls were discovered before or after the 215 program was put in place. Along the way, we settle the future of Cyber Command, advise the next president on intelligence, and lay out the price the intelligence community is paying for becoming so darned good at hunting terrorists.

Michael Vatis and I do the news roundup. It’s bad news this week for the same child porn defendants who got good news last week, when a court overturned the search warrant used to search their computers after they visited an FBI-run Tor node. Now, though, the Supreme Court has approved a change to Rule 41 authorizing geographically unbound search warrants in computer cases. Unless Congress comes to their rescue by rejecting the proposed rule change, an unlikely prospect indeed, the new rule will take effect at the end of the year.

Well, that was fast, at least by the standards of Washington lawyers. We’ve gone from attribution to proposed retribution in less than two years. Indictments in 2014 charged that the Chinese government had broken into US Steel’s computer network. Now US Steel is claiming that the hackers stole advanced steel technology and gave it to a Chinese competitor, and it’s asking the International Trade Commission to exclude the competitor’s products from the United States, on the ground that stealing secrets is an unfair trade practice. With the government eager to send a message on commercial cyberespionage, look for plenty of fireworks over the next year as the case is brought to judgment.

The big FISA news revolves around notices given to litigants when section 702 played a role in their cases. A rare notice of that kind has been given to an Iraqi refugee accused of traveling to Syria. He has promised a constitutional challenge. Meanwhile, if you’re wondering whether OFAC uses 702 intelligence to issue sanctions, and whether the targets get notice when that happens, the New York Times is fighting to get those answers, using FOIA. It’s losing. Congress is also taking a harder look at 702, with fourteen of the usual suspects asking DNI Clapper to estimate how many Americans’ communications are swept up in the program.

In other news, Michael notes that Nebraska has expanded its breach law to cover more data – and to make sure that the encryption exception only applies to encryption that’s not fatally compromised.

Direct download: Podcast_114.mp3
Category:general -- posted at: 2:34pm EDT

No holds are barred as a freewheeling panel of cryptographers and security pros duke it out with me and the Justice Department over going dark, exceptional access, and the Apple-FBI conflict. Among the combatants: Patrick Henry, a notable cryptographer with experience at GCHQ, NSA, and the private sector; Dan Kaminsky, the Chief Scientist at White Ops; Kiran Raj, who is Senior Counsel to the Deputy Attorney General; and Dr. Zulfikar Ramzan the CTO of RSA Security. Our thanks to Catherine Lotrionte who generously agreed to let me record this one-hour panel at her remarkable Annual International Conference on Cyber Engagement.

In the news roundup Maury Shenk discusses the real and mythical import of the UK’s pending surveillance bill, and I mock the journalists who claimed to find scandal in GCHQ’s elaborate compliance regime for access to bulk personal data. Alan Cohn and I return to the Apple-FBI fight, and I can’t help pointing out that Apple, the self-proclaimed champion of security, didn’t bother to tell its customers that it was no longer providing security patches to QuickTime on Windows. Alan manages to explain Apple’s thinking with two words: “on Windows.”

The FBI’s decision to manage a child porn distribution node for a few weeks and prosecute its customers has come a cropper, but not for the reason you might think. Instead, Alan reports, at least one court is now willing to enforce the limits of Rule 41 and declare that a Virginia magistrate cannot issue a search warrant for a computer located in Massachusetts. That ups the stakes for the ongoing effort to amend this problem out of the Federal Rules.

I read an 80-page FISA opinion so you don’t have to. One of the technolibertarians’ favorite proposals – requiring warrants for searches of already-collected 702 data – has now been briefed to the court by one of the first FISA amici. And rejected. The argument was slapped down in an opinion by Judge Hogan. In the old days, government critics would have been able to press such an argument for years; now, thanks to the vigilant FISA amici and the transparency in FISA opinions that they cried for, that argument has suffered a body blow before it has even built up a head of steam.

And, just to show that we yield to no one in condemning abusive government data collection, I brief our listeners on where all the data created by their cheap Chinese drones is ending up – and which government has access to it. Suddenly, European-style data export bans are acquiring a strange new appeal.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_113.mp3
Category:general -- posted at: 11:40am EDT

European news and sensibilities dominate episode 112. I indulge in some unseemly gloating about Europe’s newfound enthusiasm for the PNR data it wasted years of my life trying to negotiate out of the US counterterrorism toolbox. I pester our guest, Eric Jensen, about his work on the Tallinn 2.0 manual covering the law of cyberwar; the manual seems to offer an ever-more-European take on cyberweapons and the law of armed conflict. And if you think that’s a compliment, you haven’t been listening.

In other European news, Michael Vatis notes that the European Parliament has formally approved the EU’s sweeping new data protection regulation. And Maury Shenk tells us the Privacy Shield is acquiring a few dents, particularly from the Article 29 Working Party of data protection regulators, who are raising hard questions about US intelligence policy.

The fad for ruling that phone location records can only be obtained with a warrant may be receding. Michael says that another circuit has rejected the claim, while the last circuit to credit the notion has now gone en banc.

There’s better news for privacy campaigners in the House, where the Judiciary Committee has reported out a bill requiring warrants for even very old email content. It will face more scrutiny in the Senate, I predict, and with luck will attract a few balancing amendments that favor law enforcement and intelligence.

In Apple news, the FBI files the world’s shortest brief, saying “Yes we still want the data on that New York iPhone.” Leakers say the FBI hasn't learned much from the unlocked San Bernardino iPhone, a phone which it appears the FBI paid professional hackers a one-time fee to crack.

Alan Cohn and I have fun unpacking a report that the US government has worse cybersecurity than any other industry segment. Among agencies the FTC fares far better than NASA, and I manfully admit that the Commission must be doing something right.

Michael notes that the Seventh Circuit has again found plaintiffs to have standing in a data breach case, this time on grounds that will make future breach notices a lot less user-friendly.

Alan and I offer at least faint praise for the White House Commission on Enhancing National Cybersecurity. And Uber issues a transparency report that (surprise!) does more to serve the company’s interests than to educate the public.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_112.mp3
Category:general -- posted at: 11:51am EDT

Just how sophisticated are the nations planning and carrying out cyberattacks on electric grids? Very, is the short answer. Our guest for episode 111, Suzanne Spaulding, DHS’s Under Secretary for the National Protection and Programs Directorate, lays out just how much planning and resources went into the attack on Ukraine’s grid, what it means for US industry, the information sharing that can mitigate the consequences, and why the incident reinforces the need to stand up the Cyber and Infrastructure Protection Agency at DHS.

Our news roundup concentrates on the draft Senate bill on encryption from Senators Burr and Feinstein. Not surprisingly, I find the critics to be mostly off point and occasionally unhinged in inimitable tech-sector fashion. Sen. Wyden condemns the bill, and no one is surprised. The White House ducks a fight over the legislation, and mostly no one cares any more. I offer the view that as more Silicon Valley firms adopt easy, universal, unbreakable crypto, the tide will slowly turn against them, as the list of crypto victims keeps getting longer.

Kaitlin Cassel and Alan Cohn unpack the consequences for law firms of the Mossack Fonseca leak, and Suzanne Spaulding weighs in with advice for the legal profession.

The US adds China’s Internet controls to its list of trade barriers. Kaitlin and I muse on the significance of that step (short term: none; long term: we could see a WTO case against China).

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_111.mp3
Category:general -- posted at: 10:51am EDT

Steptoe recently held a client briefing in its Palo Alto office on developments in the Chinese legal and regulatory environment that are impacting US technology companies operating in China. I took advantage of the event to sneak in a quick discussion with Susan Munro and Ying Huang of Steptoe's China practice, on how China is regulating the Internet, with special emphasis on data protection, data localization, and more.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_110.mp3
Category:general -- posted at: 10:45am EDT

In episode 109, we interview Perianne Boring of the Chamber of Digital Commerce on the regulatory challenges of bitcoin and the blockchain. In the news roundup, we bring back Apple v. FBI for what we hope will be one last round, as the San Bernardino magistrate voids her All Writs Act motion for mootness and attention shifts to other investigators hoping to crack iPhone security, both in the US and in Europe. 

In a change of pace, I dip into the Hillary Clinton email scandal, wondering whether US intelligence agencies caught foreign spies exploiting Clinton’s unsecured emails on her first trip to Asia. Alan Cohn reminds me that using government networks wouldn’t have exactly guaranteed their security.

Kaitlin Cassel makes her first appearance on the podcast, explaining the FCC’s new ISP privacy rules. We all try, unsuccessfully, to figure out why the FTC is so sure it knows more about privacy and security regulation than the FCC.

Alan and I explore the flap over insider-trading attacks on BigLaw, and I wonder out loud whether the whole story is hype. What’s not hype, however, is a breaking story on the biggest data spill in history, which outs the hidden assets of everyone from Putin cronies to Icelandic pols.

The FBI’s reluctance to expose its investigative techniques to the world did not begin with the iPhone, I remind listeners; the Bureau is fighting a court order demanding that it turn over its Tor exploit source code to a defendant in a child porn case.

And speaking of “privacy” tools that turn out to be mostly boons for criminals, the US government-funded Tor Project is sinking ever deeper into swamps of human depravity. According to Cloudflare, 94 percent of Tor traffic is per se malicious. And according to other sources, most of the remaining 6% is to child porn and other criminal sites. I’m not sure how many more privacy victories like that the tech world can afford. And if you were wondering whether that’s just a one-off, check out the remarkable story of everyone’s favorite encryption program – which it turns out was mostly created by a Deep Nerd who evolved into a no-kidding, murder-for-hire monster. But don’t worry. I’m sure there’s no connection between a burning desire for privacy and a burning desire to do things abhorred by the overwhelming mass of humankind. It’s probably just a coincidence.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_109.mp3
Category:general -- posted at: 2:27pm EDT

It’s an extended news roundup with plenty of debate between me and Nuala O’Connor, the President and CEO of the Center for Democracy and Technology (CDT). We debate whether and how CDT should pay more attention to Chinese technology abuses and examine the EU ministers’ long list of privacy measures to be rolled back and security measures to be beefed up in the wake of the Brussels and Paris Daesh attacks.

Meredith Rathbone reports on the sanctions case of the decade, as ZTE gets hit with a bag full of bricks – or is it marshmallows? – for its role in flouting US export controls. We speculate about why the US danced an enforcement two-step in this case – and who its next dance partner might be.

The Justice Department has launched a second set of indictments against foreign cyber hackers, this time aimed at Iranians who DDOS’d US banks and tried to flood the basements of Rye, NY, suburbanites. Michael Vatis and I speculate on whether other finance ministers might agree that sanctions should be imposed on those who hack banks – and on whether the Southern District will overreach in its forfeiture tactics.

I fume over the French bureaucracy’s claim that it can regulate what Americans are allowed to read on line. Nuala weighs in, and we find ourselves – mirabile dictu – in broad agreement about the dangers of the “right to be forgotten.”

I confess to uncharacteristically muted views about whether NSA should share raw traffic with other agencies. Nuala almost does the same.

And as a palate cleanser, who can resist a bitter, pointless turf fight, complete with public disparagement of one regulator by another? Hatfield v. McCoy? Stalin v. Trotsky? Hamilton v. Burr? They got nothin’ on FTC v. FCC, as FCC Commissioner Ohlhausen makes the imprudent decision to hold up FTC’s inscrutable security regulation as a gold standard – just when LabMD is making it look more like a protection racket.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_108.mp3
Category:general -- posted at: 12:23pm EDT

What kind of internet world order does China want, and will it succeed? That’s the question we ask Adam Segal, Maurice R. Greenberg Senior Fellow at the Council on Foreign Relations and author of The Hacked World Order. We review China’s surprising success at getting tech companies to help it build an authoritarian Internet – the technological equivalent of persuading Jello to nail itself to the wall. Meanwhile, every nation, it seems, is busy reasserting sovereignty over cyberspace. Except the United States. Which raises the question whether other countries will decide to assert sovereignty over our cyberspace. We’re the Syria of cyberspace!

In the news roundup, I note that an apparent FBI raid on Tiversa is making the FTC look more and more like the dumb muscle called in to enforce someone else’s shakedown scheme. Imagine Edith Ramirez as The Hulk: “LabMD bad! FTC smash!”

Maury Shenk examines the latest Spanish decision on Google and the Right to Be Forgotten and I conclude that it’s classic TL;DR material.

Turning next to the FBI-Apple fight, I thank the President for opening SXSW for me and muse on his surprisingly strong endorsement of the FBI’s position. I also dissect the “lawyerly” affidavit submitted by Apple to deflect (though not answer) the questions I asked in an earlier blog post.

Maury and I consider whether WhatsApp is likely to be hit with an Apple-style wiretap order due to its strong end-to-end encryption, and I am surprised to hear that WhatsApp may have its own intercept backdoor, which makes an Apple order more likely.

Alan Cohn explains how a lost laptop can cost you $3.9 million. And I claim vindication when the Home Depot breach lawsuits settle at or below the Baker Range of $.50 to $2.00 per victim. Home Depot gets its bill down to $.10 to $.50 per victim – though that’s before the banks take their cut.

If you’re left feeling sorry for the plaintiffs’ bar, though, I have one word for you: malvertising. Alan notes that I’ve waited a lifetime to be able to sue the BBC and New York Times, but that time has come, as both have apparently infected their readers with ransomware.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_107.mp3
Category:general -- posted at: 4:06pm EDT

In bonus episode 106, Stewart and Alan interview Phil Reitinger, former DHS Deputy Undersecretary for Cybersecurity and Sony Corporation CISO and current Director of the new Global Cyber Alliance, making up for the famous “lost episode” that Stewart and Alan recorded with Phil on the sidelines of the RSA Conference (“The best interview I ever conducted,” according to Phil).

Stewart first asks Phil about his old organization, DHS’s National Protection and Programs Directorate (NPPD).  Phil waxes eloquent about the triumphs and travails of NPPD, and also wonders what the impact on NPPD will be from President Obama’s recent creation of a Federal Chief Information Security Officer in the Executive Office of the President (Alan wonders—less eloquently—about that too).  Phil also notes that “we are all medieval barbers” when it comes to knowing how to treat today’s cybersecurity ills (“We know where to put the leeches, but that’s about it,” says Phil).

We then get to the meat of the interview.  Alan asks Phil all about the new Global Cyber Alliance, launched in partnership with the Center for Internet Security, the New York County District Attorney’s Office (and its asset forfeiture funds), and the City of London Police Department.  Phil explains that the Alliance will not follow the example of other organizations that are long on talk and short on action, and instead will gather subject matter experts to focus on specific things, using the mantra of “Do Something.  Measure It.”  The Alliance will look in particular for issues where the global cyber community has an answer to a problem, but is struggling with implementation; the Alliance will provide the project management backbone to allow ad hoc groups of subject matter experts to drive towards implementation of the solution.  Ultimately, the Alliance wants to move from addressing specific risks to measuring and mitigating systemic cybersecurity risk—for example, the global risk of DDOS attacks—but the Alliance has no intention of leaving discrete problems unsolved while it searches for ways to address systemic problems.  Phil also explains that despite its founding partners, the Alliance will not be solely focused on cybercrime or prosecution issues, but rather will be focused on prevention.

Finally, Stewart and Phil talk about the FTC and FOIA, noting that Steptoe represented Phil in a FOIA action against the FTC to get it to disclose exactly what standards it is holding business to regarding cybersecurity and data privacy.  Phil colorfully explains the different ways in which the FTC told him to “pound sand,” and also throws around fancy legal terms like the “non-delegation doctrine."

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_106.mp3
Category:general -- posted at: 10:52am EDT

Doing our best to avoid turning this into the Applelaw podcast, episode 105 begins with Maury Shenk unpacking the new US-EU Privacy Shield details.  His take: more hassles for companies accused of noncompliance, more detailed privacy disclosures and compliance obligations for most members, and a modicum of pain for the intelligence community, but it’s still basically the same framework as the Safe Harbor.

Plenty of news from the FTC, as we ask how embarrassed the Commission should be now that one of its “common sense” security requirements has been discredited by its own chief technologist; we also ponder one Commissioner’s decision to weigh in on encryption regulation, and the Commission’s foray into security for the Internet of Things. 

Michael Vatis tells us the significance of the CFPB’s first data security enforcement order and the FCC’s new privacy rules for Internet providers.  Maury brings us mixed news on data protection skirmishes in Germany.  Hamburg’s biggest privacy hot dog looks more like chopped liver after a court ruling undercuts its jurisdictional claims, but Facebook’s “like” button may require its own “I consent” button. 

Finally, we return to the Apple-FBI case, submerge under a flood of amicus briefs, gauge the level of anger in the US government’s brief, and brace for the hearing on March 22.  In other news, I explain what Doris Day can teach us about Tim Cook, and Apple lawyers respond to concerns that China induced Apple to install probably-backdoored encryption algorithms in Chinese iPhones.  Relax, Apple’s lawyers have told journalists, the decision to install secret Chinese government crypto “was a trade issue, not a security issue.”  Well, whew!  No worries then.

In the interview, Alan Cohn and Jason Weinstein talk to Robin Weisman and Peter Van Valkenburgh from Coin Center.  Robin and Peter explain Coin Center’s ongoing work to educate policy makers about digital currencies and blockchain technology, and they correct two of the most common misconceptions about bitcoin – that it’s anonymous and that it’s unregulated.  They also discuss other possible applications for blockchain technology and help us make sense of the debate about private blockchains vs. the bitcoin blockchain. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

Direct download: Podcast_105.mp3
Category:general -- posted at: 1:33pm EDT

Live from RSA, it’s episode 104, with special guest Jim Lewis, CSIS’s renowned cybersecurity expert and Steptoe’s own Alan Cohn.  We do an extended news roundup before an RSA audience that yields several good questions for the panel.  We had invited Bruce Sewell, Apple’s General Counsel, to participate, but he didn’t show.  So we felt no constraint as we alternately criticized and mocked Apple’s legal arguments for not providing assistance to the FBI in gaining access to the San Bernardino terrorist’s phone.  We review the bidding on encryption on Capitol Hill and observe that the anti-regulatory forces have lost ground as a result of the fight Apple has picked. That leads into a discussion of China’s backdoors into the iPhone and Baidu’s role in compromising users of its products.   

We pivot to the latest details on the unfortunately named Privacy Shield, which apparently is what you call a warmed-over Safe Harbor with a few dispute resolution tweaks.  Jim Lewis speculates on whether Europe is likely to launch an effective attack on the US 702 program.  I advance the theory that Europe is happy to hate US tech companies both for cooperating with law enforcement and for not cooperating with law enforcement.  And as Brazil’s jailing of a Facebook executive shows, that sentiment is not confined to Europe.

In other news, North Korea’s hacking team has been pantsed in a recent Novetta report that strengthens the FBI’s attribution of the Sony attack – but raises questions about how effectively the administration has deterred continuing North Korean intrusions. 

In response to a question about whether Apple could solve its legal problems by building a phone that Apple itself can’t update, I point out that no one wants an unpatchable phone that can’t accept security updates.   Jim Lewis gives a quick update on his project to give advice to the next administration on cybersecurity.  Jim, Alan, and I offer bets on how long it will take for Internet companies to be regulated for security. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_104.mp3
Category:general -- posted at: 3:02pm EDT

Due to technical difficulties, the interview for the 103rd episode will be released as a separate post next week.  In the news roundup, we explore Apple’s brief against providing additional assistance to the FBI in its investigation of the San Bernardino killings. Michael Vatis finds good and bad in the brief – some entirely plausible arguments about burden mixed with implausible ones aimed more at the public than at the magistrate judge. I suggest that the burden argument may be weaker than it seems, both because the costs can be spread over many requests for assistance and because the accounting of work to be done feels “as padded as a no-bid government contract offer.” Which, now that the FBI has offered to pay Apple’s costs, is pretty much exactly what it is.

In other news, Michael and Jason Weinstein look at the California AG’s breach report, and its unlikely suggestion that the states adopt a unified approach to breach reporting. And I offer highlights and lowlights from the DHS guidelines for information sharing, shining particular light on a troubling proposal that some shared fields will have to be scrubbed by human beings before the information is passed on to at-risk sysadmins. In the words of Silicon Valley, human review doesn’t scale.

As always, the Cyberlaw Podcast welcomes feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_103.mp3
Category:general -- posted at: 11:59am EDT

What is the most surprising discovery a law firm partner makes when he jumps to the National Security Agency? I direct that and other questions at Glenn Gerstell, who has just finished six months in the job as General Counsel at the National Security Agency.

In the news roundup, we begin, of course, with the fight between Apple and the Justice Department. I open the discussion by reminding the audience that the war on terror cannot be a war on one of the world’s great religions and insisting that Apple remains a religion of peace. Michael Vatis describes the Justice Department’s latest filing, and we trade for deep discovery, not only at the FBI but also at Apple.

CFIUS has released its annual report – only eighteen months late – and the report shows continuing tough review standards from the Committee, Stephen Heifetz reports. There is no sign yet that Chinese acquisitions will experience a smoother ride in future.

Michael and I report on Google’s new effort to accommodate European data censors by geolocating users of google.com.

Finally, the judiciary is allowing defense lawyers to take a close look at the code used by the FBI to capture data about users of a child porn site seized by the Bureau.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_102.mp3
Category:general -- posted at: 6:18pm EDT

The Second Annual Triple Entente Beer Summit again filled the Washington Firehouse loft with an audience at least as knowledgeable as the panel, which consisted of Ben Wittes, Shane Harris, Stewart Baker, Tamara Cofman Wittes, and Alan Cohn. The Triple Entente Beer Summit brings together members of the Lawfare, Rational Security, and Steptoe Cyberlaw podcasts.

The topic of the day was the confrontation between Apple and the Justice Department over gaining access to the iPhone used by one of the terrorists responsible for the mass killing in San Bernardino, California. Suffice it to say that the podcast was not sponsored by Apple, nor will it be any time prior to the heat death of the universe.

We also dig into the Nitro Zeus story, claiming that in 2009 the United States prepared a massive cyberattack on Iran as an alternative to kinetic action in the event that nuclear talks failed and Iran began a nuclear breakout.

Finally, the panel explores the administration’s rekindled enthusiasm for CVE – countering violent extremism. We provide a definitive answer to the question, “Do we need more GS-14s tweeting on terrorism?” And Tamara Wittes challenges us to find the difference between late Obama and late Bush in the messaging department.

Then the audience takes over, greatly raising the tone of the podcast with a series of thoughtful questions for the panel.

It was a fine evening, and we look forward to another reunion soon.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_101.mp3
Category:general -- posted at: 12:06pm EDT

We devote episode 100 to “section 702” intelligence – the highly productive counterterrorism program that collects data on foreigners from data stored on US servers. What’s remarkable about the program is its roots: President Bush’s decision to ignore the clear language of FISA and implement collection without judicial approval. That decision has now been ratified by Congress – and will be ratified again in 2017 when the authority for it ends. But what does it say about the future of intelligence under law that our most productive innovation in intelligence only came about because the law was broken?

Our guest for the episode, David Kris, thinks that President Bush might have been able to persuade Congress to approve the program in 2001 if he’d asked. David may be right; he is a former Assistant Attorney General for National Security, the coauthor of the premier sourcebook on intelligence under law, "National Security Investigations & Prosecutions,” and the General Counsel of Intellectual Ventures. But what I find surprising is how little attention has been paid to the question. How about it? Is George Bush to FISA what Abraham Lincoln was to habeas corpus?

My interview with David leaves Lincoln to the history books and instead focuses entirely on section 702. David lays out the half-dozen issues likely to be addressed during the debate over reauthorization, including the risk that the legislation will attract efforts to limit overseas signals intelligence, now governed mainly by Executive Order 12333. He then pivots to the issues he thinks Congress should grapple with but probably won’t – from the growing ambiguity of location as a proxy for US citizenship to the failure of current intelligence law to adequately extract intelligence from the technologies that have emerged since 9/11, particularly social media and advertising technology.

In the news roundup, Maury Shenk and Michael Vatis take us deep into the US-EU agreement on “Privacy Shield” – a replacement for the Safe Harbor. The short version: there’s many a slip twixt cup and lip, but the EU has once again taken off the table its unenforceable threat to stop transatlantic data flows.

In other news, Michael and Alan explain how HIPAA became a divorce lawyer’s dream weapon.

The Brits, meanwhile, are lapping the United States in creative use of intelligence law. Maury and Michael explore how the UK proposes to bring the big webmail providers to heel.

I note the controversy at Berkeley over some garden-variety network monitoring, adopted in response to a serious health data breach. University academics are appalled to discover that protecting patient privacy might limit their ability to do what they want on university networks. HIPAA enforcers v. entitled academic lefties: all I ask is more popcorn.

Hey, remember Norse Security, the company that went to the press to say that the FBI was all wet when it attributed the Sony attack to North Korea? Well, Norse imploded last week, after a laid-off employee’s published criticisms were amplified by security blogger Brian Krebs. Choicest bit from the Norse co-founder’s post: the company “demonstrat[es] how today’s media can be manipulated by persons to suit their purposes or personal vendettas and how facts can be misrepresented to lead an entire industry astray.” Yep. You know what they say: Live by the flashy but inaccurate press report, die by the flashy but inaccurate press report.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_100.mp3
Category:general -- posted at: 3:30pm EDT

Our guest is Amit Ashkenazi, whom I interviewed while in Israel.  Amit is Legal Advisor of The Israel National Cyber Bureau and a former general counsel to Israel’s data protection agency.  Israel is drafting its own cybersecurity act, and we discuss what if anything that country can learn from the US debate – and what the US can learn from Israel’s cybersecurity experience.  We explore the challenges Israel will face in trying to start a new cybersecurity agency, how Israel strikes the balance between security and privacy, the risks of using contractors to staff a new agency, the danger of stating agency authorities with too much specificity, and why the agency is likely to look more like DHS than the FBI. 

In the news roundup, I discuss the dynamics of the Safe Harbor talks with Maury Shenk, boldly predicting that the EU will cave on the remaining issues once it’s convinced the US means business.

Jason Weinstein and I talk about the Judicial Redress Act and the gratifying Senate Judiciary Committee amendment – an amendment that the EU must have seen as a bad sign for the future if the Safe Harbor talks fail.  The Act is intended to facilitate the Justice Department’s “umbrella” agreement over data protection and law enforcement.  We conclude that it is a largely one-sided set of concessions by the United States in return for an illusory “data peace in our time.”  We nonetheless find a fine reason for the Obama administration to have accepted all these limits. 

Alan Cohn and I check in on the status of DHS’s Einstein cyberdefense program and the reasons why GAO has criticized its progress.  And we close with a bit of “dog bites man” crypto news.

As always, the Cyberlaw Podcast welcomes feedback.  Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_99.mp3
Category:general -- posted at: 6:51pm EDT

If there really is another crypto war in Washington, then this week’s podcast features several war correspondents and at least one victim of PTSD.  Our guest is Melanie Teplinsky, former cybersecurity lawyer at Steptoe, adjunct professor at American University’s Washington College of Law, advisory board member for Crowdstrike, and a regular columnist on privacy and security issues for the Christian Science Monitor.  

We cover crypto news from Davos to the New York legislature.  We also discuss my latest policy provocation, designed to unveil yet another example of European hypocrisy where privacy, data protection, and the United States are concerned.  Inspired by the still-stalled Safe Harbor talks, I announce plans to award a Europocrisy Prize for filings that force European data protection authorities to assess the adequacy of surveillance law in important European trading partners who aren’t the United States, such as China, Russia, Saudi Arabia, and Algeria.  Amazingly, in twenty years of bitter attacks on US privacy adequacy, that’s never been done.

We dig into several developments in the world of litigation.  Michael Vatis and Alan Cohn discuss several new cases:  a lawsuit claiming that fake emails should be covered by a forgery insurance policy, a hacked casino’s effort to recover from the security consultant that incorrectly told the casino its security problems had been solved, and a Minnesota decision that shoots down still more creative arguments for injury from the breach plaintiff’s bar.   

Michael tells us why the FBI isn’t apologizing for running a child porn site for two weeks in order to catch pedophiles.  And I predict with a bit of enthusiasm that the Senate Judiciary Committee will add more conditions to the Judicial Redress Act, as Congressional patience with Europocrisy begins to wear thin.   

Finally, Alan reveals that the Obama administration has just created the worst Schedule C job in government.  

Direct download: Podcast_98.mp3
Category:general -- posted at: 12:38pm EDT

Back for a rematch, John Lynch and I return to the “hackback” debate in episode 97, with Jim Lewis of CSIS providing color commentary. John Lynch is the head of the Justice Department’s computer crime section. We find more common ground than might be expected but plenty of conflict as well. I suggest that Sheriff Arpaio in Arizona may soon be dressing hackers in pink while deputizing backhackers, while Jim Lewis focuses on the risk of adverse foreign government reactions. We also consider when it’s lawful to use “web beacons” and whether trusted security professionals should be given more leeway to take action outside their customers’ networks. In response to suggestions that those who break into hacker hop points might be sued by the third parties who nominally own those hop points, I suggest that those parties could face counterclaims for negligence. We close with a surprisingly undogmatic discussion of Justice Department “no-action letters” for computer security practitioners considering novel forms of active defense. 

In the news roundup, Alan Cohn and I consider whether Twitter should worry about being sued for providing material support to ISIS.  Answer:  Yes, at least a little.  Tim Cook, too, for that matter.  

Meredith Rathbone leads us through the Wassenaar wilderness, providing glimpses of a promised land.  And Maury Shenk brings good news for sane corporate security programs from the unlikeliest of sources – the European Court of Human Rights.   

Maury reports incremental progress on cybersecurity in the only law-writing process that makes Congress’s adoption of the Cyber Security Act look expeditious.  

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

Direct download: PC_97.mp3
Category:general -- posted at: 12:57pm EDT

How do you graduate as a conservative with two Harvard degrees? We learn this and much more from Sen. Tom Cotton (R-AR), our guest for episode 96. We dive deep with the Senator on the 215 metadata program and its USA FREEDOM Act replacement. We ask what the future holds for the 702 program, one of the most important counterterrorism programs and just entering yet another round of jockeying over renewal; Sen. Cotton has already come out in favor of making the program permanent. To round things out, Sen. Cotton assesses the risks of Going Dark for our intelligence community and the difficulties that the Safe Harbor negotiations pose for US intelligence.

In the news roundup, evidence mounts that someone has hacked the Ukrainian electric grid.  Michael isn’t ready to point the finger at Russia yet; but I pretty much am. Whoever gets the blame, this probably means another aspirational cyberwar norm down the tubes.

In the United Kingdom, US tech firms are lobbying against a security bill, but Maury Shenk questions whether they’re mainly complaining about rules that are already part of UK law.

In the US, administration officials and Silicon Valley are happy talking about cooperation to discourage terrorist use of social media, but Michael isn’t sure what will come of the effort. I unveil a half-baked proposal to activate a Mom Squad, on the theory that the best weapon against radicalization of adolescents is letting their parents know what they’re up to. Michael reminds me that the government can’t tell Mom without getting a search warrant for private content, just as my daughter calls to say she’s been reading my blog and I need an intervention.

File this one in the bulging folder labeled “Privacy protects the privileged”: Volkswagen says it can’t comply with US government investigative demands because of the privacy of its employees – apparently including the privacy of employees who lied to US investigators. Maury and I explore VW’s data protection justifications, all of which seem, well, arguable.

And in short takes, as predicted, Justice wants to moot the Klayman/Leon victory over NSA. Meanwhile, NSA's General Counsel makes his maiden public statement in Lawfare, and says a few things that the Cruz campaign will welcome. Defense counsel are making explosive charges against the FBI’s handling of a child porn investigation. And in the tastiest privacy irony of the week, the EU’s otherwise pointless "cookie notice" requirement turns out to be great news for malware distributors, if no one else. Where would we be without the steady hand of wise European data protection officials?

Finally, after weeks of cajoling, our listeners have come through. We have entries in the iTunes podcast reviews, and we’re averaging five stars. Many thanks!

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


Direct download: Podcast_96.mp3
Category:general -- posted at: 1:09pm EDT

We’re back from hiatus with a boatload of news and a cautiously libertarian technologist guest in Nick Weaver of the International Computer Science Institute in Berkeley.  To start Episode 95 of the podcast, Michael Vatis and I plumb the meaning of the Cyber Security Act’s passage.  The big news?  Apparently Santa is real, state laws prohibiting employer access to social media credentials may have been preempted, at least a bit, and ISPs just got new authority to monitor traffic to find bits that threaten other people.  Now if we could just find something useful to do with the defensive measures provision … 

Maury Shenk and Alan Cohn dig into the latest deal moving a new European data protection regulation forward – and the slow-motion disaster around the Safe Harbor. 

Maury and Michael note that the encryption debate just won’t stay dead, no matter how much Silicon Valley keeps pounding the stake into its heart.  In addition to the FBI, tech companies are seeing a whole bunch of new eyes gleaming in the dark – China’s new security law, Pakistan’s fight with Blackberry, the new UK legislation, and Brazil’s shot across Whatsapp’s bow.  In every case, government has crowded Silicon Valley hard for more cooperation on access to customer data – but without (quite) insisting on a built-in backdoor.   

Speaking of governments, Michael tells us that regulators closed 2015 with a bang, with HIPAA, COPPA, and order-enforcement fines up to $100 million.  And Alan points to the CFTC’s new testing rules, which I contend may have smuggled something close to strict security liability into the Federal Register.   

Michael brings us up to date on the never-ending turmoil over what access in excess of authorization means under the CFAA.  None of us are surprised that courts think it includes access in violation of a court order.

The interview with Nick Weaver explores the charms and evils of bulk surveillance, not to mention its inevitability.  Nick analyzes the two Silicon Valley business models – which he shorthands as selling shiny stuff and selling people’s souls.  (Guess which model he disapproves of.)  Which leads us to the question of tracking terrorists as though we wanted to sell them beheading videos.  Call it Son of 702.  Which leads me to ask how soon it will be before the government blocks the sale of an online ad network to China on national security grounds.

Direct download: Podcast_95.mp3
Category:general -- posted at: 10:26am EDT

With Wyndham’s surrender to the FTC after a brutal court of appeals opinion, the last outpost of resistance to the FTC’s cybersecurity agenda is Mike Daugherty, CEO of LabMD.  Daugherty refused to take the easy road and enter into a consent decree with the FTC to settle its claim that the company’s security was insufficient because of a file-sharing program installed on the corporate network.  That decision has cost Daugherty his company.  LabMD has ceased operations.  And it took him on an extraordinary odyssey through Washington that he has described in his book, The Devil Inside the Beltway, and speeches.  I caught up with Mike at the Black Hat Executive Summit where we were both speakers, and he kindly agreed to a short interview describing some of that odyssey. 

I offered the FTC equal time to offer their perspective.  So far, they haven’t taken me up on the offer, but it remains open. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Episode_94.mp3
Category:general -- posted at: 11:25am EDT

Our guest for episode 93 is cybersecurity’s Renaissance Man. Rod Beckstrom started DHS’s National Cybersecurity Center, then headed ICANN; before and after those gigs, he was a Silicon Valley investor and officer in security startups as early as the 1990s and as recently as this year. Our interview spans Rod’s career and what it has taught him about security, privacy, law, and government.

In the news roundup, Alan Cohn and Jason Weinstein talk about proposals to require social media sites to do more about online terrorist activity. Alan and I take a dive into the EU’s achingly slow progress toward new cybersecurity rules for critical infrastructure – and how those rules will affect US companies.

Michael Vatis tells us that Michael Daugherty of LabMD is officially the only challenge facing the FTC as it sets (or at least enforces) cybersecurity requirements for American business. That’s because Wyndham Hotels has officially given up the ghost, agreeing to twenty years of privacy and security monitoring by the FTC.

Finally, Michael Vatis and I agree that encryption has become the Donald Trump of tech issues – but each of us for different reasons.

The podcast will be on hiatus over the holidays, but we won’t completely abandon you. While I was at a BlackHat Executive conference last week, I had a chance to do a short interview of Mike Daugherty about his LabMD experience, and we’ll be releasing that as a special bonus edition of the podcast over the Christmas break. (We’re holding it because I’ve offered the FTC a chance for equal time.  But we’ll be releasing the interview next week in any event, with or without the FTC’s input.)

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_93.mp3
Category:general -- posted at: 4:47pm EDT

Did China’s PLA really stop hacking US companies for commercial secrets? And does it matter? In episode 92, we ask those questions and more of two experts on the topic – Washington Post reporter Ellen Nakashima, who has broken many stories on PLA hacking, and Tony Cole, the Global Government CTO with FireEye, who has fought off his share of PLA hackers.

In the news roundup, Jason Weinstein and Michael Vatis explain how the ‘cannibal cop’ beat the rap for violating the Computer Fraud and Abuse Act. Maury Shenk and Michael mull the fate of the Safe Harbor negotiations – and question whether a deal can be done before the Christmas holidays. Meanwhile, privacy activist Max Schrems is doing his best to close off the other options US companies have used to cushion the blow from losing the Safe Harbor.

The same Europeans who want to punish US tech giants for helping fight terrorism also want to punish them for not helping fight terrorism. Michael and Maury consider the heavy pressure falling on tech companies from the EU, France, Pakistan, and even the Oval Office.

Only the judicial branch still seems like safe ground for the companies. Jason and Michael explain the immunity for ISPs whose typographic errors expose innocent people to computer searches for child porn – as well as the courts’ refusal to give effect to Congress’s plan to impose liquidated damages for privacy violations. In the most strikingly newsworthy item in the podcast, Michael accuses me of not being conservative enough. And in the least newsworthy item, Jason tells us that there is still a stalemate over a law requiring a warrant for the contents of email.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_92.mp3
Category:general -- posted at: 11:27am EDT

Is the internet really worth it? Our guest for episode 91, Jason Healey of the Atlantic Council and Columbia University, recaps a study finding that, even with a worst-case Clockwork Orange Internet, the economic benefits of networking still outweigh the losses from security failures – though the closer we get to the worst case, the more likely we are to get Leviathan Internet, where the inherently controlling aspects of the network are embraced by governments around the world.

Our post-Thanksgiving news roundup is dominated by leftovers – edible and otherwise. Larry Klayman and Judge Leon have apparently run out of time to challenge the now-deceased NSA metadata program, Michael Vatis and I note, while Section 702 has survived a rare judicial challenge.

Meanwhile, it’s beginning to look as though the FTC and LabMD really deserve each other. The FTC has launched an ill-advised appeal in its ill-advised pursuit of LabMD, Michael reports, and LabMD has returned the favor by launching a lawsuit against the three FTC staffers who pursued the company so improvidently. 

The Google cookie case has mostly crumbled, Michael tells us, but the plaintiffs still have one big bite left, raising the chilling prospect of California law as interpreted by Third Circuit judges. 

Alan Cohn describes the NRC’s new cyberattack reporting requirements – and Iranian social media attacks on government workers who don’t usually get any attention at all.

Finally, with help from loyal listener Michael Farrell, I report that China’s use of the Great Cannon to infect Western computers has been emulated by Comcast, which is using China’s technique to inject copyright warnings into users’ screens. I predict that EFF and CDT, who ignored China’s Great Cannon attacks on Western computer users and companies, will go to battle stations now that it turns out the tactic is being used by an Axis of Evil that they actually care about – Big Copyright aligned with Big ISPs.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_91.mp3
Category:general -- posted at: 10:37pm EDT

Our guest for episode 90 is Charlie Savage, New York Times reporter, talking about Power Wars, his monumental new book on the law and politics of terrorism in the Obama (and Bush) administrations.  I pronounce it superb, deeply informative, and fairly unbiased, “for a New York Times reporter.”  With that, the fat is in the fire, and Charlie and I trade views – and occasional barbs – about how the Bush and Obama administrations handled the surveillance issues that arose after 9/11.

In the news roundup, Michael Vatis and I puzzle over the FTC’s astonishing loss on its own home court.  We wonder why the FTC failed to do the right thing and drop the LabMD case when the FTC’s source began to lose credibility by the shovel-load.  I suggest that FTC leadership was suffering from the rarely spotted “Darrel Issa Derangement Syndrome.”     

Jason Weinstein deconstructs the claim that the European Union is “cracking down” on bitcoin in response to the attacks in Paris. 

Stepping out of character, I defend the value of diplomatic “words on paper,” finding promise in the G20’s announcement that all twenty members join in condemning cyberespionage for commercial purposes.  

Michael recaps the latest in litigation over the nearly expired NSA 215 program.  D.C. Circuit Judge Kavanaugh has explained why Judge Leon is wrong about the program, depriving the district court judge of the last word on the subject and demonstrating that its lawfulness can be assessed without resort to exclamation points.

Working a technology help desk could drive a man to suicide.  Until ISIS opened its own terrorist help line, though, we thought that was a bug not a feature.  In the same vein, I mock Glenn Greenwald for insisting that Snowden taught ISIS nothing about security about a week before we got to see a tech manual, apparently in use by the terror group, which invokes Fast Eddie’s advice about which remote storage systems are safe to use. 

Direct download: Podcast_90.mp3
Category:general -- posted at: 8:10pm EDT

The NSA metadata program that is set to expire in two weeks was designed to provide early warning of a terror attack planned in a foreign safe haven and carried out inside the United States.  Those are some of the most deadly terror attacks we’ve seen, from 9/11 to Mumbai.  And now Paris.   

Our guest for the podcast is Mark Shuttleworth, founder of Thawte and Canonical/Ubuntu.  He makes it clear from the start that he could hardly disagree with me less on issues such as encryption and intelligence collection.  But we nonetheless get a great tour of the technology horizon.  Mark is helping to build the future of computing, from the internet of things to mobile phones, the desktop, and the cloud.  We explore what that means for privacy and security; we even touch on artificial intelligence and just how suddenly its risks will be upon us.    

In other news, Michael Vatis and I unpack Microsoft’s ground-breaking effort to avoid US jurisdiction over its cloud – by storing data in Germany under the control of a German company.

So should the United States be terminating the 215 program just as the Paris attacks show why it was created?  That’s the question I ask in Episode 89 of the podcast as we watch the DC circuit cut short Judge Leon’s undignified race to give the program one last kick before it’s terminated.   Meanwhile, Alan Cohn and I handicap the US-EU talks aimed at reaching Safe Harbor 2.0.  

A deal appears to be within reach in principle; the main question is how many additional enforcement concessions the EU can wring from the US.  The Paris attacks will make US concessions less likely and weaken European determination to extract them, we suspect.

Finally, Michael explains how New York is showing its determination to out-regulate the feds when it comes to bank and insurance cybersecurity. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_89.mp3
Category:general -- posted at: 10:57pm EDT

Where the hell are the FTC, Silicon Valley, and CDT when human rights and privacy are on the line? If the United States announced that it had been installing malware on 2% of all the laptops that crossed US borders, the lawsuits would be flying thick and fast, and every company in Silicon Valley would be rolling out technical measures to defeat the intrusion. But when China injects malware into 2% of all the computers whose queries cross into Chinese territory, no one says boo. Not the US government, not CDT or EFF, and not the big browser companies. That’s the lesson I draw from episode 88 of the podcast, featuring an in-depth discussion of China’s Great Cannon with Adam Kozy and Johannes Gilger of Crowdstrike. They expand on their 2015 Blackhat talk about China’s deployment of Great Firewall infrastructure to hijack American and Taiwanese computers and use them in a DDOS attack against Github. 

China’s first internet email, in 1987, said “Across the Great Wall we can reach every corner of the world.” And boy, did they mean it. The question now is what the other corners of the world are going to do about it. 

In other news, Michael Vatis covers the latest Safe Harbor developments, as the European Commission releases a statement saying, more or less, that American companies can expect years of litigation over the adequacy of US privacy law. Remarkably, that’s meant to be good news. 

Speaking of dubious European claims to offer good news, Michael and I note that the UK deputy data protection commissioner has announced with pride that the Right to Be Forgotten hasn’t actually “stopped the internet working.” So far; but the net is young. 

I summarize an earlier blog post claiming that the crypto wars are over and USTR has handed Jim Comey a loss while Mary Jo White gets a win. This because the Trans-Pacific Partnership trade deal included language prohibiting members from demanding encryption keys for most purposes other than financial regulation. I also acknowledge a significant caveat drawn to my attention by Simon Lester of Cato: Despite the TPP, a member is free to adopt any measure “that it considers necessary for … the protection of its own essential security.” If Jim Comey’s lawyers can’t squeeze his key access proposals into that provision, the “essential security” of their jobs is seriously at risk. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_88.mp3
Category:general -- posted at: 11:26am EDT

What good is CISA, anyway?

Now that both the House and Senate have passed information sharing bills that are strikingly similar but not identical, the prospects for a change in the law are good. But what are those changes, and how much difference will they make to network defenders?

That’s the topic we explore in episode 87 with our guest, Ari Schwartz. Ari has just finished a tour as senior director for cybersecurity on the United States National Security Council Staff at the White House. He and I and Alan Cohn go deep into the weeds so you won’t have to. Our conclusion? The main value of the bill is that it frees some companies from aging privacy rules that prevented information sharing with groups that include the government. It also enables companies to monitor their networks without fear of liability under even older privacy laws preventing interception of communications without all parties’ consent. The other lesson to be drawn from the bill is that privacy groups are still something of a paper tiger without business support. More than seventy senators voted for CISA over the bleeding bodies of every privacy group in the country.

In other news, Maury Shenk and I unpack the latest claim that the US and EU have agreed in principle on a deal to replace the Safe Harbor struck down by the European Court of Justice. We’re profoundly skeptical that a deal will be reached quickly, or that it will actually give companies much in the way of safety. 

Jason Weinstein provides a blow-by-blow recounting of the fight between Apple and the Justice Department. The real question is whether Magistrate Judge Orenstein will call the fight for Apple before the defendant is sentenced. We think he will.

Also in the category of “Put me in the newspaper, I’m a pro-privacy judge,” the Fourth Circuit panel that insisted on a warrant for historical cell tower location data had better enjoy their fifteen minutes of fame now. Their opinion is going to be reviewed en banc – and Jason and I are betting it won’t survive.

Finally, it looks as though privacy groups didn’t just waste money asking the Second Circuit to block the last month of the section 215 bulk collection program. They actually managed to effectively overrule the only court of appeals decision finding the program unlawful. In rejecting the privacy campaigners’ motion for an injunction, the Second Circuit declared that Congress had knowingly authorized it and therefore that it no longer violated the relevant statute. Pyrrhus salut.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_87.mp3
Category:general -- posted at: 4:58pm EDT

Are Russian hacker-spies a bunch of lethargic government drones more interested in smash-and-grabs than stealth? That’s one of the questions we pose to Mikko Hypponen in episode 86 (right after we ask about how to pronounce his name; turns out, that’s harder than you think). Mikko is the Chief Research Officer at F-Secure and a long-time expert in computer security who has spoken and consulted around the world for over 20 years. His company recently published a lengthy paper on Russian government cyberspies, which F-Secure calls “the Dukes.” Mikko describes the Dukes’ targets and tactics, including a remarkably indiscriminate attack on a Tor exit node. I press him on whether attribution is really getting better, and on whether F-Secure’s paper eases or heightens concerns about Kaspersky’s ties to Russian intelligence.

Mikko also joins us for the news roundup, where we do a damage assessment from the ECJ’s Safe Harbor demolition and I critique Brad Smith’s implausible solution to the transatlantic data rift. We explain why Israel has decided to cut off data transfers to the U.S. (hint: it’s not concerns about aggressive counterterror surveillance). 

And I wonder whether the House of Representatives passage of the Judicial Redress Act makes Jim Sensenbrenner the abused spouse of the European Commission (“I was going to give you this nice cause of action for your citizens when you slapped me upside the head with the Safe Harbor ruling. So, uh, here it is anyway. Now do you love me?”).

CISA comes to the floor at last. I scope the pending amendments. Two of them would greatly increase the “privacy tax” on information sharing; the only good thing about Senator Wyden’s and Senator Heller’s proposals is how much business they will create for lawyers. Senator Franken has an amendment that strips the mask from the privacy lobby. The privacy groups that support the Franken amendment aren’t just pro-privacy, they’re anti-security. The amendment would prevent companies from sharing information that might disclose a security risk and require instead an individualized determination that the signature makes a compromise “reasonably likely.” The fight over the Cotton amendment to allow sharing with the FBI or Secret Service rather than DHS, meanwhile, looks like a turf fight disguised as a privacy issue.

In other news, we absolve CIA director Brennan of accusations of bad security in his email hack. And in the back of the paper, where the dog-bites-man stories go, CrowdStrike finds that Chinese cyberspies haven’t yet stopped stealing commercial secrets.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_86.mp3
Category:general -- posted at: 4:28pm EDT

Want to see cyber attribution and deterrence in action? In August, a hacker pulled the names of US military personnel and others out of a corporate network and passed them to ISIL. British jihadist Junaid Hussain exulted when ISIL released the names. “They have us on their ‘hit list,’ and we have them on ours too…,” he tweeted. On the whole, I’d rather be on theirs. Two weeks after his tweet, Hussain was killed in a US airstrike, and two months after that, the hacker was arrested in Malaysia on a US warrant.

We explore that story and more with Gen. Michael Hayden, the only person to serve as both Director of the National Security Agency and of the Central Intelligence Agency. Gen. Hayden explains why he differs with FBI Director Comey on encryption and with the European Court of Justice on whether the US sufficiently respects privacy rights, along with other topics.

Our news roundup dwells again on the ECJ’s decision and the Article 29 Working Party press release on the decision, a release characterized by far more bold font than bold thinking. In other news, magistrates are revolting again, or maybe still, as Magistrate Judge Orenstein hints that Apple’s desire to thwart law enforcement should trump law enforcement’s interest in getting evidence off a locked phone.

Cyber insurance rates are rising, raising questions about who should be covered and whether insurance companies will do the security regulating the government is reluctant to do.

Meanwhile, we’re treated to dueling Wassenaar leaks from government. State says the intrusion software language will be revised, not rewritten, while Commerce insists nothing is decided. There’s really nothing like the last year of an administration, when every agency has its own policy agenda – and apparently its own spin room. If there were any doubt about whether Commerce is right to want an explanation from the Europeans about how (or, more accurately, whether) they’re enforcing this provision, Citizen Lab provides it with a new report showing that the surreptitious access tool sold by Europe’s FinFisher is present in more than 30 countries, not all of whose civil liberties laws meet a standard set by the United States – or even the lower bar set by the European Union.

Direct download: Podcast_85.mp3
Category:general -- posted at: 11:08am EDT

In episode 84 our guest is Jack Goldsmith, Professor at Harvard Law School, a Senior Fellow at the Hoover Institution at Stanford University, and co-founder of the Lawfare blog. Before coming to Harvard, he served as Assistant Attorney General, Office of Legal Counsel and as Special Counsel to the Department of Defense. From cyberespionage to the right to be forgotten and the end of the Safe Harbor, we explore the many ways in which a globalized economy has tied the US government’s hands in cybersecurity matters – and subjected the United States to extensive extraterritorial “soft power” at the hands of Europeans. 

In the news roundup, the headline news is the continuing fallout from the ECJ’s attack on the Safe Harbor. Michael Vatis and Maury Shenk bring us up to date. Jason Weinstein explains why the latest convicted hacker thinks he should be a civil liberties hero/victim – and why weev is every bit the loathsome troll we thought he was when he went to prison.

Michael Vatis explains DOD’s latest cybersecurity rules for contractors. We conclude that DOD is boldly going where no agency has gone before – mandating cybersecurity with traditional command and control regulation. It’s an experiment that many will be watching.

And in another turnabout, banks have discovered the joys of bringing a plaintiffs’ class action – against Target for its credit card breach. We ask whether this means they’ll join the plaintiffs’ bar to oppose further class action reform. Jason also explains the latest ruling in a data breach claim against Coca Cola.

And the White House has made a decision on whether to seek legislation on law enforcement access to encryption. The memo offered three options:

  1. Don’t seek legislation and brag about it.
  2. Don’t seek legislation and keep hoping for help from Silicon Valley.
  3. Continue the current course of not seeking legislation.

To no one’s surprise, the White House has chosen not to seek legislation.

Also to no one’s surprise but almost everyone’s embarrassment, Judge Leon is still stumping relentlessly after his white whale, the NSA section 215 program, crying “You can’t die! I haven’t had a chance to kill you yet!” It looks like the program won’t be the only thing put out of its misery by the end of November.

Speaking of which, our intro music has been put out of its misery after 83 episodes and not a few complaints. Thanks to all who voted to help us choose a new theme song. And thanks especially to Jason Weinstein’s son, who won the contest going away.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_84.mp3
Category:general -- posted at: 3:26pm EDT

Bruce Schneier joins Stewart Baker and Alan Cohn for an episode recorded live in front of an audience of security and privacy professionals.  Appearing at the conference Privacy. Security. Risk. 2015., sponsored by the IAPP and the Cloud Security Alliance, Bruce Schneier talks through recent developments in law and technology.

The three of us stare into the pit opened by an overwrought (and overdue and overweening) European Court of Justice advisor. If the European Court of Justice follows his lead (and what seems to be its inclinations), we could face a true crisis in transatlantic relations.

VW’s decision to hack its own emissions control software leads to a deep dive into the internet of things that lie to us, the value (or not) of open source, and whether plausible deniability is the next skill that programmers will have to learn.

We also talk China, the OPM hack, and the unique value and unique vulnerability of biometric authenticators. Bruce and Alan dig into the proposed export control rules for intrusion software; when they’re done, so is the case for the rules. The right to be forgotten leads to an exploration of when we should delegate law-making to private companies. I promise a detailed analysis in the future of Google’s law-making to date, and hint that it will not make us more fond of private and hidden law making.

Finally, I ask a hard question about Edward Snowden that no one has asked since he first burst on the scene: Is he so in the tank for the Digital Millennium Copyright Act that he can’t imagine intelligent life anywhere in the universe without it?

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.  More importantly, we need feedback on whether to replace our theme music, and with what.  Please take a listen to the samples at www.steptoe.com/cybermusic and vote for your favorite.  Voting closes on October 9.

Direct download: Podcast_83.mp3
Category:general -- posted at: 12:38pm EDT

Cyberlaw negotiations are the theme of episode 82, as the US and China strike a potentially significant agreement on commercial cyberespionage and Europeans focus on tearing up agreements with the US and intruding on US sovereignty.

Our guest for the episode is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies.  Most importantly, Jim is one of the most deeply informed and insightful commentators on China and cybersecurity.  He offers new perspectives on the Obama-Xi summit and what it means for cyberespionage.

Meanwhile, the news roundup is full of flamboyant European attacks on US sovereignty and US agreements with Europe.  In a pending case involving Facebook, a highly influential advisor to the European Court of Justice has fired both barrels pointblank at the Safe Harbor privacy agreement with the United States.  First, he concludes that any data protection authority is free to defy the primacy of Brussels and refuse to give effect to the EU’s determination that US practices under the Safe Harbor are “adequate” for data transfer purposes.  Second, he concludes that US practices are not adequate because section 702 of the Foreign Intelligence Surveillance Act and other US law permits intelligence collection of European data on a mass scale.  Maury Shenk and I agree that, if followed by the Court, this will be an enormous problem for the transatlantic relationship.  I wonder why we’re giving Europeans the protection of the Privacy Act when their institutions are actively seeking to thwart one of our most effective counterterrorism intelligence programs.

Not to be outdone, Paris put the boot in as well, telling Google that censoring search results on google.fr was not enough.  The right to be forgotten had to be extended to google.com, so that Americans and the rest of the world could be censored at the command of privacy bureaucrats in France’s data protection authority.  Maury and I identify the biggest unanswered question:  Has Google already started to censor its .com search results?

And India seems intent on playing on both sides of the US debate over encryption and lawful access.  After coming down hard for Jim Comey’s side in a draft regulation, Michael Vatis and I note, the Indian government has had a change of heart, withdrawing the draft while leaving uncertain what will replace it.

Finally, in one piece of domestic news, Jason Weinstein unpacks a ruling that refuses to enforce an SEC demand for the passcodes needed to unlock phones.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.  More importantly, we need feedback on whether to replace our theme music, and with what.  Please take a listen to the samples at www.steptoe.com/cybermusic and vote for your favorite.  Voting closes on October 9.

Direct download: Podcast_82.mp3
Category:general -- posted at: 6:18pm EDT

Episode 81 features China in the Bull Shop, as the White House prepares for President Xi’s visit and what could be ugly talks on cyber issues. Our guest commentator, Margie Gilbert, is a network security professional with service at NSA, CIA, ODNI, Congress, and the NSC. Now at Team Cymru, she’s able to offer a career’s worth of perspective on how three Presidents have tried to remedy the country’s unpreparedness for network intrusions.

In the news roundup, there’s a high likelihood that President Obama will be accusing and Xi will be denying China’s role in cyberespionage. You might say it’s a “he said, Xi said” issue. Alan Cohn and I debate whether the US should settle for a “no first use” assurance to protect critical infrastructure in peacetime.  

On encryption, the White House (and Silicon Valley) are certainly raising the issue’s visibility. But they aren’t necessarily persuading anyone who isn’t already persuaded. From MI5 to the NYDFS to the new Indian government, dissing strong encryption is a surprisingly popular pastime.

The never-ending saga of when email content can be obtained with something less than probable cause and a warrant seems to be winding down to a bizarre resolution. Agencies investigating terrorists and white collar fraud that costs consumers hundreds of millions will have to jump through the warrant hoop. Agencies looking to impose regulatory penalties or file civil claims will not. Michael Vatis, Jason Weinstein, and I wonder aloud whether this realpolitik accommodation between politicians who love civil liberties and politicians who hate banks will survive its internal contradictions.

After a decade of stutter-stepping, the EU is bailing on its own data retention law, leaving the issue, and the mess, to member states. Maury Shenk provides a definitive short analysis.

Elsewhere, Judge Leon gets the section 215 plaintiff he sought with everything short of a personal ad on Craigslist, practically guaranteeing another storm of exclamation points in F.Supp. – followed by a lengthy proceeding to have his opinion vacated as moot.

In good news, a Heartland hacker pleads guilty. Jason Weinstein celebrates – as much as is seemly for someone involved in the case. And in a rare moment of humility, I confess to having learned something from listener criticism, as Robert Horn schools me on some of the lesser-known risks associated with health data breaches.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. More importantly, we need feedback on whether to replace our theme music; please take a listen to the samples at http://www.steptoe.com/cybermusic and vote for your favorite. Voting closes on October 9.

Direct download: Podcast_81.mp3
Category:general -- posted at: 11:28am EDT

Still trying to dig out from under our hiatus backlog, we devote episode 80 to our regulars. We’ll bring back a guest next week. This week it’s a double dose of Jason Weinstein, Michael Vatis, Stewart Baker, and Congress-watcher Doug Kantor.

Michael offers an analysis of the Second Circuit’s oral argument in the Microsoft lawsuit over producing data stored in Ireland. The good news: it was a hot bench, deeply engaged, that let oral argument go to triple the usual length. The bad news for Microsoft: by far the hottest member of the panel was Judge Lynch, who made no secret of his deep opposition to Microsoft’s arguments. 

I offered a skeptical view of the US-EU umbrella “deal” on exchange of law enforcement data and the “Judicial Redress Act” that Congress seems ready to rush through in support of the agreement. The problem? It looks as though DOJ sold out the rest of government and much of industry. Justice promised to make the one change in US law the EU wants, granting Europeans a right of action under the Privacy Act, in exchange for, well, pretty much nothing except a bit of peace of mind for DOJ. Since the EU is more a receiver than sender of data, it already has a lot of leverage in data exchanges and there haven’t been many attempts to thwart the exchange of strictly criminal evidence. What the US really wants is for the EU to stop threatening the Safe Harbor, to stop penalizing US companies to pressure the US government about its use of data, and to guarantee that it isn’t holding the US to higher privacy standards than it imposes on EU governments. The DOJ-led negotiations got none of those concessions. And I’m willing to bet that the EU didn’t even give up the right to bitch, moan, and cut off data flows in the future if it doesn’t like how the umbrella applies. (On top of everything, the agreement is still under wraps, so the rush to praise and implement it is particularly imprudent.)

Michael and Jason deliberate on why Justice would obtain a text intercept order for Apple and then not react to the utterly predictable claim by Apple that it had no way to implement such an intercept. We note the further irony of Apple simultaneously defying the US government on privacy grounds while rushing to comply with Russia’s anti-privacy localization law.

The administration seems unable to impose sanctions on China’s cyberattackers or to stop talking about imposing sanctions on China’s cyberattackers. Sounds like a job for Stewart Baker! I offer my proposed sanctions for the Github attack, already laid out in detail here and here.

One barrier to sanctions may be the fear of hitting the wrong target, and in that regard, the Justice Department is wearing a full coat of egg after dropping its indictment of a purported Chinese spy amid allegations that it had simply misunderstood the technology in question. 

Doug Kantor offers a detailed and surprisingly upbeat assessment of the information-sharing bills’ chances for passage later this year. We also alert defense contractors to an expanded breach disclosure obligation.

And, finally, we decide to crowdsource the decision whether to keep our current theme music or to adopt one of three challengers. One of the candidates gets a heart-tugging endorsement from Jason that you’ll have to listen to the podcast to hear. Here’s the link to listen and vote for your favorite: www.steptoe.com/cybermusic.

The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_80.mp3
Category:general -- posted at: 10:51am EDT

The cyberlaw podcast is back from hiatus with a bang. Our guest is Peter Singer, author of Ghost Fleet, a Tom Clancy-esque thriller designed to illustrate the author’s policy and military chops. The book features a military conflict with China that uses all the weapons the United States and China are likely to deploy in the next decade. These include China’s devilishly effective sabotage of the US defense supply chain, Silicon Valley’s deployment of a letter of marque, and some spot-on predictions of the likely response of our sometime allies. 

Episode 79 also recaps some of the most significant cyberlaw developments of the past month.

First, to no one’s surprise, the cybersecurity disaster just keeps getting worse, and the climate for victims does too: breach losses are being measured in the tens or even hundreds of millions of dollars, with a networking company losing $30 million and unlawful insider trading profits reaching $100 million.

Meanwhile, the courts are less than sympathetic. The Seventh Circuit cleared the way for a breach suit against Neiman Marcus, while the FTC and the Third Circuit were kicking Wyndham around the courtroom and down the courthouse steps. We wonder what exactly Wyndham did to earn the court’s ire. 

Next, we savor the “long, withdrawing roar” of 215 metadata litigation, as privacy groups try with ever more desperation to pile a judicial ruling on top of their Congressional win. We ask what the hell the DC Circuit’s splintered ruling means, and whether Judge Leon is really determined to jam still more exclamation points into the case despite its imminent mootness. (Answer from Judge Leon: Hell, yes!!!) Privacy groups are agitating for the Second Circuit to issue an injunction against the program. We ask: is that as dumb and violative of ordinary judicial procedures as it sounds? Stay tuned.

Finally, the messy fight over location data and the warrant requirement just won’t die, and may be metastasizing. Judge Koh and the Fourth Circuit say a warrant is needed for location data, revitalizing a circuit conflict that looked as though it was curing itself. Meanwhile, DOJ gets in the act, declaring as a matter of policy that federal use of stingrays needs a warrant. Could the result be that thousands of Baltimore cases are now at risk? Luckily, Jason Weinstein hints, most of those cases wouldn’t have yielded a conviction anyway.

The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_79.mp3
Category:general -- posted at: 12:04pm EDT

Bonus Episode 78: Dmitri Alperovitch, Harvey Rishikof, Stewart Baker, and Melanie Teplinsky debate whether the United States should start doing commercial espionage. 

I know, I know, we promised that the Cyberlaw Podcast would go on hiatus for the month of August.  But we also hinted that there might be a bonus episode.  And here it is, a stimulating panel discussion sponsored by the Atlantic Council and moderated by Melanie Teplinsky.  The topic is whether the United States should abandon its longstanding policy of refusing to steal the commercial secrets of foreigners to help American companies compete.  The discussion is lively, with plenty of disagreements and an audience vote at the start and finish of the discussion to gauge how persuasive we were.  Enjoy!

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Episode_78.mp3
Category:general -- posted at: 11:13am EDT

Our guest for episode 77 is Bruce Andrews, the deputy secretary of the Commerce Department. Alan Cohn and I pepper Bruce with questions about export controls on cybersecurity technology, stopping commercial cyberespionage, the future of the NIST cybersecurity framework, and how we can get on future cybersecurity trade missions, among other things.

In the news roundup, Alan and I puzzle over the administration’s reluctance to blame China for its hacks of US agencies.

The furor over cybersecurity export controls continues unabated, with a couple of hundred hostile comments filed and Congress beginning to stir. Alan Cohn fills us in.

The UK high court ruling on data retention makes history but maybe only the most evanescent of law. Alan and I discuss whether the ruling will resemble Marbury v. Madison in more ways than one.

France finalizes expansion of surveillance. Bush administration figures come out against back doors. Cyberweek begins and, the cyber left hopes, ends without progress on CISA.

This Week in Prurient Cybersecurity: The first Ashley Madison subscriber is outed. And he’s Canadian. Looks like the nights really are longer up there. Ottawa apparently leads the world in percentage of would-be adulterers, followed by Washington, DC. No further comment seems necessary.

And Bloomberg says that the Chinese attempt to build a database on Americans didn’t begin with OPM or Anthem, but with the compromise of travel databases two years ago.

This time, Alan hints, the FTC may throw away the key, as it once again takes action against LifeLock. And the Seventh Circuit wades into the debate over how much harm a data breach plaintiff must suffer to have standing to sue.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_77.mp3
Category:general -- posted at: 3:37pm EDT

Episode 76 of the podcast features the power couple of privacy and cybersecurity, Peter Swire and Annie Antón, both professors at Georgia Institute of Technology. I question them on topics from the USA FREEDOM Act to the enduring gulf between writing law and writing code. 

In the news roundup, as our listeners have come to expect, we do indeed return to our recurring feature, This Week in Prurient Cybersecurity, with a riff on the Ashley Madison hack. But you’ll have to wait until the end, when we’re loosened up. 

We begin more soberly, with Jason Weinstein and Michael Vatis covering the courts’ mopping up after passage of the USA FREEDOM Act. The DC Circuit has received supplemental briefs on Section 215, and the ACLU is leading the hopeless charge against the 215 program in the Second Circuit.

The Hacking Team doxxing draws attention to the risk involved in hiring hackers. When they’re disgruntled, they don’t just slam the door on the way out. Still, Alan Cohn and I can’t help but be fascinated by the Hacking Team proposal to use drones to hover over the target, intercepting his Wi-Fi connection.

In regulatory news, Alan Cohn and Jason Weinstein discuss the FERC’s revisions to the CIP cybersecurity requirements, with a focus on supply chain practices, and a Boston hospital’s settlement of HIPAA charges, prompting me to ask whether HHS’s Office of Civil Rights is the most hypocritically aggressive privacy regulator in government.

Russia’s Right to Be Forgotten law is signed, after further tweaks. And Google announces that it has officially tipped more than one million links into the dustbin of history.

I respond to listener feedback by walking back my mockery of Tony Scott’s “TLS Everywhere” initiative, noting that it might have some modest security benefits after all. Instead of “privacy theater” perhaps I should have called it a “privacy skit.” And as attribution gets better, so does the temptation to fly false flags. It looks as though the Russians will pioneer this particular development, attacking US sites under the nom de guerre of the Cyber Caliphate. And the US government response to the Russian attacks? A predictable silence.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_76.mp3
Category:general -- posted at: 4:29pm EDT

Bitcoin and the blockchain – how do they work and what do they mean for financial and government services and for consumers? And who holds massive stores of bitcoin that can’t be spent without solving one of the great financial mysteries of our time? Our guest for episode 75 is Michael Casey, former senior columnist for the Wall Street Journal and – as of last week – senior advisor at the MIT Media Lab’s Digital Currency Initiative. Michael is also the author, along with his former Wall Street Journal colleague Paul Vigna, of The Age of Cryptocurrency:  How Bitcoin and Digital Money Are Challenging the Global Economic Order. Alan Cohn and Jason Weinstein interview him about bitcoin and its underestimated enabling technology, the blockchain.

In the news roundup, Meredith Rathbone, Alan Cohn, and I dive into the Commerce Department’s sweeping proposal for new regulation of the cybersecurity industry under the Wassenaar arrangement. With comments due on July 20, security companies are beginning to identify a host of unintended regulatory consequences.

The FBI and Justice Department had a surprisingly good week complaining about technologists’ deployment of ubiquitous unbreakable encryption. A group of cryptographers offered a contrary view, and I critiqued their position in the roundup and in a blog post.

Hacking Team was itself hacked, with its internal correspondence spread across the internet. One quick lesson: if anyone is expecting export controls to stop sales of hacking tools to repressive regimes, they aren’t paying attention to the Italian government’s licensing policies.

Finally, the right to be forgotten looks like a bad idea whose time has come. Jason doubts that Consumer Watchdog will succeed in smuggling the right to be forgotten into the FTC Act, perhaps because the act is already bulging at the seams. Canadian courts, in contrast, seem happy to impose their speech rules on Americans – whether or not Canadian courts have, you know, jurisdiction over the Americans.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Episode_75.mp3
Category:general -- posted at: 4:30pm EDT

Our guest commentator for episode 74 is Catherine Lotrionte, a recognized expert on international cyberlaw and the associate director of the Institute for Law, Science and Global Security at Georgetown University.  We dive deep on the United Nations Group of Government Experts, and the recent agreement of that group on a few basic norms for cyberspace.  Predictably, I break out in hives at the third mention of “norms” and default to jokes about “Cheers.”

In the news roundup, Michael Vatis and I sort through China’s ever-growing list of vague laws expressing determination to control technology for security purposes.  Jason Weinstein explains the FTC’s settlement with the makers of a stealthy digital currency mining app.  He and Michael also note the remarkably belated filing of a class action arising from the Anthem hack – and cast doubt on whether the class can be sustained.

Speaking of class actions, the OPM hack has also led to litigation.  All the Cyberlaw commentators are in the class, and none of us expect the litigation to succeed.  And speaking of the FTC, it has released new security guidance, a kind of Restatement of FTC Security Law, explaining just how wisely the FTC settled its 50-plus security cases.  I provide a quick update on the status of my FOIA lawsuit on behalf of Phil Reitinger, in which we try to find out what security standards the FTC is actually using to decide which companies are in violation of the law.

In NSA news, the Foreign Intelligence Surveillance Court says the Second Circuit’s opinion on NSA’s 215 metadata program was unpersuasive and mischaracterized the program.  In judicial circles, the trash talk doesn’t get much trashier.  Since this all becomes irrelevant when the program ends later this year, the FISC will likely have the last word.  And WikiLeaks is rolling out more alleged NSA docs, this time focusing on Germany and Brazil.  The documents don’t seem to be from Snowden, and WikiLeaks offers no provenance for them.  Hmm.  Maybe we ought to take another look at those stories claiming that WikiLeaks has been infiltrated by Russian intelligence.  

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_74.mp3
Category:general -- posted at: 4:14pm EDT

Our guest for Episode 73 is Rob Knake, currently the Council on Foreign Relations Senior Fellow for Cyber Policy and formerly with DHS, the White House, and the Richard Clarke finishing school for cybersecurity policymakers. Rob and I are quickly embroiled in disagreement; as usual, I mock the cyberspace “norms” that Rob supports and disagree with his surprisingly common view that the US shouldn’t react strongly to Chinese hacking of the OPM database. But we come together to condemn the gobsmackingly limp US response to China’s attack on Github.

In the news roundup, Alan Cohn and Jason Weinstein explain attribution problems in the Cardinals-Astros hacking case. Somehow the Broncos also figure in the discussion.

Want to know why President Obama was foolish to promise he wouldn’t spy on the French President’s communications? The answer is supplied by WikiLeaks, which discloses that the last French President was caught trying to end run the United States on Palestinian issues. WikiLeaks of course thinks that shows American perfidy.

Google, meanwhile, fought the good fight to overcome a gag order and disclose an investigation of WikiLeaks soulmate Jacob Appelbaum. Most interesting item in the 300 pages of documents released by the Justice Department? The Department’s hint that those who Twitter-bully tech companies over their transparency records may be engaged in witness intimidation.

And in a recurring feature, This Week in Prurient Cyberlaw, we unpack the surprisingly complex problem of how Google identifies and delinks revenge porn.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_73.mp3
Category:general -- posted at: 11:50am EDT