The Cyberlaw Podcast

Our interview is with Sultan Meghji, CEO of Neocova. We cover the large Chinese investment in quantum technology and what it means for the United States. It’s possible that Chinese physicists are even better than American physicists at extracting funding from their government. Indeed, it looks as though some quantum tech, such as the use of entangled particles to identify eavesdropping, may turn out to have dubious military value. But not all. Sultan thinks the threat of special purpose quantum computing to break encryption poses a real, near-term threat to U.S. financial institutions’ security.

In the News Roundup, we cover the new California Consumer Privacy Act regulations, which devote a surprising amount of their 24 pages to fixing problems caused by the Act’s feel-good promise that consumers can access and delete the information companies have on them. Speaking of feel-good laws that are full of liability land mines for companies, the Supreme Court has let stand a Ninth Circuit ruling that allows blind people to sue under the Americans with Disabilities Act if websites don’t accommodate their needs. Nick Weaver and I explore the risks of making law by retroactively imposing liability.

Weirdly for a populist administration that says it hates the big social platforms for restricting speech, the Trump trade negotiators are actually expanding Section 230 immunities for Silicon Valley that both left and right have begun to question. The expansion is buried in hard-to-amend and even-harder-to-repeal trade agreements. By way of explanation, I explain the Realpolitik of trade deals. As if to prove my point, the U.S. and Japan have signed a Digital Trade Agreement that has much the same provision.

Nick and I muse on the rise of Commerce Department sanctions on individual companies. In a way, such sanctions are a less harsh alternative to OFAC boycotts, but like antibiotics, they either destroy the target or teach it to develop better resistance for the future.

Does TLS stand for “Tough Luck, Sucker?” That’s the message of a new and clever form of malware, softly attributed to the Russian FSB.

Apple, having banned, then unbanned an app that locates police activity in Hong Kong, has re-banned it. Tim Cook’s explanation triggers Nick’s bovine excrement detection system. In a Final Four of Hypocritical Surrender, LeBron and the NBA give ESPN a run for its money. South Park fails to qualify.

Matthew Heiman and I discuss India’s effort to create a national facial recognition system. Naturally BuzzFeed News thinks it’s evil.

Nick and I consider DHS’s request for the power to subpoena ISPs to identify owners of compromised systems. I critique Herb Lin’s suggestion that the ISPs can solve the problem without giving data to DHS.

As Matthew notes, it was just last month that the French government gave the world a stiff-necked little lecture on respecting sovereignty in cyberspace. So why are French police helping reprogram computers in Latin America? Because it’s different when the French are doing it than when it’s done to them, I surmise.

A recent “good guy with a keyboard” story offers me one more chance to ask why someone who’s rescued hundreds from ransomware should have to worry for one minute about liability for the compromised C2 machines he re-compromised in the rescue.

Matthew and I try to simplify a complex ruling from two FISA courts. Among the takeaways: The FBI has been running a lot of searches against 702 databases (3.1 million a year!), and the FISA courts are overusing the Fourth Amendment, which in FISA minimization cases is like trying to do brain surgery with a chainsaw.

Argh! That embarrassing Bloomberg Supermicro story is back. Sort of. Wired has shown that something like this could really be done. Which, Nick points out, we already knew.

I give a shoutout to Jennifer Daskal and Peter Swire for their useful overview of the U.K.-U.S. CLOUD Act, but I wonder if mutual “no targeting of the other country’s nationals” assurances are a scalable solution.

Finally, Matthew reviews the second volume of the Senate Intelligence Committee’s investigation into Russian election interference. The TL;DR? The Russians did what you think they did. Mildly surprising: After starting out just trying to hurt Hillary, by the end the Russians seem to have been trying to help Trump too.

Download the 282nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-282.mp3
Category:general -- posted at: 6:20pm EDT

Today’s episode opens with a truly disturbing bit of neocolonial judicial lawmaking from the Court of Justice of the European Union. The CJEU ruled that an Austrian court can order Facebook to take down statements about an Austrian politician. Called an “oaf” and a “fascist,” the politician more or less proved the truth of the accusations by suing to keep that and similar statements off Facebook worldwide. Trying to find allies for my proposal to adopt blocking legislation to protect the First Amendment from foreign government interference, I argue that President Trump should support such a law. After all, if he were ever to insult a European politician on Twitter, this ruling could lead to litigation that takes his Twitter account offline. True, he could criticize the judges responsible for the judgment as “French” or “German” without upsetting CNN, but that would be cold comfort. At last, a legislative and international agenda for the Age of Trump!

Nick Weaver returns to give the FDA a better report card than I expected on its approach to cybersecurity. But we agree that the state of medical device and implant security remains parlous.

I try my hand at explaining the D.C. Circuit’s Net Neutrality ruling in Mozilla v. FCC. There are still some rounds to be played, but Net Neutrality, if not dead, may at least be pining for the fjords.

Introducing a new feature: This Week in Elizabeth Warren. She has a plan to revive the Congressional Office of Technology Assessment. Nick likes the idea. I’m less enthusiastic, perhaps because I actually did some work for OTA before it disappeared.

Nick also helps unpack the flap over Google’s proposal to do DNS-over-HTTPS, and why ISPs aren’t happy about it. Bottom line: If you haven’t been paying much attention to the issue, you’ve made the right choice. Just think of how much time you saved by listening to the podcast!

Nick explains how Uzbekistan managed to give cyberattacks an aura, not of menace or invincibility, but of clownish incompetence.

David Kris explains the objections from privacy advocates and NGOs to the French government’s use of nationwide facial recognition for its ID program. I suggest that this may be the dumbest face recognition privacy “scandal” in history.

The cops shut down a Dark Web data center operating from… a NATO bunker? Nick reveals that the main reason to operate from a NATO bunker is, well, marketing.

Apparently channeling Stewart Baker, Attorney General Bill Barr is all-in on discouraging mass-market warrant-proof encryption. Nick thinks he’s picked the wrong fight. And maybe Nick’s right, since the civil-liberties shine on Apple is looking a little scuffed these days.

David tells us that NSA has launched a new defense directorate with Anne Neuberger at its helm. I promise to have her on the podcast early next year.

David talks about the California man charged with delivering classified information to China’s Ministry of State Security.

A Yahoo engineer pleads guilty to hacking emails for pornographic images. I’m surprised this doesn’t happen every month.

And in a sign that Congress can reach bipartisan agreement on bills that do more or less nothing, both the House and the Senate have adopted bills authorizing (but not funding) DHS “cyber hunt” teams to help local governments suffering from cyber ransom and other attacks.

Bringing back an old favorite, I cover the hacking of an electronic billboard to play porn.

Download the 281st Episode (mp3).

Direct download: TheCyberlawPodcast-281.mp3
Category:general -- posted at: 12:53pm EDT

In this episode I cross swords with John Samples of the Cato Institute on Silicon Valley’s efforts to disadvantage conservative speech and what to do about it. I accuse him of Panglossian libertarianism; he challenges me to identify any way in which bringing government into the dispute will make things better. I say government is already in it, citing TikTok’s People’s Republic of China-friendly “community standards” and Silicon Valley’s obeisance to European standards on hate speech and terror incitement. Disagreeing on how deep the Valley’s bias runs, we agree to put our money where our mouths are: I bet John $50 that Donald J. Trump will be suspended or banned from Twitter by the end of the year in which he leaves office.

There’s a lot of news in the Roundup. David Kris explains the background of the first CLOUD Act agreement that may be signed this year with the UK.

Nate Jones and I ask, “What is the president’s beef with CrowdStrike, anyway?” And find a certain amount of common ground on the answer.

This Week in Counterattacks in the War on Terror: David and I recount the origins and ironies of Congress’s willingness to end the NSA 215 phone surveillance program. We also take time to critique the New York Times’s wide-eyed hook-line-and-sinker ingestion of an EFF attack on the FBI’s use of National Security Letters.

Edward Snowden’s got a new book out, and the Justice Department wants to make sure he never collects his royalties. Nate explains. I’m just relieved that I will be able to read it without having to shoplift it. And it seems to be an episode for challenges, as I offer Snowden a chance to be interviewed on the podcast—anytime, anywhere, Ed!

Matthew Heiman explains the latest NotPetya travail for FedEx: A shareholder suit alleging that the company failed to disclose how much damage the malware caused to its ongoing business.

Evan Abrams gives a hint about the contents of Treasury’s 300-page opus incorporating Congress’s overhaul of CFIUS into the CFR.

I credit David for inspiring my piece questioning how long end-to-end commercial encryption is going to last, and we note that even the New York Times seems to be questioning whether Silicon Valley’s latest enthusiasm is actually good for the world.

Matthew tells us that China may have a new tool in the trade war—or at least to keep companies toeing the party line: The government is assigning social credit scores to businesses. 

Finally, Matthew outlines France’s OG take on international law and cyber conflict. France opens up some distance between its views and those of the United States, but everyone will get a chance to talk at even greater length on the topic, as the U.N. gears up two different bodies to engage in yet another round of cyber-norm-building.

Download the 280th Episode (mp3). 

Direct download: TheCyberlawPodcast-280.mp3
Category:general -- posted at: 11:44am EDT

In our 279th episode of The Cyberlaw Podcast, the Blockchain Group takes over the podcast. Host Alan Cohn is joined by Gary Goldsholle, Will Turner and Evan Abrams to discuss:

  • The SEC has issued its second token-related no-action letter to Pocketful of Quarters, Inc., giving more guidance and opening a number of issues.
  • The SEC has brought a double-headed complaint against ICOBOX, an entity that both conducted an initial coin offering (ICO) and facilitated ICOs for others.
  • The US has brought the Financial Action Task Force along on its travel rule adventure.
  • The SEC and FINRA have custody guidance.
  • FinCEN has guidance on convertible virtual currencies.
  • The SEC has brought a complaint against FantasyCoin for what amounts to sheer, brazen fraud.
  • The SEC settlement in SimplyVital Health, with Steptoe as counsel, shows the SEC’s willingness to work with companies that voluntarily remediate errors.

Download the 279th Episode (mp3).

Direct download: TheCyberlawPodcast-279_1.mp3
Category:general -- posted at: 6:46pm EDT

Joel Trachtman thinks it’s a near certainty that the World Trade Organization agreements will complicate U.S. efforts to head off an Internet of Things cybersecurity meltdown, and there’s a real possibility that a U.S. cybersecurity regime could be held to violate our international trade obligations. Claire Schachter and I dig into the details of the looming disaster and how to avoid it.

In the news, Paul Rosenzweig analyzes the Ninth Circuit holding that scraping publicly available information doesn’t violate the CFAA.

The California legislature has adjourned, leaving behind a smoking ruin where Silicon Valley’s business models used to be. Mark MacCarthy elaborates: One new law would force companies like Uber and Lyft (and a boatload more) to treat workers as employees, not contractors. Another set of votes has left the California Consumer Privacy Act more or less unscathed as its 2020 effective date looms. Really, it’s beginning to look as though even California hates Silicon Valley. 

Klon Kitchen and I discuss the latest round of U.S. sanctions on North Korean hacking groups. The sanctions won’t hit anyone in North Korea, but they might affect a few of their enablers on the Internet. The real question, though, is this: Since sanctions violations are punishable even when they aren’t intentional, will U.S. companies whose money is stolen by the Lazarus Group be penalized for having engaged in a prohibited transaction with a sanctioned party? Maybe the Lazarus Group should steal a license too, just to be sure. 

Klon also lays out in chilling detail what the Russians were really trying to do to Ukraine’s grid—and the growing risk that someone is going to launch a destructive cyberattack that leads to a cycle of serious real-world violence. The drone attack on Saudi oil facilities shows how big that risk can be. 

Paul examines reports that Israel planted spy devices near the White House. He thinks it says more about the White House than about Israel.

Paul also reports on one of the unlikelier escapades of students from his alma mater: Trading 15 minutes at the keyboard for a lifetime of trouble on their permanent records. The lesson? If you try to access the president’s tax data online, you’re going to jail, prank or not.

I walk back the deepfake voice scam story, but Klon points out that it reflects a future that is coming for us soon, if not today.

Proving the old adage about a fool for a lawyer, the Mar-a-Lago trespasser has been found guilty after an ineffective pro se defense.

Klon digs into the long and thoughtful op-ed by NSA’s Glenn Gerstell about the effects of the “digital revolution” on national security.

I note the recent Carnegie report trying to move the encryption debate forward. I also plug my upcoming speech in Israel on the topic. 

Download the 278th Episode (mp3).

Direct download: TheCyberlawPodcast-278.mp3
Category:general -- posted at: 9:52pm EDT

Camille Stewart talks about a little-known national security risk: China’s propensity to acquire U.S. technology through the bankruptcy courts and the many ways in which the bankruptcy system isn’t set up to combat improper tech transfers. Published by the Journal of National Security Law & Policy, Camille’s paper is available here. Camille has enjoyed great success in her young career working with the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies, as a Cybersecurity Policy Fellow at New America, and as a 2019 Cyber Security Woman of the Year, among other achievements. We talk at the end of the session about life and advancement as an African American woman in cybersecurity.

Want to hear more from Camille on this topic? She’ll be speaking Friday, Sept. 13, at a lunch event hosted by the Foundation for Defense of Democracies (FDD). She’ll be joined by fellow panelists Giovanna Cinelli, Jamil Jaffer and Harvey Rishikof, along with moderator Dr. Samantha Ravich. The event will be livestreamed at www.fdd.org/events. If you would like to learn more about the event, please contact Abigail Barnes at FDD. If you are a member of the press, please direct your inquiries to press@fdd.org.

In the News Roundup, Maury Shenk tells us that UK courts have so far resisted a sustained media narrative that all facial recognition tech is inherently evil. Americans seem to agree, Matthew Heiman notes, since a majority trust law enforcement to use it responsibly. Which is more than you can say for Silicon Valley, which only 36 percent of Americans trust with the technology.

Mieke Eoyang and I talk about the Department of Homeland Security’s plan to use fake identities to view publicly available social media postings and the conflict with social media sites’ terms of service. I am unsympathetic, given the need for operational security in conducting such reviews, but we agree that DHS is biting off more than it can chew, especially in languages other than English. But really, DHS, how clueless can you be when your list of social media to be scrutinized includes three-years-dead Vine but not TikTok, which Mieke notes ironically is “what all the kids are using these days.”

Maury brings us up to speed on EU plans for the tech sector, which will be familiar to Brits contemplating the EU’s plan for them. And speaking of EU hypocrisy and incoherence (we were, weren’t we?), Erin Egan of Facebook has written a paper on data portability that deserves more attention, since it’s impossible to square the EU’s snit over Cambridge Analytica with its sanctifying of the principle of “data portability.” The paper also calls out the Federal Trade Commission for slamming Facebook for Cambridge Analytica while Commissioner Noah Phillips is warning that restrictions on data transfers can be anticompetitive. I promise to invite the commissioner on the podcast again to explore that issue.

Well, that was quick: Fraudsters used AI to mimic a CEO’s voice—accent, “melody” and all—in an unusual cybercrime case. Anyone can do this now, Maury explains. I tell listeners how to tell whether my voice has been AI-napped in future episodes.

In short hits, Mieke and I mock Denmark’s appointment of an “ambassador” to Silicon Valley. Way to cut the Valley down to size, Denmark! Maury notes that FinFisher is under investigation for violating EU export control law by selling spyware. Mieke does her best to rebut my suggestion that Silicon Valley’s bias is showing in the latest actuarial stat: It turns out that 10 percent of the accounts that President Trump has retweeted have been deplatformed. Matthew and I note that China has been caught hacking several Asian telecom companies to spy on Uighurs. Of course, if the U.S. had 5,000 citizens fighting for the Islamic State and al-Qaeda, as China claims to have, we’d probably be hacking all the same companies. State attorneys general will launch sweeping and apparently bipartisan antitrust probes into Facebook and Google this week. Good to see Silicon Valley bringing Rs and Ds together at last; who says its business model is social division? Finally, Mieke leaves us uneasy about the online security of our pensions, as hackers steal $4.2 million from one fund via compromised email.

Download the 277th Episode (mp3). 

Direct download: TheCyberlawPodcast-277.mp3
Category:general -- posted at: 5:58pm EDT

In this bonus episode of the Cyberlaw Podcast, Alex Stamos of Stanford’s Freeman Spogli Institute talks about the Institute’s recent paper on the risk of Chinese social media interference with Taiwan’s upcoming presidential election. It’s a wide-ranging discussion of everything from a century of Chinese history to the reasons why WeChat lost a social media competition in Taiwan to a Japanese company. Along the way, Alex notes that efforts to identify foreign government election interference have been seriously degraded by (what else?) privacy law, mixed with fear of commercial consequences when China is the attacker. If companies make data about foreign government and “inauthentic” users public, the risk of liability under GDPR as well as Chinese retaliation is real, and the benefits go more to the nation as a whole rather than to the companies taking the risk.

During the interview, Alex references a paper co-authored by his colleague, Jennifer Pan, regarding the “50c party.” You can find that paper here. He also mentions his recent op-ed in Lawfare, which you can find here.

Download the 276th Episode (mp3).

Direct download: TheCyberlawPodcast-276.mp3
Category:general -- posted at: 11:28pm EDT

And we’re back with an episode that tries to pick out some of the events of August that will mean the most for technology law and policy this year. Dave Aitel opens, telling us that Cyber Command gave the world a hint of what “defending forward” looks like with an operation that is claimed to have knocked the Iranian Revolutionary Guard’s tanker attacks for a long-lasting loop. 

David Kris lifts the curtain on China’s approach to information warfare, driven by the Hong Kong protests and its regional hegemonic ambitions. 

Speaking of China, it looks as though that government’s determination to bring the Uighur population to heel led it to create a website devoted to compromising iPhones, in the process disclosing a few zero-days and compromising anybody who viewed the site. Dave Aitel teases out some of the less obvious lessons. He criticizes Apple for not giving security-minded users the tools they need to protect themselves. But he resists my suggestion that the FBI, which first flagged the site for Google’s Project Zero, went to Google because Apple wasn’t responsive to the Bureau’s concerns. (Alternative explanation: If you embarrass the FBI in court, don’t be surprised if they embarrass you a few years later.)

The lesson of the fight over Chinese disinformation about Hong Kong on Twitter and Facebook and the awkwardness of Apple’s situation when faced with Chinese hacking is that the U.S.-China trade war is a lot more than a trade war. It’s a grinding, continental decoupling drift that the trade war is driving but which the Trump Administration probably couldn’t stop now if the president wanted to. We puzzle over exactly what the president does want. Then I shift to mocking CNN for Trump derangement and inaccuracy (yes, it’s an easy target, but give me a break, I’ve been away for a month): Claims that the president couldn’t “hereby order” U.S. companies to speed their decoupling from China are just wrong as a matter of law. In fact, the relevant law, still in effect with modest changes, used to be called the Trading with the Enemy Act. And it’s been used to “hereby order” the decoupling of the U.S. economy from countries like Nazi Germany, among others. Whether such an order in the case of China would be “lawful but stupid” is another question.

August saw more flareups over alleged Silicon Valley censorship of conservative speech. Facebook has hired former Sen. Kyl to investigate claims of anti-conservative bias in its content moderation, and the White House is reportedly drafting an executive order to tackle Silicon Valley bias. I ask whether either the FTC or FCC will take up their regulatory cudgels on this issue and suggest that Bill Barr’s Justice Department might have enough tools to enforce strictures against political bias in platform censorship. 

We close with the most mocked piece of tech-world litigation in recent weeks – Crown Sterling’s lawsuit against BlackHat for not enforcing its code of conduct while the company was delivering a widely disparaged sponsored talk about its new crypto system. Dave Aitel, who runs a cybersecurity conference of his own, lays out the difficulties of writing and enforcing a conference code of conduct. I play Devil’s Advocate on behalf of Crown Sterling, and by the end, Dave finds himself surprised to feel just a bit of Sympathy for the Devil.

Download the 275th Episode (mp3).

Direct download: TheCyberlawPodcast-275.mp3
Category:general -- posted at: 11:36am EDT

Our guests this week are Paul Scharre from the Center for a New American Security and Greg Allen from the Defense Department’s newly formed Joint Artificial Intelligence Center. Paul and Greg have a lot to say about AI policy, especially with an eye toward national security and strategic competition. Greg sheds some light on the Defense Department’s activity, and Paul helps us understand how the military and policymakers are grappling with this emerging technology. But at the end of the day, I want to know: Are we at risk of losing the AI race with China? Paul and Greg tell me not all hope’s lost—and how we can retain technological leadership.

In what initially seemed like a dog-bites-man story, Attorney General Barr revived the “warrant-proof” encryption debate. He brings some thoughtful arguments to the table, including references to proposals by GCHQ, Ray Ozzie and Matt Tait. Nick Weaver is skeptical toward GCHQ’s proposal. But what really flew under the radar this week was Facebook’s apparent plan to drastically undermine end-to-end encryption by introducing content moderation to its messaging services. I argue that Silicon Valley is so intent on censoring its users that it is willing to sacrifice confidentiality and security (at least for anyone to the right of George W. Bush). News Roundup newcomer Dave Aitel thinks I’m wrong, at least in my attribution of Facebook’s motivations.

Mieke Eoyang, another News Roundup newcomer, brings us up to date on all the happenings in election security. Bob Mueller’s testimony brought Russian election meddling to the fore. His mistake, I argue, was testifying first to the hopelessly ideological House Judiciary Committee. Speaking of Congress, Mieke notes that the Senate Intel Committee released a redacted report finding that every state was targeted by Russian hackers in the 2016 election—and argues that we’re still not prepared to handle their ongoing efforts.

Congress is attempting to create a federal election security mandate through several different election security bills, but they likely will continue to languish in the Senate, despite what Mieke sees as a bipartisan consensus. Not all hope is lost, though. Director of National Intelligence Dan Coats, now on his way out, has established a new office to oversee and coordinate election security intelligence. Nick adds an extra reason to double down on election security: How else will we be able to convince the loser that he is indeed the loser?

In other news, NSA is going back to the future by establishing a new Cybersecurity Directorate. Dave tries to shed some light on the NSA’s history of reorganizations and what this new effort means for the Agency. Dave and I think there’s hope that this move will help NSA better reach the private sector—and even give the Department of Homeland Security a run for its money.

I also offer Dave the opportunity to respond to critics who argued that his firm, Immunity Inc., was wrong to include a version of the BlueKeep exploit in its commercial pentesting software. The long and the short of it: If a vulnerability has been patched, then that patch gives an adversary everything they need to know to exploit that vulnerability. It only makes sense, then, to make sure your clients are able to protect themselves by testing exploits against that vulnerability.

Mieke brings us up to speed on the cybercrime blotter. Marcus Hutchins, one of Dave’s critics, pleaded guilty to distributing the Kronos malware but was sentenced to time served thanks in part to his work to stop the spread of the WannaCry ransomware. Mieke says that Hutchins’s case is a good example that not all black hat hackers are irredeemable. I note that it was good for him that he made his transition before he was arrested. Dave and Nick support the verdict while lamenting how badly hackers are treated by U.S. law. 

We round out the News Roundup with quick hits: Facebook had a very bad week, not least because of the multibillion dollar fine imposed by the FTC; the Department of Justice is going to launch a sweeping antitrust investigation into Big Tech; there was a wild hacking conspiracy in Brazil involving cell phones and carwashes; Equifax reached a settlement with the FTC regarding its epic data breach. Speaking of which, we make a special offer to loyal listeners who can learn whether they are eligible to claim a $125 check (or free credit monitoring, if you really prefer). Just go here, and be sure to tell them the Cyberlaw Podcast sent you. Oh, and an anti-robocall bill finally made it through both houses of Congress.


Download the 274th Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-274.mp3
Category:general -- posted at: 10:11pm EDT

Today, I interview Frank Blake, who as CEO brought Home Depot through a massive data breach. Frank is a former co-clerk of mine; a former deputy secretary of energy; and the current host of Crazy Good Turns, a podcast about people who have found remarkable, even crazy, ways to help others. In addition to his insights on what it takes to lead an organization, Frank offers his views on how technology can transform nonprofit charitable initiatives. Along the way, he displays his characteristic sense of humor, especially about himself.

In the News Roundup, I ask Matthew Heiman if Google could have had a worse week in Washington. First Peter Thiel raised the question of whether it’s treasonous for the company to work on AI with Chinese scientists, not the U.S. Defense Department, and then Richard Clarke, hardly a conservative, says he agrees with the criticism. Inevitably, President Trump weighed in with a Thiel-supporting tweet. Meanwhile, on the Hill, Google’s VP says the company has “terminated” Project Dragonfly, an effort to build a search engine that the Chinese government would approve. But that doesn’t prevent conservatives from lambasting the company for bias against conservatives and an unfair subsidy in the form of Section 230 of the Communications Decency Act. The only good news for Google is that, despite all the thunder, no lightning has yet struck. Or so we thought for about five minutes, at which time Gus Hurwitz noted that Google is likely to face multimillion-dollar fines in a Federal Trade Commission investigation of child Internet privacy violations, not to mention a rule-making designed to increase the probability of future fines.

Speaking of which, European lightning struck Amazon this week in the form of new competition law scrutiny. Gus offers skepticism about the EU’s theory, over my counter-skepticism.

Nick Weaver is astonished at the way Julian Assange managed to turn the Ecuadorian embassy into a fist-fighting, feces-smearing, election-meddling command post.

Nick also predicts that Kazakhstan will lose its war with Silicon Valley browser makers over a man-in-the-middle root certificate the Kazakh government is forcing its citizens to install, which lets it intercept and read their encrypted browsing.
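The practical question behind that fight is how a browser refuses a root once it has been pushed into the system trust store. The usual answer is to blocklist the root's SubjectPublicKeyInfo (SPKI) hash rather than the certificate itself, because a pin on the public key still matches if the certificate is re-issued under a new serial number or name, while a whole-certificate fingerprint does not. The following is an added example, not code from the podcast or from any browser vendor: a hand-rolled DER encoder builds three toy, unsigned certificate skeletons (the key bytes, dates and empty names are constructed and meaningless), a minimal DER reader walks the structure to the SPKI, and the pin is computed in the standard base64(SHA-256(DER SPKI)) form.

```python
"""Blocklisting an interception root by SPKI pin (added example, constructed data)."""
import base64
import hashlib

# --- minimal DER encoder: just enough to build a Certificate skeleton -------

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80 | nbytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))

def integer(n: int) -> bytes:
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:               # keep the value positive
        body = b"\x00" + body
    return der(0x02, body)

def bit_string(data: bytes) -> bytes:
    return der(0x03, b"\x00" + data)  # zero unused bits

OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
ALG_RSA = seq(der(0x06, OID_RSA), b"\x05\x00")
ALG_SIG = seq(der(0x06, OID_SHA256_RSA), b"\x05\x00")

def utc_time(s: str) -> bytes:
    return der(0x17, s.encode())

def toy_cert(serial: int, key: bytes) -> bytes:
    """Unsigned X.509 v3 skeleton (constructed): enough structure for the SPKI walk."""
    tbs = seq(
        der(0xA0, integer(2)),                          # [0] EXPLICIT version v3
        integer(serial),
        ALG_SIG,
        seq(),                                          # issuer Name, left empty
        seq(utc_time("190701000000Z"), utc_time("290701000000Z")),
        seq(),                                          # subject Name, left empty
        seq(ALG_RSA, bit_string(key)),                  # SubjectPublicKeyInfo
    )
    return seq(tbs, ALG_SIG, bit_string(b"\x00" * 8))  # dummy signature value

# --- minimal DER reader ------------------------------------------------------

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, end_offset) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length

def children(body: bytes):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, off = [], 0
    while off < len(body):
        start = off
        tag, value, off = read_tlv(body, off)
        out.append((tag, value, body[start:off]))  # raw TLV is what gets hashed
    return out

def spki_der(cert: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (raw DER)."""
    _, cert_body, _ = read_tlv(cert)
    _, tbs_body, _ = children(cert_body)[0]
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:          # optional [0] version is present
        fields = fields[1:]
    # order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, _, raw = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return raw

def spki_pin(cert: bytes) -> str:
    """HPKP / Chrome pin form: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

def cert_fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

# --- constructed inputs: an interception root, a re-issue of it, and a bystander
INTERCEPT_KEY = bytes(range(32))
INTERCEPT_ROOT = toy_cert(1, INTERCEPT_KEY)
REISSUED_ROOT = toy_cert(2, INTERCEPT_KEY)        # same key, new serial/certificate
OTHER_ROOT = toy_cert(3, bytes(range(32, 64)))

BLOCKLIST = {spki_pin(INTERCEPT_ROOT)}

def is_blocked(cert: bytes, blocklist=BLOCKLIST) -> bool:
    return spki_pin(cert) in blocklist

if __name__ == "__main__":
    for name, c in [("intercept", INTERCEPT_ROOT), ("reissued", REISSUED_ROOT), ("other", OTHER_ROOT)]:
        print(f"{name:9} fp={cert_fingerprint(c)[:16]}.. pin={spki_pin(c)} blocked={is_blocked(c)}")
```

The re-issued root has a different certificate fingerprint but the same SPKI pin, so a blocklist keyed on the pin still catches it; that is the property that makes key-based pinning the right unit for this kind of refusal. Against a real trust store the same walk applies to the DER of each installed root.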

And in short hits, Gus questions whether $650 million is a harsh settlement of Equifax’s data breach liability; Nick closes the books on NSA hoarder Hal Martin’s 9-year prison sentence; and Nick explains the latest doxing of an intelligence agency—this time a contractor for the Russian FSB.


Download the 273rd Episode (mp3).


Direct download: TheCyberlawPodcast-273.mp3
Category:general -- posted at: 1:02pm EDT