The Cyberlaw Podcast

What good is CISA, anyway?

Now that both the House and Senate have passed information sharing bills that are strikingly similar but not identical, the prospects for a change in the law are good. But what are those changes, and how much difference will they make to network defenders?

That’s the topic we explore in episode 87 with our guest, Ari Schwartz. Ari has just finished a tour as senior director for cybersecurity on the United States National Security Council Staff at the White House. He and I and Alan Cohn go deep into the weeds so you won’t have to. Our conclusion? The main value of the bill is that it frees some companies from aging privacy rules that prevented information sharing with groups that include the government. It also enables companies to monitor their networks without fear of liability under even older privacy laws preventing interception of communications without all parties’ consent. The other lesson to be drawn from the bill is that privacy groups are still something of a paper tiger without business support. More than seventy senators voted for CISA over the bleeding bodies of every privacy group in the country.

In other news, Maury Shenk and I unpack the latest claim that the US and EU have agreed in principle on a deal to replace the Safe Harbor struck down by the European Court of Justice. We’re profoundly skeptical that a deal will be reached quickly, or that it will actually give companies much in the way of safety. 

Jason Weinstein provides a blow-by-blow recounting of the fight between Apple and the Justice Department. The real question is whether Magistrate Judge Orenstein will call the fight for Apple before the defendant is sentenced. We think he will.

Also in the category of “Put me in the newspaper, I’m a pro-privacy judge,” the Fourth Circuit panel that insisted on a warrant for historical cell tower location data had better enjoy their fifteen minutes of fame now. Their opinion is going to be reviewed en banc – and Jason and I are betting it won’t survive.

Finally, it looks as though privacy groups didn’t just waste money asking the Second Circuit to block the last month of the section 215 bulk collection program. They actually managed to effectively overrule the only court of appeals decision finding the program unlawful. In rejecting the privacy campaigners’ motion for an injunction, the Second Circuit declared that Congress had knowingly authorized it and therefore that it no longer violated the relevant statute. Pyrrhus salut.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_87.mp3
Category:general -- posted at: 4:58pm EST

Are Russian hacker-spies a bunch of lethargic government drones more interested in smash-and-grabs than stealth? That’s one of the questions we pose to Mikko Hypponen in episode 86 (right after we ask about how to pronounce his name; turns out, that’s harder than you think). Mikko is the Chief Research Officer at F-Secure and a long-time expert in computer security who has spoken and consulted around the world for over 20 years. His company recently published a lengthy paper on Russian government cyberspies, which F-Secure calls “the Dukes.” Mikko describes the Dukes’ targets and tactics, including a remarkably indiscriminate attack on a Tor exit node. I press him on whether attribution is really getting better, and on whether F-Secure’s paper eases or heightens concerns about Kaspersky’s ties to Russian intelligence.

Mikko also joins us for the news roundup, where we do a damage assessment from the ECJ’s Safe Harbor demolition and I critique Brad Smith’s implausible solution to the transatlantic data rift. We explain why Israel has decided to cut off data transfers to the U.S. (hint: it’s not concerns about aggressive counterterror surveillance). 

And I wonder whether the House of Representatives passage of the Judicial Redress Act makes Jim Sensenbrenner the abused spouse of the European Commission (“I was going to give you this nice cause of action for your citizens when you slapped me upside the head with the Safe Harbor ruling. So, uh, here it is anyway. Now do you love me?”).

CISA comes to the floor at last. I scope the pending amendments. Two of them would greatly increase the “privacy tax” on information sharing; the only good thing about Senators Wyden and Heller’s proposals is how much business it will create for lawyers. Senator Franken has an amendment that strips the mask from the privacy lobby. The privacy groups that support the Franken amendment aren’t just pro-privacy, they’re anti-security. The amendment would prevent companies from sharing information that might disclose a security risk and require instead an individualized determination that the signature makes a compromise “reasonably likely.” The fight over the Cotton amendment to allow sharing with the FBI or Secret Service rather than DHS, meanwhile, looks like a turf fight disguised as a privacy issue.

In other news, we absolve CIA director Brennan of accusations of bad security in his email hack. And in the back of the paper, where the dog-bites-man stories go, CrowdStrike finds that Chinese cyberspies haven’t yet stopped stealing commercial secrets.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_86.mp3
Category:general -- posted at: 4:28pm EST

Want to see cyber attribution and deterrence in action? In August, a hacker pulled the names of US military personnel and others out of a corporate network and passed them to ISIL. British jihadist Junaid Hussain exulted when ISIL released the names. “They have us on their ‘hit list,’ and we have them on ours too…,” he tweeted. On the whole, I’d rather be on theirs. Two weeks after his tweet, Hussain was killed in a US airstrike, and two months after that, the hacker was arrested in Malaysia (subscription required) on a US warrant.

We explore that story and more with Gen. Michael Hayden, the only person to serve as both Director of the National Security Agency and of the Central Intelligence Agency. Gen. Hayden explains why he differs with FBI Director Comey on encryption and with the European Court of Justice on whether the US sufficiently respects privacy rights, along with other topics.

Our news roundup dwells again on the ECJ’s decision and the Article 29 Working Party press release on the decision, a release characterized by far more bold font than bold thinking. In other news, magistrates are revolting again, or maybe still, as Magistrate Judge Orenstein hints that Apple’s desire to thwart law enforcement should trump law enforcement’s interest in getting evidence off a locked phone.

Cyber insurance rates are rising, raising questions about who should be covered and whether insurance companies will do the security regulating the government is reluctant to do.

Meanwhile, we’re treated to dueling Wassenaar leaks from government. State says the intrusion software language will be revised not rewritten, while Commerce insists nothing is decided (subscription required). There’s really nothing like the last year of an administration, when every agency has its own policy agenda – and apparently its own spin room. If there were any doubt about whether Commerce is right to want an explanation from the Europeans about how (or, more accurately, whether) they’re enforcing this provision, Citizen Lab provides it with a new report showing that the surreptitious access tool sold by Europe’s FinFisher is present in more than 30 countries, not all of whose civil liberties laws meet a standard set by the United States – or even the lower bar set by the European Union.

Direct download: Podcast_85.mp3
Category:general -- posted at: 11:08am EST

In episode 84 our guest is Jack Goldsmith, Professor at Harvard Law School, a Senior Fellow at the Hoover Institution at Stanford University, and co-founder of the Lawfare blog. Before coming to Harvard, he served as Assistant Attorney General, Office of Legal Counsel and as Special Counsel to the Department of Defense. From cyberespionage to the right to be forgotten and the end of the Safe Harbor, we explore the many ways in which a globalized economy has tied the US government’s hands in cybersecurity matters – and subjected the United States to extensive extraterritorial “soft power” at the hands of Europeans. 

In the news roundup, the headline news is the continuing fallout from the ECJ’s attack on the Safe Harbor. Michael Vatis and Maury Shenk bring us up to date. Jason Weinstein explains why the latest convicted hacker thinks he should be a civil liberties hero/victim – and why weev is every bit the loathsome troll we thought he was when he went to prison.

Michael Vatis explains DOD’s latest cybersecurity rules for contractors. We conclude that DOD is boldly going where no agency has gone before – mandating cybersecurity with traditional command and control regulation. It’s an experiment that many will be watching.

And in another turnabout, banks have discovered the joys of bringing a plaintiffs’ class action – against Target for its credit card breach. We ask whether this means they’ll join the plaintiffs’ bar to oppose further class action reform. Jason also explains the latest ruling in a data breach claim against Coca Cola.

And the White House has made a decision on whether to seek legislation on law enforcement access to encryption. The memo offered three options:

  1. Don’t seek legislation and brag about it.
  2. Don’t seek legislation and keep hoping for help from Silicon Valley.
  3. Continue the current course of not seeking legislation.

To no one’s surprise, the White House has chosen not to seek legislation.

Also to no one’s surprise but almost everyone’s embarrassment, Judge Leon is still stumping relentlessly after his white whale, the NSA section 215 program, crying “You can’t die! I haven’t had a chance to kill you yet!” It looks like the program won’t be the only thing put out of its misery by the end of November.

Speaking of which, our intro music has been put out of its misery after 83 episodes and not a few complaints. Thanks to all who voted to help us choose a new theme song. And thanks especially to Jason Weinstein’s son, who won the contest going away.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_84.mp3
Category:general -- posted at: 3:26pm EST

Bruce Schneier joins Stewart Baker and Alan Cohn for an episode recorded live in front of an audience of security and privacy professionals.  Appearing at the conference Privacy. Security. Risk. 2015., sponsored by the IAPP and the Cloud Security Alliance, Bruce Schneier talks through recent developments in law and technology.

The three of us stare into the pit opened by an overwrought (and overdue and overweening) European Court of Justice advisor. If the European Court of Justice follows his lead (and what seems to be its inclinations), we could face a true crisis in transatlantic relations.

VW’s decision to hack its own emissions control software leads to a deep dive into the internet of things that lie to us, the value (or not) of open source, and whether plausible deniability is the next skill that programmers will have to learn.

We also talk China, the OPM hack, and the unique value and unique vulnerability of biometric authenticators. Bruce and Alan dig into the proposed export control rules for intrusion software; when they’re done, so is the case for the rules. The right to be forgotten leads to an exploration of when we should delegate law-making to private companies. I promise a detailed analysis in the future of Google’s law-making to date, and hint that it will not make us more fond of private and hidden law making.

Finally, I ask a hard question about Edward Snowden that no one has asked since he first burst on the scene: Is he so in the tank for the Digital Millennium Copyright Act that he can’t imagine intelligent life anywhere in the universe without it?

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.  More importantly, we need feedback on whether to replace our theme music, and with what.  Please take a listen to the samples at www.steptoe.com/cybermusic and vote for your favorite.  Voting closes on October 9.

Direct download: Podcast_83.mp3
Category:general -- posted at: 12:38pm EST

Cyberlaw negotiations are the theme of episode 82, as the US and China strike a potentially significant agreement on commercial cyberespionage and Europeans focus on tearing up agreements with the US and intruding on US sovereignty.

Our guest for the episode is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies.  Most importantly, Jim is one of the most deeply informed and insightful commentators on China and cybersecurity.  He offers new perspectives on the Obama-Xi summit and what it means for cyberespionage.

Meanwhile, the news roundup is full of flamboyant European attacks on US sovereignty and US agreements with Europe.  In a pending case involving Facebook, a highly influential advisor to the European Court of Justice has fired both barrels pointblank at the Safe Harbor privacy agreement with the United States.  First, he concludes that any data protection authority is free to defy the primacy of Brussels and refuse to give effect to the EU’s determination that US practices under the Safe Harbor are “adequate” for data transfer purposes.  Second, he concludes that US practices are not adequate because section 702 of the Foreign Intelligence Surveillance Act and other US law permits intelligence collection of European data on a mass scale.  Maury Shenk and I agree that, if followed by the Court, this will be an enormous problem for the transatlantic relationship.  I wonder why we’re giving Europeans the protection of the Privacy Act when their institutions are actively seeking to thwart one of our most effective counterterrorism intelligence programs.

Not to be outdone, Paris put the boot in as well, telling Google that censoring search results on google.fr was not enough.  The right to be forgotten had to be extended to google.com, so that Americans and the rest of the world could be censored at the command of privacy bureaucrats in France’s data protection authority.  Maury and I identify the biggest unanswered question:  Has Google already started to censor its .com search results?

And India seems intent on playing on both sides of the US debate over encryption and lawful access.  After coming down hard for Jim Comey’s side in a draft regulation, Michael Vatis and I note, the Indian government has had a change of heart, withdrawing the draft while leaving uncertain what will replace it.

Finally, in one piece of domestic news, Jason Weinstein unpacks a ruling that refuses to enforce an SEC demand for the passcodes needed to unlock phones.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.  More importantly, we need feedback on whether to replace our theme music, and with what.  Please take a listen to the samples at www.steptoe.com/cybermusic and vote for your favorite.  Voting closes on October 9.

Direct download: Podcast_82.mp3
Category:general -- posted at: 6:18pm EST

Episode 81 features China in the Bull Shop, as the White House prepares for President Xi’s visit and what could be ugly talks on cyber issues. Our guest commentator, Margie Gilbert, is a network security professional with service at NSA, CIA, ODNI, Congress, and the NSC. Now at Team Cymru, she’s able to offer a career’s worth of perspective on how three Presidents have tried to remedy the country’s unpreparedness for network intrusions.

In the news roundup, there’s a high likelihood that President Obama will be accusing and Xi will be denying China’s role in cyberespionage. You might say it’s a “he said, Xi said” issue. Alan Cohn and I debate whether the US should settle for a “no first use” assurance to protect critical infrastructure in peacetime.  

On encryption, the White House (and Silicon Valley) are certainly raising the issue’s visibility. But they aren’t necessarily persuading anyone who isn’t already persuaded. From MI5 to the NYDFS to the new Indian government, dissing strong encryption is a surprisingly popular pastime.

The never-ending saga of when email content can be obtained with something less than probable cause and a warrant seems to be winding down to a bizarre resolution. Agencies investigating terrorists and white collar fraud that costs consumers hundreds of millions will have to jump through the warrant hoop. Agencies looking to impose regulatory penalties or file civil claims will not. Michael Vatis, Jason Weinstein, and I wonder aloud whether this realpolitik accommodation between politicians who love civil liberties and politicians who hate banks will survive its internal contradictions.

After a decade of stutter-stepping, the EU is bailing on its own data retention law, leaving the issue, and the mess, to member states. Maury Shenk provides a definitive short analysis.

Elsewhere, Judge Leon gets the section 215 plaintiff he sought with everything short of a personal ad in Craigslist,  practically guaranteeing another storm of exclamation points in F.Supp. – followed by a lengthy proceeding to have his opinion vacated as moot.

In good news, a Heartland hacker pleads guilty. Jason Weinstein celebrates – as much as is seemly for someone involved in the case. And in a rare moment of humility, I confess to having learned something from listener criticism, as Robert Horn schools me on some of the lesser-known risks associated with health data breaches.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. More importantly, we need feedback on whether to replace our theme music; please take a listen to the samples at http://www.steptoe.com/cybermusic and vote for your favorite. Voting closes on October 9.

Direct download: Podcast_81.mp3
Category:general -- posted at: 11:28am EST

Still trying to dig out from under our hiatus backlog, we devote episode 80 to our regulars. We’ll bring back a guest next week. This week it’s a double dose of Jason Weinstein, Michael Vatis, Stewart Baker, and Congress-watcher Doug Kantor.

Michael offers an analysis of the Second Circuit’s oral argument in the Microsoft lawsuit over producing data stored in Ireland. The good news: it was a hot bench, deeply engaged, that let oral argument go to triple the usual length. The bad news for Microsoft: by far the hottest member of the panel was Judge Lynch, who made no secret of his deep opposition to Microsoft’s arguments. 

I offered a skeptical view of the US-EU umbrella “deal” on exchange of law enforcement data and the “Judicial Redress Act” that Congress seems ready to rush through in support of the agreement. The problem? It looks as though DOJ sold out the rest of government and much of industry. Justice promised to make the one change in US law the EU wants, granting Europeans a right of action under the Privacy Act, in exchange for, well, pretty much nothing except a bit of peace of mind for DOJ. Since the EU is more a receiver than sender of data, it already has a lot of leverage in data exchanges and there haven’t been many attempts to thwart the exchange of strictly criminal evidence. What the US really wants is for the EU to stop threatening the Safe Harbor, to stop penalizing US companies to pressure the US government about its use of data, and to guarantee that it isn’t holding the US to higher privacy standards than it imposes on EU governments. The DOJ-led negotiations got none of those concessions. And I’m willing to bet that the EU didn’t even give up the right to bitch, moan, and cut off data flows in the future if it doesn’t like how the umbrella applies. (On top of everything, the agreement is still under wraps, so the rush to praise and implement it is particularly imprudent.)

Michael and Jason deliberate on why Justice would obtain a text intercept order for Apple and then not react to the utterly predictable claim by Apple that it had no way to implement such an intercept. We note the further irony of Apple simultaneously defying the US government on privacy grounds while rushing to comply with Russia’s anti-privacy localization law.

The administration seems unable to impose sanctions on China’s cyberattackers or to stop talking about imposing sanctions on China’s cyberattackers. Sounds like a job for Stewart Baker! I offer my proposed sanctions for the Github attack, already laid out in detail here and here.

One barrier to sanctions may be the fear of hitting the wrong target, and in that regard, the Justice Department is wearing a full coat of egg after dropping its indictment of a purported Chinese spy amid allegations that it had simply misunderstood the technology in question. 

Doug Kantor offers a detailed and surprisingly upbeat assessment of the information-sharing bills’ chances for passage later this year. We also alert defense contractors to an expanded breach disclosure obligation.

And, finally, we decide to crowdsource the decision whether to keep our current theme music or to adopt one of three challengers. One of the candidates gets a heart-tugging endorsement from Jason that you’ll have to listen to the podcast to hear. Here’s the link to listen and vote for your favorite: www.steptoe.com/cybermusic.


The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_80.mp3
Category:general -- posted at: 10:51am EST

The cyberlaw podcast is back from hiatus with a bang. Our guest is Peter Singer, author of Ghost Fleet, a Tom Clancy-esque thriller designed to illustrate the author’s policy and military chops. The book features a military conflict with China that uses all the weapons the United States and China are likely to deploy in the next decade. These include China’s devilishly effective sabotage of the US defense supply chain, Silicon Valley’s deployment of a letter of marque, and some spot-on predictions of the likely response of our sometime allies. 

Episode 79 also recaps some of the most significant cyberlaw developments of the past month.

First, to no one’s surprise, the cybersecurity disaster just keeps getting worse, and the climate for victims does too: breach losses are being measured in the tens or even hundreds of millions of dollars, with a networking company losing $30 million and unlawful insider trading profits reaching $100 million.

Meanwhile, the courts are less than sympathetic. The Seventh Circuit cleared the way for a breach suit against Neiman Marcus, while the FTC and the Third Circuit were kicking Wyndham around the courtroom and down the courthouse steps. We wonder what exactly Wyndham did to earn the court’s ire. 

Next, we savor the “long, withdrawing, roar” of 215 metadata litigation, as privacy groups try with ever more desperation to pile a judicial ruling on top of their Congressional win. We ask what the hell the DC circuit’s splintered ruling means, and whether Judge Leon is really determined to jam still more exclamation points into the case despite its imminent mootness. (Answer from Judge Leon: Hell, yes!!!). Privacy groups are agitating for the Second Circuit to issue an injunction against the program. We ask: is that as dumb and violative of ordinary judicial procedures as it sounds? Stay tuned.

Finally, the messy fight over location data and the warrant requirement just won’t die, and may be metastasizing. Judge Koh and the Fourth Circuit say a warrant is needed for location data, revitalizing a circuit conflict that looked as though it was curing itself. Meanwhile, DOJ gets in the act, declaring as a matter of policy that federal use of stingrays needs a warrant. The result? Thousands of Baltimore cases could be at risk. Luckily, Jason Weinstein hints, most of those cases wouldn’t have yielded a conviction.


The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_79.mp3
Category:general -- posted at: 12:04pm EST

Bonus Episode 78: Dmitri Alperovitch, Harvey Rishikof, Stewart Baker, and Melanie Teplinsky debate whether the United States should start doing commercial espionage. 

I know, I know, we promised that the Cyberlaw Podcast would go on hiatus for the month of August.  But we also hinted that there might be a bonus episode.  And here it is, a stimulating panel discussion sponsored by the Atlantic Council and moderated by Melanie Teplinsky.  The topic is whether the United States should abandon its longstanding policy of refusing to steal the commercial secrets of foreigners to help American companies compete.  The discussion is lively, with plenty of disagreements and an audience vote at the start and finish of the discussion to gauge how persuasive we were.  Enjoy!


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Episode_78.mp3
Category:general -- posted at: 11:13am EST

Our guest for episode 77 is Bruce Andrews, the deputy secretary of the Commerce Department. Alan Cohn and I pepper Bruce with questions about export controls on cybersecurity technology, stopping commercial cyberespionage, the future of the NIST cybersecurity framework, and how we can get on future cybersecurity trade missions, among other things.

In the news roundup, Alan and I puzzle over the administration’s reluctance to blame China for its hacks of US agencies.

The furor over cybersecurity export controls continues unabated, with a couple of hundred hostile comments filed and Congress beginning to stir. Alan Cohn fills us in.

The UK high court ruling on data retention makes history but maybe only the most evanescent of law. Alan and I discuss whether the ruling will resemble Marbury v. Madison in more ways than one.

France finalizes expansion of surveillance. Bush administration figures come out against back doors. Cyberweek begins and, the cyber left hopes, ends without progress on CISA.

This Week in Prurient Cybersecurity: The first Ashley Madison subscriber is outed. And he’s Canadian. Looks like the nights really are longer up there. Ottawa apparently leads the world in percentage of would-be adulterers, followed by Washington, DC. No further comment seems necessary.

And Bloomberg says that the Chinese attempt to build a database on Americans didn’t begin with OPM or Anthem, but with the compromise of travel databases two years ago.

This time, Alan hints, the FTC may throw away the key, as it once again takes action against LifeLock. And the Seventh Circuit wades into the debate over how much harm a data breach plaintiff must suffer to have standing to sue.


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_77.mp3
Category:general -- posted at: 3:37pm EST

Episode 76 of the podcast features the power couple of privacy and cybersecurity, Peter Swire and Annie Antón, both professors at Georgia Institute of Technology. I question them on topics from the USA FREEDOM Act to the enduring gulf between writing law and writing code. 

In the news roundup, as our listeners have come to expect, we do indeed return to our recurring feature, This Week in Prurient Cybersecurity, with a riff on the Ashley Madison hack. But you’ll have to wait until the end, when we’re loosened up. 

We begin more soberly, with Jason Weinstein and Michael Vatis covering the courts’ mopping up after passage of the USA FREEDOM Act. The DC Circuit has received supplemental briefs on Section 215, and the ACLU is leading the hopeless charge against the 215 program in the Second Circuit.

The Hacking Team doxxing draws attention to the risk involved in hiring hackers. When they’re disgruntled, they don’t just slam the door on the way out. Still, Alan Cohn and I can’t help but be fascinated by the Hacking Team proposal to use drones to hover over the target, intercepting his Wi-Fi connection.

In regulatory news, Alan Cohn and Jason Weinstein discuss the FERC’s revisions to the CIP cybersecurity requirements, with a focus on supply chain practices, and a Boston hospital’s settlement of HIPAA charges, prompting me to ask whether HHS’s Office of Civil Rights is the most hypocritically aggressive privacy regulator in government.

Russia’s Right to Be Forgotten law is signed, after further tweaks. And Google announces that it has officially tipped more than one million links into the dustbin of history.

I respond to listener feedback by walking back my mockery of Tony Scott’s “TLS Everywhere” initiative, noting that it might have some modest security benefits after all. Instead of “privacy theater” perhaps I should have called it a “privacy skit.” And as attribution gets better, so does the temptation to fly false flags. It looks as though the Russians will pioneer this particular development, attacking US sites under the nom de guerre of the Cyber Caliphate. And the US government response to the Russian attacks? A predictable silence.


As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_76.mp3
Category:general -- posted at: 4:29pm EST

Bitcoin and the blockchain – how do they work and what do they mean for financial and government services and for consumers? And who holds massive stores of bitcoin that can’t be spent without solving one of the great financial mysteries of our time? Our guest for episode 75 is Michael Casey, former senior columnist for the Wall Street Journal and – as of last week – senior advisor at the MIT Media Lab’s Digital Currency Initiative. Michael is also the author, along with his former Wall Street Journal colleague Paul Vigna, of The Age of Cryptocurrency:  How Bitcoin and Digital Money Are Challenging the Global Economic Order. Alan Cohn and Jason Weinstein interview him about bitcoin and its underestimated enabling technology, the blockchain.

In the news roundup, Meredith Rathbone, Alan Cohn, and I dive into the Commerce Department’s sweeping proposal for new regulation of the cybersecurity industry under the Wassenaar arrangement. With comments due on July 20, security companies are beginning to identify a host of unintended regulatory consequences.

The FBI and Justice Department had a surprisingly good week complaining about technologists’ deployment of ubiquitous unbreakable encryption. A group of cryptographers offered a contrary view, and I critiqued their position in the roundup and in a blog post.

Hacking Team was itself hacked, with its internal correspondence spread across the internet. One quick lesson: if anyone is expecting export controls to stop sales of hacking tools to repressive regimes, they aren’t paying attention to the Italian government’s licensing policies.

Finally, the right to be forgotten looks like a bad idea whose time has come. Jason doubts that Consumer Watchdog will succeed in smuggling the right to be forgotten into the FTC Act, perhaps because the act is already bulging at the seams. Canadian courts, in contrast, seem happy to impose their speech rules on Americans – whether or not Canadian courts have, you know, jurisdiction over the Americans.

Direct download: Episode_75.mp3
Category:general -- posted at: 4:30pm EST

Our guest commentator for episode 74 is Catherine Lotrionte, a recognized expert on international cyberlaw and the associate director of the Institute for Law, Science and Global Security at Georgetown University.  We dive deep on the United Nations Group of Government Experts, and the recent agreement of that group on a few basic norms for cyberspace.  Predictably, I break out in hives at the third mention of “norms” and default to jokes about “Cheers.”

In the news roundup, Michael Vatis and I sort through China’s ever-growing list of vague laws expressing determination to control technology for security purposes.  Jason Weinstein explains the FTC’s settlement with the makers of a stealthy digital currency mining app.  He and Michael also note the remarkably belated filing of a class action arising from the Anthem hack – and cast doubt on whether the class can be sustained.

Speaking of class actions, the OPM hack has also led to litigation.  All the Cyberlaw commentators are in the class, and none of us expect the litigation to succeed.  And speaking of the FTC, it has released new security guidance, a kind of Restatement of FTC Security Law, explaining just how wisely the FTC settled its 50-plus security cases.  I provide a quick update on the status of my FOIA lawsuit on behalf of Phil Reitinger, in which we try to find out what security standards the FTC is actually using to decide which companies are in violation of the law.

In NSA news, the Foreign Intelligence Surveillance Court says the Second Circuit’s opinion on NSA’s 215 metadata program was unpersuasive and mischaracterized the program.  In judicial circles, the trash talk doesn’t get much trashier.  Since this all becomes irrelevant when the program ends later this year, the FISC will likely have the last word.  And WikiLeaks is rolling out more alleged NSA docs, this time focusing on Germany and Brazil.  The documents don’t seem to be from Snowden, and WikiLeaks offers no provenance for them.  Hmm.  Maybe we ought to take another look at those stories claiming that WikiLeaks has been infiltrated by Russian intelligence.  

Direct download: Podcast_74.mp3
Category:general -- posted at: 4:14pm EST

Our guest for Episode 73 is Rob Knake, currently the Council on Foreign Relations Senior Fellow for Cyber Policy and formerly with DHS, the White House, and the Richard Clarke finishing school for cybersecurity policymakers. Rob and I are quickly embroiled in disagreement; as usual, I mock the cyberspace “norms” that Rob supports and disagree with his surprisingly common view that the US shouldn’t react strongly to Chinese hacking of the OPM database. But we come together to condemn the gobsmackingly limp US response to China’s attack on Github.

In the news roundup, Alan Cohn and Jason Weinstein explain attribution problems in the Cardinals-Astros hacking case. Somehow the Broncos also figure in the discussion.

Want to know why President Obama was foolish to promise he wouldn’t spy on the French President’s communications? The answer is supplied by WikiLeaks, which discloses that the last French President was caught trying to end-run the United States on Palestinian issues. WikiLeaks of course thinks that shows American perfidy.

Google, meanwhile, fought the good fight to overcome a gag order and disclose an investigation of WikiLeaks soulmate Jake Appelbaum. Most interesting item in the 300 pages of documents released by the Justice Department? The Department’s hint that those who Twitter-bully tech companies over their transparency records may be engaged in witness intimidation.

And in a recurring feature, This Week in Prurient Cyberlaw, we unpack the surprisingly complex problem of how Google identifies and delinks revenge porn.

Direct download: Podcast_73.mp3
Category:general -- posted at: 11:50am EST

James Baker, General Counsel of the FBI, is our guest on this week’s podcast. He fearlessly tackles the FBI’s aerial surveillance capabilities, stingrays, “Going Dark,” encryption, and the bureau’s sometimes controversial attribution of cyberattacks.  But he prudently punts on the Hack of the Century, refusing to reveal details of the FBI investigation into the Houston Astros network intrusion.  

Direct download: Podcast_72.mp3
Category:general -- posted at: 11:22am EST

Privacy advocates are embracing a recent report recommending that the government require bulk data retention by carriers and perhaps web service providers, exercise extraterritorial jurisdiction over data stored abroad, and expand reliance on classified judicial warrants. In what alternative universe is this true, you ask? No need to look far. That’s the state of the debate in our closest ally. The recommendations were given to the United Kingdom by an independent reviewer, David Anderson. He’s our guest for Episode 71 of the Cyberlaw Podcast, and he provides a refreshingly different perspective on surveillance policy, one that makes us realize that it’s U.S. civil libertarians, not the U.S. government, who are out of step with the world.

In the news roundup, I bring Edward Snowden back for one last time – the fifteenth time I’ve done that, Michael Vatis points out. This time it’s a British government leak claiming that both Russia and China have decrypted the entire corpus of Snowden’s stolen files – including the enormous number of files that have nothing to do with surveillance and everything to do with military operations.

The OPM hack has now reached Target status, Jason Weinstein argues. It’s not the first, it’s maybe not even the worst, but it’s a hack that has captured the country’s imagination in a way that earlier warnings did not. 

You might think that the OPM hack would show why information sharing is essential. But privacy advocates continue to hold CISA hostage to yet more protections for privacy. The 14 million government officials and former officials whose privacy has been grossly abused by the OPM hack will, I’m sure, thank Senators Mike Lee and Ron Wyden for their continued obstruction of government cybersecurity efforts. In the House, the likeminded Rep. Massie has again proposed an appropriations amendment that would put new limits on the most important part of NSA’s intelligence mission – overseas collection. His amendment passed the House but shows little prospect of surviving Senate review.

In a new feature, This Week in Self-Dealing, we review Jason’s recent op-ed on the New York bitcoin regulations and Alan Cohn’s op-ed on what’s wrong with government cybersecurity policy. We close with comments on the new, extensive, and probably ill-advised Connecticut breach and security law, plus new obstacles for Twitter’s “warrant canary” first amendment lawsuit.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_71.mp3
Category:general -- posted at: 2:37pm EST

Our guest for Episode 70 of the Cyberlaw Podcast is Dan Kaminsky, a famous cybersecurity researcher who found and helped fix a DNS security flaw.  Dan is now the Chief Scientist at WhiteOps, but I got to know him in an unlikely-bedfellows campaign against SOPA because of its impact on DNS security. Dan and I spend most of the podcast disagreeing, largely about trust, Snowden, and security, but we do explore in detail the fact that, contrary to the Received Canon of Silicon Valley, end-to-end encryption is broken to improve security thousands if not millions of times a day by responsible corporate CISOs.  Dan also describes WhiteOps’s promising new take on identifying hackers and clickfraud on the internet.

In the news roundup, we bring back This Week in NSA for old times’ sake, highlighting the enactment of the USA FREEDOM Act and exploring its likely impact.  We mock Charlie Savage for his overwrought New York Times article claiming that NSA’s cybersecurity monitoring is a privacy issue. (We apologize to Julia Angwin, Jeff Larson, and Henrik Moltke, who shared Charlie’s byline; we’ll mock you next time, I promise.) NSA is apparently inspecting traffic from foreign sources for malware and other signatures and may also be spotting exfiltrated data as it leaves victims’ networks. Charlie and his coauthors call this “warrantless surveillance of Americans’ international Internet traffic.” Note to the New York Times:  a hacker sending me malware and stealing my files is a lot of things, but in the real world no one would call that my “international Internet traffic.”

Jason covers the broken settlement between MasterCard and Target arising from Target’s notorious Christmas 2013 breach.  And the Office of Personnel Management comes in for some well-earned criticism, not least for its lame offer of credit monitoring to the 4 million victims of what may be Chinese hacking. If it is the Chinese government, the one thing we probably don’t have to worry about is credit fraud, and given the flood of Chinese thefts of American personal data, the government needs to be giving victims better guidance about what to watch for.

Speaking of government failings, we talk about the supine US response to Putin’s trolls, even though they’re clearly testing tools to create panic and sow disinformation in the wake of a crisis in the United States. Even when they do it inside the United States, it appears that our only strategy is hope.

Michael talks about the Supreme Court ruling that will make the internet safe for violent revenge fantasies. And Jason explains the difference between the FBI’s encryption “Going Dark” campaign and the FBI’s CALEA “Going Dark” campaign:  They’re both DOA, but buried in different parts of the US Code.

Direct download: Podcast_70.mp3
Category:general -- posted at: 10:55am EST

Our guest for Episode 69 is Jason Brown, the Assistant to the Special Agent in Charge of the Cyber Intelligence Section at the U.S. Secret Service. We talk about the Secret Service’s Electronic Crimes Task Forces and their critical role in investigating data breaches affecting financial institutions, retailers and other companies. We also discuss how the Secret Service helps companies prepare for and mitigate their risk of an incident. We talk about issues that impact breach victims’ decisions about whether or how to engage with law enforcement and about how the relationship between law enforcement and Internet providers has changed in the post-Snowden world. Finally, we discuss how the changing jurisprudence relating to electronic searches is impacting the day-to-day conduct of criminal investigations.

In the news roundup, we discuss the dysfunction in the Senate that has led to the (temporary?) lapsing of the 215 program. We mull over the impact of Riley on the Sixth Circuit’s decision in a laptop search case. The DOJ Criminal Division talks about hackback, and Yahoo! faces class certification in an email scanning case. In our “prurient interest” feature, a database of Adult Friend Finder users is for sale online. And we weigh the possible impact of New York’s BitLicense regulations. Once again, Maury Shenk joins us to talk about developments in Europe, including new Dutch breach notification requirements, Skype’s efforts to push back against Belgian intercept law, and discussions about new EU cybersecurity rules that could have a significant impact on US providers.

Direct download: Podcast_69.mp3
Category:general -- posted at: 2:48pm EST

Our guests for Episode 68 include Julian Sanchez, senior fellow at the Cato Institute, where he studies issues at the busy intersection of technology, privacy, and civil liberties, with a particular focus on national security and intelligence surveillance. They also include the entire May meeting of ISSA-NOVA, which kindly invited the Cyberlaw Podcast to go walkabout once again. The audience provides useful feedback on several of the topics covered in this episode.

We begin with This Week in NSA.  And even though we had no idea how the Senate process would end up, neither it turns out did Majority Leader McConnell or anyone else. Our remarks on the Congressional dynamic remain as relevant now as when we made them, despite our intimations of obsolescence. We also cover an early judicial decision on insurance coverage for data breaches (subscription required), the US indictment of (another!) six Chinese economic espionage agents, and the personal data orphaned by Radio Shack’s bankruptcy.

More importantly, we seize on a flimsy pretext to revisit Max Mosley’s five-hour, five-hooker sadomasochistic orgy (subscription required) and his self-defeating efforts to wipe it from the internet by threats of lawsuit. It turns out he’s now reached a settlement with Google. I speculate that perhaps we’ve misread Mosley all this time. Maybe he’s doing this because of the Streisand effect, not in spite of it. It’s like he wants the internet to punish him, or something …

Returning to serious coverage, we note that CCIPS and the Justice Department may be suffering from Baker Derangement Syndrome in the face of my defense of private cyber-investigation that goes beyond network boundaries. The Department’s latest effort involves persuading CSIS and a group of CISOs to join a draft paper that looks suspiciously like a DOJ brief in opposition to the Cyberlaw Podcast. And the supposed consensus among CISOs that’s identified in the paper breaks down quickly, rejected ten to one in an informal poll of the ISSA-NOVA audience.

Julian and I mix it up over the new, revived Crypto Wars, as I challenge the claim that building access to encryption systems is always a bad idea. That, I say, will come as news to all the network security administrators who access end-to-end TLS sessions on a routine basis because the security consequences of not “breaking” that crypto are worse than the corporate front door. He recommends that I ask Dan Kaminsky to comment on that statement, and since Dan will be a guest on the podcast soon, we’ll all get to hear his answer.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_68.mp3
Category:general -- posted at: 4:59pm EST

Our guest for Episode 67 is Dan Geer, a legendary computer security commentator and current CISO for In-Q-Tel. We review Dan’s recommendations for improving computer security, including mandatory reporting of intrusions, liability for proprietary software, striking back at hackers – at least in some ways – and getting the government to purchase and fix vulnerabilities. We agree on the inherent foolishness of the Internet voting movement, but I disagree with Dan on the right to be forgotten, and I predict that net neutrality will lead to the opposite of what he wants – both more regulation of operators and more limits on what the operators are allowed to carry.

As with Bruce Schneier, I accuse Dan of a kind of digital Romanticism for advocating improbable personal defenses like using Tor for no reason, having multiple online identities, swapping affinity cards, and paying your therapist under an assumed name. But Dan makes me eat my words.

More from Dan can be found here, here, and here.

In the news roundup, we introduce Alan Cohn, yet another recent alumnus of the DHS Policy office now at Steptoe. We also revive This Week in NSA, pooling our collective inability to predict what the week will hold for the 215 metadata program. We muse about border laptop searches, questioning both DOJ’s choice of battleground and the ability of judges to withstand a PR campaign by the privacy lobby. We cover a FOIA case to find out if the FTC actually has security standards – a case filed by Phil Reitinger and Steptoe. The roundup ends with the plane-hacking case, the FBI’s Stingray guidance, and the first anniversary of the EU’s misbegotten Right to Be Forgotten.

Direct download: Podcast_67.mp3
Category:general -- posted at: 12:15pm EST

The Triple Entente Beer Summit was a great success, with an audience that filled the Washington Firehouse loft and a cast that mashed up Lawfare, Rational Security, and the Steptoe Cyberlaw Podcast.  We attribute the podcast’s freewheeling interchange to the engaged audience, our profound respect for each other, and, mostly, the beer. After a discussion between the combined panels, we throw the event over to the audience, which demonstrates that we could have produced almost as good a program by randomly selecting audience members to appear on the panel with us.

Direct download: Triple_Entente_Beer_Summit.mp3
Category:general -- posted at: 7:03am EST

Episode 65 would be ugly if it weren’t so much fun.  Our guest is Bruce Schneier, cryptographer, computer science and privacy guru, and author of the best-selling Data and Goliath – a book I annotated every few pages with the words, “Bruce, you can’t possibly really believe this.” And that’s pretty much how the interview goes, as Bruce and I mix it up over hackbacks, whether everyone but government should be allowed to use Big Data tools, Edward Snowden, whether “mass surveillance” has value in fighting terrorism, and whether damaging cyberattacks are really infrequent and hard to attribute. We disagree mightily – and with civility.

The news roundup covers Congress’s debate over NSA and section 215. The House is showing a dismaying efficiency in moving bad bills while the Senate is mired in what may turn out to be more productive confusion (see, e.g., S. 1035 and S. 1123). 

We unpack the Supreme Court’s grant of certiorari in Spokeo.

A new and troubling development in cyber insecurity was demonstrated by the malware Cryptowall, which infected readers of the Huffington Post via ads for Hugo Boss, then encrypted the readers’ hard drives and held their data for ransom. We ask whether the ad networks or even the web publishers will eventually be held liable for transmitting the infected ads via HuffPo ads for Hugo Boss. The Senate Homeland Security Committee wrote a report on malvertising risks and liabilities last year that concludes with the view that liability couldn’t be established because none of the participants in the online advertising industry is directly responsible for the harm. I think the Senate Homeland Security committee has never litigated in the Eastern District of Texas.

In quick news, Goldman’s “Flash Boy” has been convicted again. The FCC says it doesn’t regulate Stingrays, except to require FBI approval for purchasers. The US and Japan deepen their cyber defense relationship, and Prime Minister Abe gets a standing O for calling out (shh! Chinese) cybertheft of IP. And DOJ releases cybersecurity guidance that is surprisingly good – but for what I call its fatally flawed view of hacking back (at least that’s what I meant when I called the authors “jackasses”).

Direct download: Podcast_65.mp3
Category:general -- posted at: 4:21pm EST

Our guest for episode 64 of the Cyberlaw Podcast is Mary DeRosa, the chief lawyer for the National Security Council during the early years of the Obama Administration, and now a Distinguished Visitor at Georgetown University Law Center. We ask Mary to walk us through a hypothetical set of NSC meetings on the Sony breach and the US response, flagging the legal issues and offices that come to the table. She helps me unpack the differences between the use of force, countermeasures, and an armed attack – and confirms that I have no future at the State Department – an overdetermined outcome if ever there was one. It’s a great primer on the practical ways in which cyberconflict is lawyered (or, in my view, overlawyered). 

In the news roundup, I have to choose between defending the New York Times and defending Hillary Clinton. I choose Hillary, arguing that despite NYT innuendo the Russians aren’t dumb enough to pay tens of millions for a State Department “yes” vote in CFIUS. Because as far as anyone knows, the State Department has never voted anything but “yes” in CFIUS.

The House has passed two cyber information sharing bills ‒ H.R. 1560 and H.R. 1731 ‒ and at every stage of the process, the sponsors made concessions to the privacy lobby, which simply pocketed the concessions and moved the goal posts. Michael Vatis and I note that the bill that came out of the Intelligence Committee contained a “privacy tax” on private sector information sharing that will discourage sharing. And the bill as amended on the floor was worse – potentially stripping encryption of its status as a protected “defensive measure” under the act. If privacy groups hadn’t demanded the change, they’d already be screaming about how the House hates crypto. Now the bill moves to the Senate, where it is wrapped around the axle of NSA’s 215 metadata program. Debate over that program must conclude by May 22 and will, I predict, be Hobbesian: nasty, brutish, and short.

Maury Shenk and I discuss the EU’s gift that keeps on giving:  “Mad Dog” Oettinger, the high European official who finally threw away the mask, admitting a determination to regulate US tech companies until Europeans can climb back into the ring. There are rumors that his office is considering a vast new regulatory program for electronic platforms. Meanwhile, a bunch of senior UK intelligence officials are calling US Internet companies ‘terrorist-friendly’ for enabling encrypted communications. 

We quickly reprise the news from RSA: Jeh Johnson, Ash Carter, John Carlin, Tom Wheeler, and Michael Daniel were all in San Francisco last week.  Carter announced a DOD cyberwar strategy that looked at best like a plan to plan for cyberwar but still managed to be an improvement over past DOD efforts. Jeh Johnson wants DHS to have an office in Silicon Valley. And Michael Daniel admitted that the government is still looking for an escrow-type crypto solution.

Finally, another FTC privacy case is settled, as the Commission declares that the lack of an in-store tracking opt-out is unfair, or deceptive, or newsworthy, or whatever the FTC’s standard for prosecution is these days. Jason Weinstein introduces me to my new heroes – Maureen Ohlhausen and Joshua Wright ‒ the two FTC commissioners who dissented from this lawless decision.

Direct download: Podcast_64.mp3
Category:general -- posted at: 1:18pm EST

Our guest for episode 63 of the Cyberlaw Podcast is Alan Cohn, former Assistant Secretary for Strategy, Planning, Analysis & Risk in the DHS Office of Policy and a recent addition at Steptoe. Alan brings to bear nearly a decade of experience at DHS to measure the Department’s growth. He explains how it has undertaken and largely delivered a new civilian cybersecurity infrastructure. And, while Congress dithers, it has begun to build an information sharing network quite independent of the legislative incentives now on offer. Alan also offers his insights into emerging technologies and the risks they may pose, including drones, sensors, and cryptocurrencies.

In the news roundup, the consensus story of the week is the return of Jason Weinstein from a five-week absence, only some of it justified by family vacation and other worthwhile endeavors.  In second place is the concerted European attack on Google and the rest of the US tech sector. Michael Vatis and I mull over a high-ranking European official’s astonishing gaffe in admitting the truth behind the effort – that it’s an attempt to regulate US technology until European industry can compete. Good luck with that.

In the House, Doug Kantor reminds us, it’s cyberweek, so the data breach law has immediately collapsed into such uncertainty that its Democratic sponsor even voted to keep it in committee. The bill has gone back to the shop for repairs to its bipartisan credentials, and the Obama administration, which says it supports a bill, seems to be keeping its distance from the messy business of actually legislating.

Meanwhile, Jason explains why cops are paying ransom to cybercrooks to get their data decrypted; Michael tells us a district court has given life to class action Google Wallet privacy claims under a sweeping theory; and I note that Julian Assange’s WikiLeaks has hit a new low in offering a searchable database of stolen Sony email messages. Finally, the SEC’s Mary Jo White is taking heat for standing in the way of ECPA amendments, and the Chinese technological autarky movement seems to be alive and well, with a little help from US companies.

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

Direct download: Podcast_63.mp3
Category:general -- posted at: 10:59am EST

Our guest for Episode 62 is Dmitri Alperovitch, co-founder and CTO of CrowdStrike Inc. and former Vice President of Threat Research at McAfee. Dmitri unveils a new CrowdStrike case study in which his company was able to impose high costs on an elite Chinese hacking team. The hackers steadily escalated the sophistication of their attacks on one of CrowdStrike’s customers until they finally unlimbered a zero-day. When even that failed, and the producer was alerted to the vulnerability, the attackers found themselves still locked out and now down one zero-day. We mull the possibility that there’s a glimmer of hope for defenders.

Dmitri and I also unpack the Great Cannon -- China’s answer to 4Chan’s Low-Orbit Ion Cannon.  Citizen Lab’s report strongly suggests that the Chinese government used its censorship system to deliberately infect about 2% of the Baidu queries coming from outside China.  The government injected a script into the outsiders’ machines.  The script then DDoSed GitHub, a U.S. entity that had been making the New York Times available to Chinese readers along with numerous open source projects. The attack is novel, shows a creative and dangerous use of China’s Great Firewall, and provoked not the slightest response from the U.S. government. I ask why any company in the United States that uses the Baidu search engine or serves China-based ads should not be required to notify users that their machines may be infected with hostile code before allowing them to receive ads or conduct searches. Finally, finding something good to say about the FTC’s jurisdiction, I ask why it isn’t deceptive and unfair to automatically expose U.S. consumers to such a risk.

In other news:  The courts are raking the Mississippi Attorney General over the coals for an ill-considered attack on Google. The DEA’s bulk collection program is still undercovered.  The FCC is racing the FTC to investigate big telecom and internet companies for privacy violations. The Baker Plan for punishing North Korea in response to its attack on Sony has been implemented. And I break out my suits and ties from the early 1990s to celebrate the return of split-key escrowed encryption and arguments over the meaning of CALEA.   

Direct download: Podcast_62.mp3
Category:general -- posted at: 3:26pm EST

Our guest for episode 61 of the Cyberlaw podcast is Joseph Nye, former dean of the Kennedy School at Harvard and three-time national security official for State, Defense, and the National Intelligence Council.  We get a magisterial overview of the challenge posed by cyberweapons, how they resemble and differ from nuclear weapons, and (in passing) some tips on how to do cross-country skiing in the White Mountains.

In the news roundup, Meredith Rathbone explains details of the new sanctions program for those who carry out cyber attacks on US companies.  I mock the tech press reporters who think this must be about Snowden because, well, everything is about Snowden.  Michael Vatis endorses John Oliver’s very funny interview of Edward Snowden.  Not just funny, it’s an embarrassment to all the so-called journalists who’ve interviewed Snowden for the last year without once asking him a question that made him squirm.  In contrast, Oliver almost effortlessly exposes Snowden’s dissembling and irresponsibility.  He hits NSA below the belt as well.

Ben Cooper explains the Ninth Circuit decision refusing to apply disability accommodation requirements to web-only businesses (he filed an amicus brief in the case), and we speculate on the likelihood of a cert grant.

While we’re speculating on judicial outcomes, Maury Shenk takes us through the arguments over the data protection Safe Harbor before the European Court of Justice.  We both think the arguments suggest considerable hostility toward the Safe Harbor.  An unfavorable ECJ decision could greatly complicate the lives of companies that depend on it to allow extensive data transfers across the Atlantic.  And great complications are exactly what we expect.

Direct download: Podcast_61.mp3
Category:general -- posted at: 3:49pm EST

Episode 60 of the Cyberlaw Podcast features Paul Rosenzweig, founder of Red Branch Consulting PLLC and Senior Advisor to The Chertoff Group.  Most importantly he was a superb Deputy Assistant Secretary for Policy in the Department of Homeland Security when I was Assistant Secretary.

Paul discusses the latest developments in ICANN, almost persuading me that I should find them interesting.  He expresses skepticism about the US government’s effort to win WTO scrutiny of China’s indigenous bank technology rules; he also sees the DDoS attack on GitHub as a cheap exercise in Chinese extraterritorial censorship.

Michael Vatis, meanwhile, fills us in on two new cyberlaw cases whose importance is only outweighed by their weirdness. And I dissect the House cybersecurity information sharing bill, concluding that it has gone so far to appease the unappeasable privacy lobby that it may actually discourage information sharing.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_60.mp3
Category:general -- posted at: 4:17pm EST

Richard Bejtlich is our guest for episode 59 of the Cyberlaw Podcast. Richard is the Chief Security Strategist at FireEye, an adviser to Threat Stack, Sqrrl, and Critical Stack, and a fellow at Brookings. We explore the significance of China’s recently publicized acknowledgment that it has a cyberwar strategy, FireEye’s disclosure of a gang using hacking to support insider trading, and NSA director Rogers’s recent statement that the US may need to use its offensive cyber capabilities in ways that will deter cyberattacks. 

In the news roundup, class action defense litigator Jennifer Quinn-Barabanov explains why major automakers are facing cybersecurity lawsuits now, before car-hacking has caused any identifiable damage.  I explain how to keep your aging car and swap out its twelve-year-old car radio for a cool new Bluetooth enabled sound system.  Michael Vatis disassembles the “$10 million” Target settlement and casts doubt on how much victims will recover.

Michael also covers the approval by a Judicial Conference advisory committee of a rule allowing warrants to extend past judicial district lines, explaining why it may not be such a big deal.  Maury Shenk, former head of Steptoe’s London office and now a lawyer and a private equity investor and adviser, jumps in to discuss the Chinese cyberwar strategy document as well as China’s effort to exclude US technology companies from its market.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_59.mp3
Category:general -- posted at: 3:59pm EST

In episode 58 of the Cyberlaw Podcast, our guest is Andy Ozment, who heads the DHS cybersecurity unit charged with helping improve cybersecurity in the private sector and the civilian agencies of the federal government. We ask how his agency's responsibilities differ from NSA's and FBI's, quote scripture to question his pronunciation of ISAO, dig into the question whether sharing countermeasures is a prelude to cybervigilantism, and address the crucial question of how lawyers should organize cybersecurity information sharing organizations (hint: the fewer lawyers and the more clients the better). In the news roundup, we revisit the cybersecurity implications of net neutrality, and Stephanie Roy finds evidence that leads me to conclude that the FCC has stolen the FTC's playbook (and, for all we know, deflated the FTC's football). This ought to at least help AT&T in its fight with the FTC over throttling, but that's no sure bet.

I explain why Hillary Clinton's email server was a security disaster for the first two months of her tenure – and engage in utterly unsupported speculation that she closed the biggest security gap in March 2009 because someone in the intelligence community caught foreign governments reading her mail.

In news with better grounding, the Wyndham case goes to the Third Circuit and the bench is hot. We explain why this is good for Wyndham. In other litigation news, the feds respond to Microsoft in the Irish warrant case. Michael and I agree that the Justice Department is praying for a cold bench.

Finally, in two updates from earlier podcasts, it looks as though China may have backed down on backdoors, for now, so Silicon Valley can go back to worrying about Jim Comey. And, I explain my claim from last week's show that the FREAK vulnerability is overhyped to support a simplistic civil libertarian morality tale.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_58.mp3
Category:general -- posted at: 10:54am EST

This episode of the podcast features Rep. Mike Rogers, former chairman of the House intelligence committee, Doug Kantor, our expert on all things cyber in Congress, and Maury Shenk, calling in from London.  Mike Rogers is now a nationally-syndicated radio host on Westwood One, a CNN national security commentator, and an adviser to Trident Capital’s new cybersecurity fund. The former chairman addresses a host of issues -- gaps in CFIUS, the future of the President’s new cyber threat integration center, the risk of rogue state cyberattacks on US infrastructure – as well as the issues we cover in the news roundup. 

These include Maury’s take on China’s toughening policy toward US technology, the prospects for a workable bill renewing section 215 (the ex-chairman is not as sanguine as Doug Kantor and I) and the administration’s new privacy bill.  (Our take: the bill is ideal for the Twitter age, since you still have 137 characters left after typing “DOA”.)   Maury updates us on the latest reason for delay in adoption of a new European data protection regulation. Doug Kantor and Mike Rogers consider the prospects for an information sharing bill and comment on privacy groups’ goalpost-moving style of congressional negotiation. 

And, finally, I respond to Edward Snowden’s claim that he wants to move to Switzerland by reminding him (and the Swiss)  what he said about them the last time he lived there.  (Said Snowden: “You guys can’t say I look gay any more. I’m living in Switzerland. I’m the straightest-looking man in the country.” Geneva is “nightmarishly expensive and horrifically classist,” and “I have never, EVER seen a people more racist than the swiss.”  Apparently a year in Moscow broadened his horizons.)

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_57.mp3
Category:general -- posted at: 3:32pm EST

Our guest for Episode 56 of the Cyberlaw Podcast is Siobhan Gorman, who broke many of the top cybersecurity stories for the Wall Street Journal until she left late last year to join the Brunswick Group, which does crisis communications for private companies.  Siobhan comments on the flood of attribution stories in recent days, including the US government’s almost casual attribution of the Sands Las Vegas cyberattack to Iran and the leaked attribution of the Saudi Aramco and US bank attacks to the same nation.  She also compares private sector cyber crisis planning to the US government’s coordination (or lack thereof) in responding to the Sony attack.

In other news, Stephanie Roy and I take a deep and slightly off-center dive into the FCC’s net neutrality ruling.  I predict that within five years the FCC will have used its new Title II authority to impose cybersecurity requirements on US ISPs.  (And in ten years, I suspect, there will be a debate in the FCC over whether to throttle or disfavor communications services that don’t cooperate with the FBI’s effort to deny perfectly encrypted security to criminals.) Stephanie demurs.

Michael Vatis and I chew over China’s “overdetermined” (h/t Mickey Kaus) policy of ousting American tech products in favor of Chinese competitors, the prospects of class action plaintiffs in the Komodia/Superfish/Lenovo flap, and NY financial regulator Benjamin Lawsky’s war on the password.

We finally get listener feedback to read on the air, as Michael Samway congratulates Nuala O’Connor for her masterly handling of, well, me.  Those who think they can do a better job of humiliating me will have their work cut out for them, but they’re welcome to try, sending emails to CyberlawPodcast@steptoe.com and voice mails to +1 202 862 5785.

Direct download: Podcast_56.mp3
Category:general -- posted at: 4:19pm EST

In Episode 55 of the Cyberlaw Podcast, we revive This Week in NSA to explore the claim that GCHQ stole mass quantities of cell phone encryption keys.  Meanwhile, Jason explains the complex political battles over Rule 41, Michael explains why so many companies have rallied to Twitter’s first amendment claim against the Justice Department, and both of them explain how Yahoo! managed to beat the government’s indefinite gag order – and why Yahoo! might even be right.  After which we melt down into the bottomless hot mess of liability and litigation that surrounds the Lenovo/Superfish/Komodia/Lavasoft flap.

Our interview is with the charming and feisty CEO of the Center for Democracy and Technology, Nuala O’Connor.  Nuala and I square off over end-to-end encryption, privacy, and section 215, while managing to find common ground on TLS and even child-rearing.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_55.mp3
Category:general -- posted at: 2:06pm EST

Episode 54 of the Cyberlaw Podcast features a guest appearance by Lawfare’s own Ben Wittes, discussing cybersecurity in the context of his forthcoming book, The Future of Violence, authored by Ben and Gabriella Blum.  (The future of violence, you won’t be surprised to hear, looks bright.)  Ben also floats the idea of taping an episode of all the Lawfare-affiliated podcasts in a bar with some of our listeners.  More on that idea to come.

In the news roundup, I cover the President’s surprisingly news-light cybersecurity summit in Silicon Valley.  Jason comments on state attorneys general’s predictable sniping at Anthem for delays in identifying all the potential victims of its hack.  I note with satisfaction a serious loss by EFF in the Jewel lawsuit over the US government’s access to AT&T traffic.  And Jason lays out a report by the New York State Department of Financial Services on insurance company cybersecurity.

We both express concern about two Kaspersky security reports that identify new hacking tactics and new dangers for computer networks.  The patient infiltration of large bank networks and the extraction of hundreds of millions of dollars casts doubt on the safety of banking systems around the world.  Equally troubling is the discovery that what Kaspersky calls the “Equation” group used firmware exploits to achieve enduring access to a wide variety of hard drives.  (Though Kaspersky’s claim that the access depended on having the hard drive makers’ source code looks wrong.)

As always, send your questions, suggestions for interview candidates and offers to stand a round at the Beer Summit to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_54.mp3
Category:general -- posted at: 9:58am EST

In this week’s episode of the Cyberlaw Podcast, I take our new mobile recording equipment to Paris to talk about Europe’s cybersecurity directive with Alex Klimburg, of the Hague Institute for Strategic Studies and the Harvard Kennedy School’s Belfer Center.  The directive is in its final stages after a two-year buildup, and the most recent drafts suggest that the EU is finding it hard to muster the will for heavy regulation in this area.

In our news roundup, Jason Weinstein covers the Anthem hack and probable Chinese responsibility for it.  I point out that American privacy groups have said more or less nothing about the idea that a massive database about Americans might be assembled by China.

Stephanie Roy explains the FCC’s proposed net neutrality regs. And Doug Kantor lays odds on the five most prominent cybersecurity proposals.  Short version:  information-sharing is looking doable, and a national breach law might be as well.  CFAA changes look less easy, and the ECPA changes are stuck in a fight between people who hate Wall Street and privacy campaigners. The President’s $14 billion appropriation request for cybersecurity will get sliced, diced, and roasted, but he’ll likely end up with a lot of that money.

Cybersecurity scrutiny continues for financial institutions.  Jason reports on two recent regulators’ warning shots.  And I cover a variety of surveillance news, including the irony that a UK tribunal declared that an otherwise unlawful GCHQ practice had been saved by none other than Edward Snowden, who provided the transparency the tribunal considered necessary.  Thanks, Eddie!

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_53.mp3
Category:general -- posted at: 11:37am EST

In this week’s episode, our guest is Rebecca Richards, NSA’s director of privacy and civil liberties.  We ask the tough questions:   Is her title an elaborate hoax or is she the busiest woman on the planet?  How long will it be before privacy groups blame the Seattle Seahawks’ loss on NSA’s policy of intercepting everything?  How do you tell an extroverted NSA engineer from an introvert?  And, more seriously, now that acting within the law isn’t apparently enough, how can an intelligence agency assure Americans that it shares their values without exposing all its capabilities? 

In the week’s news, Jason Weinstein, Michael Vatis and I explore the DEA’s license plate collection program and what it means, among other things, for future Supreme Court jurisprudence on location and the fourth amendment.   We take on the WikiLeaks-Google flap and conclude that there’s less there than meets the eye. 

Jason celebrates a festival of FTC news.   The staff report on the Internet of Things provokes a commissioner to dissent from feel-good privacy bromides.  The FTC data security scalp count grows to 53, with more on the way.  We discover that the FTC has aspirations to become the Federal Telecommunications Commission, regulating telecommunications throttling as well as cramming – and apparently forcing the FCC into the business of regulating hotels.  To be fair, we find ourselves rooting for the Commission as it brings the hammer down on a revenge porn site.

And Michael finds the key to understanding China’s policies on cybersecurity and encryption.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_52.mp3
Category:general -- posted at: 4:03pm EST

Episode 51 of the podcast features a debate on attributing cyberattacks.  Our two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed.  Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done.  Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years. 

I question both of them, relying heavily on questions supplied by attribution aficionados via Twitter (@langnergroup, @NateBeachW, @janwinter15, @pwnallthethings, and @marcwrogers, among others).

I ask why cyber attribution is so controversial.  Is it a hangover from the Iraq war?  Snowdenista sentiment?  Or the publicity to be gained from challenging official attributions? 

We debate whether using secret attribution evidence is inherently questionable or an essential tool for ensuring successful attribution.  

I also call out the security experts who heaped scorn on the FBI for its initial fingering of North Korea as the source of the Sony attack.  Which of them recanted as the evidence mounted, and which ones doubled down?  Details in the podcast. 

In the news roundup, Jason Weinstein and I are joined by Ed Krauland, a partner in Steptoe’s International Department in DC. Ed outlines the likely impact on technology trade of President Obama’s lifting of Cuba sanctions (short answer:  not much).  I linger over the evidence that Europe has swung from hating US tech firms for being too cozy with government to hating them for not being cozy enough: the EU’s top counterterrorism official wants to prevent firms from selling unbreakable encryption, and the French government wants them to take down more terror-related online speech.  Later, I spike the ball, pointing to a Pew poll showing that NSA is holding its own in American opinion since the first Snowden revelations and that young voters have a far more favorable view of the agency than those over 65.

In US privacy litigation, Jason tells us that the class action over CarrierIQ’s storage of phone records has gotten a haircut, as the court throws out wiretap claims against hardware makers, and that LabMD has lost yet another peripheral battle in its campaign to force the FTC to spell out exactly what security measures it expects from private companies.  And we debate the significance of the revelations about DEA's Hemisphere Project.

Direct download: Podcast_51.mp3
Category:general -- posted at: 10:57am EST

Our guest for Episode 50 of the Steptoe Cyberlaw Podcast is David Sanger, the New York Times reporter who broke the detailed story of Stuxnet in his book,  Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power.  David talks about his latest story, recounting how North Korea developed its cyberattack network, and how the National Security Agency managed to compromise the network sufficiently to attribute the Sony attack.  We talk about how understanding the White House helped him break a story that seemed to be about NSA and the FBI, North Korean hackers’ resemblance to East German Olympic swimmers, and the future of cyberwar.

Michael Vatis and I also cover a news-rich week, beginning with capsule summaries of the President’s State of the Union proposals for legislation on cybersecurity information sharing, breach notification, and Computer Fraud and Abuse Act amendments.

We touch on Europe’s new commitment to antiterrorism surveillance, which officially puts a still-Snowden-ridden United States out of step with just about every developed nation.

I try to summarize the new National Academy of Sciences study on why there isn’t an easy software substitute for bulk collection.  (Short answer:  If you want to recreate the past, you have to bulk-collect the present.)

We ask whether the DEA was the inspiration for NSA’s 215 bulk collection program, call out Rep. Sensenbrenner, who evidently skipped the DEA briefings as well as NSA’s, and wonder why Justice didn’t explain to Congress last year that NSA’s program wasn’t that big a leap from the Justice Department’s own bulk collection – instead of quietly trying to bury its program when the heat built up on NSA.  (OK, we didn’t really wonder why Justice did that.)

If you judge by their joint press conference, Prime Minister Cameron seems to have done more to convert President Obama to skepticism about widespread unbreakable encryption than Jim Comey did.  Save your Clipper Chips, key escrow will rise again!

Finally, Centcom’s public affairs team, which can’t keep ISIS sympathizers out of its Twitter and YouTube feeds, deserves 24 hours of deep embarrassment, which is surprisingly exactly what it gets.

Direct download: Podcast_50.mp3
Category:general -- posted at: 12:23pm EST

Our guest commentator for episode 49 of the Steptoe Cyberlaw podcast is Juan Zarate, a senior adviser at the Center for Strategic and International Studies (CSIS), the senior national security analyst for CBS News, a visiting lecturer at the Harvard Law School, and Chairman and Co-Founder of the Financial Integrity Network.  Before joining CSIS, Juan was the first ever assistant secretary of the treasury for terrorist financing and financial crimes.

We inaugurate a new headline news feature, “News or Snooze.” Some highlights:

  • “EU Data Supervisor Presses for Privacy Overhaul in 2015” – Hit the snooze button and you can hear this again in 2016.  And probably 2017 too.
  • “New Credit Cards May Fall Short on Fraud Control” – This is news for everyone who thought we were moving to chip and pin to get better credit card security.
  • “FBI Says Warrants Not Needed for Stingrays, Senators Express Doubts” – No surprises here.
  • “Lyft and Uber answer Sen. Franken” – Will consumers punish Uber for its privacy woes and reward Lyft for playing nice with the Senator?  Stewart bets that they won’t.
  • “Sony Hackers ‘Got Sloppy’ says FBI director” – This is news:  Jim Comey provides new evidence supporting the North Korea attribution.  Skeptics move to a new grassy knoll.
  • French terror attacks:  Big news for surveillance in both Europe and the US.  The ghost of Edward Snowden is starting to fade, as are prospects for dumping the NSA 215 program.

In the interview, Juan Zarate and Steptoe’s own Meredith Rathbone lead us through a bracing discussion of U.S. sanctions on North Korea for the Sony attack.  Bottom line:  the Treasury sanctions announced so far are unlikely to have much impact, but they do open the door to future approaches that could.  Juan endorses tougher OFAC sanctions for the beneficiaries of cyberespionage and international sanctions for attacks on banks.  He even has a kind word for letters of marque that would give the private sector more authority to pursue cyberattackers.  By the end, he’s demonstrated anew why we call him the Lord Byron of cyberpolicy.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Direct download: Podcast_49.mp3
Category:general -- posted at: 12:35pm EST

Our guest for the first podcast of 2015 is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at CSIS, where he writes on technology, security, and the international economy.

We try a new, slightly shorter format for 2015, with quick takes on a batch of headlines:

We dig a little deeper into other stories. 

  • FBI investigates Banks for Revenge Hacking of Iran: Stewart, Jason, and Jim Lewis debate the wisdom of taking down DDOS command and control servers without waiting for the government. And Israel’s role as a haven for private hacking back.
  • And, of course, all things Sony: We discuss the weird “grassy knoll” determination to blame someone other than North Korea. Turns out many of those challenging the FBI’s attribution have questionable credentials or are outspoken Snowden supporters, calling into question their judgment. We deprecate US financial sanctions on North Korea as a deterrent and the South Korean who is taking seriously Stewart’s suggestion that The Interview be dropped on the North from balloons. 
  • Finally, Jim Lewis offers his insider’s view of China’s approach to cyber conflict – the norms that apply in cyberwar, where cyberweapons fit into China’s warfighting doctrine, and a possible split between China’s leadership and its PLA on when and whether to carry out cyberespionage for Chinese companies.  

Later this year we will be joined by Becky Richards of the NSA Privacy office.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Direct download: Podcast_48.mp3
Category:general -- posted at: 4:43pm EST

Our guest this week is Joanne McNabb, Director of Privacy Education and Policy for the California Attorney General’s Office.  Joanne discusses the findings and recommendations in the recently released 2014 California Data Breach Report.  She also offers insight into some of the key factors the Attorney General’s Office considers in deciding whether or not to investigate a breach.  She then discusses changes in California privacy law that will go into effect on January 1 – including SB568, the so-called “online eraser” for minors seeking to delete unwanted posts, and AB1710, which extends data security requirements to companies that “maintain” personal information, not just those that own or license it.  Finally, she settles a dispute only privacy lawyers could find interesting regarding the scope of AB1710’s provision requiring identity theft prevention/mitigation services.

We almost got through the week without any NSA news, but the FISA court made the news for doing exactly what you’d expect – renewing the section 215 orders for metadata.  More interesting was the news from Turkey, which effectively rewrites the history of cyberwar, and it no longer begins with Stuxnet.  It looks as though Russia launched a distinctly kinetic and sophisticated cyberattack in 2008 on the Turkish-Azeri pipeline that threatened to break its chokehold on Caspian oil.  Michael Vatis takes the day off to file an amicus brief in support of Microsoft in the fight over overseas warrants.

The Sony breach fallout continues to be severe. Things are bad enough that the Hollywood Reporter is asking me to write op-eds. We question whether Sony is really resorting to “active measures” to block distribution of the stolen files. And Aaron Sorkin calls the media “dishonorable” for publishing all these leaked documents. Funny, but I don’t remember him saying the same thing when it was Manning and Snowden putting stolen docs on the front page.

Chris Conte explains the SEC’s new cybersecurity rules for exchanges and other trading platforms.

And the lame duck allows cybersecurity legislation to pass in a convoy:  Five cybersecurity bills, all modest in impact, were adopted by Congress in the last few days:

  • S. 1691 – allowing pay flexibility to attract cybersecurity professionals;
  • H.R. 2952 – requiring DHS to adopt a workforce strategy and assessment plan;
  • S. 2519 – authorizing DHS to run an integration center providing threat information to civilian agencies and modifying federal government data breach rules;
  • S. 1353 – a very NIST-centered set of authorizations for cybersecurity awareness, research and workforce measures that may or may not be funded;
  • S. 2521 – confirming DHS’s role in providing FISMA oversight under OMB guidance.

And Sony has company. It turns out that an Iranian hack on the Sands Las Vegas may be the first cyberattack on US soil. Both Sony and Sands join the DDOS attacks on our banks as cyberattacks on the US that have gone unanswered. Instead of a digital Pearl Harbor, it looks as though we’re getting a lot of digital Sudetenlands.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Direct download: Podcast_47.mp3
Category:general -- posted at: 2:49pm EST

Our interview focuses on Shane Harris and his new book, @War:  The Rise of the Military-Internet Complex.   It’s a good read and a good book, marred by the occasional deployment of easy lefty tropes – government contractors are mercenaries, the military sees war as an opportunity to expand turf, cybersecurity is a threat to privacy, anonymity is all about rights, etc.  But Harris is first and foremost a storyteller, and his zeal for the story is far more important to him than ideology.  When he tells the story of the guys who used cybertactics to break al Qaeda in Iraq during the surge, or of the banks’ cyberbattle with Iran, he lets the reader decide who to root for. 

We talk about some of the more surprising stories that Harris tells, including: 

  • The (contested) claim that Chinese hackers caused a large Florida blackout by mistake
  • The mismatch between an estimated 300-1000 US government hackers and China’s estimated 20 thousand (A land war in Asia could be coming to a network near you)
  • Harris’s controversial suggestion that the banks may be assembling their own zero-day exploits in preparation for a hackback campaign against Iran
  • The possibility that foreign governments systematically compromised the networks of American natural gas pipeline companies in preparation for an attack – and whether we’d even know when cyberweapons had been used

In our news roundup, we start with This Week in NSA, but the latest Intercept story on NSA and cell phone interception is so boring and opaque it’s practically encrypted.   So we switch to This Week in GCHQ.   At the suggestion of a listener, we mine the UK parliamentary report on the killing of a soldier on the streets of London for lessons about the need for MLAT reform in the United States. 

Verizon escapes an FTC investigation without an eternal oversight regime.  Why?  Because of its aggressive effort to cure a security flaw or because the FTC realized it had overreached?  You be the judge.

We unpack the judicial decision refusing to dismiss bank claims against Target for its credit card breach, raise questions about a Boston hospital’s surprisingly cheap settlement of a privacy case arising from a stolen laptop.  And then dive into the biggest breach case of the year, maybe the decade: Sony. We think North Korea did the hack, and the lack of a US response could have bad consequences for the country.  Among other things, the only bad guys we’ll ever see in future movies are Serbs. And US government officials, of course.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Direct download: Podcast_46.mp3
Category:general -- posted at: 2:58pm EST

Our guest for the week is Troels Oerting, the head of EC3, Europe’s new cybercrime coordination center.  He talks about EC3’s role in the recent takedown of over 400 darknet sites, arrests of travelers using fake credit cards and of users of the Blackshades Remote Access Tool. He repeats his view that there are probably only a hundred talented criminal writers of malware, whose work is then used by a host of dimmer bulbs.  So striking at the hundred could make a big difference.  Troels Oerting thinks we’re in a position to hurt a number of them.

The interview compares US and European willingness to name and shame Chinese PLA hackers.  I ask Troels if he’d order the arrest of any of the five indicted PLA hackers if they vacationed in Europe.  And we compare US and EU legal constraints on private sector “direct action” against hackers. 

This week in the NSA:  NSA’s privacy officer speaks; and she has a sense of humor.  Regin schools hackers around the world, and German hypocrisy about NSA spying is on full display.  It turns out that Angela Merkel’s phone was being tapped by the Brits, the Chinese, the Russians and even the North Koreans.  But Merkel has yet to say that Russian, Chinese, or North Korean spying reminds her of the Stasi; only NSA seems to remind her of Communist espionage.  Meanwhile, the BND reveals that it too spies on everyone but Germans, and that it has a remarkably narrow definition of who qualifies as “German.”

Michael Vatis previews a Supreme Court argument about when online abuse passes from colorful imitations of rap lyrics to prosecutable threats.   Jason Weinstein counts the growing library of lawsuits against Home Depot and evaluates the risk.

Doug Kantor, a Steptoe government affairs partner specializing in cybersecurity issues, gives a rundown on the new, Republican-dominated Congress, including the many chair changes in both House and Senate.  Firedoglake makes an appearance.

Meanwhile, US tech companies have become all-purpose European whipping boys.  They don’t volunteer enough information about terrorists to satisfy the Brits. They don’t hide enough “right to be forgotten” information to satisfy the European privacy regulators.  And they make too much money for the European Parliament, which wants to break up Google.

The Justice Department has claimed a scalp in its campaign against spyware.  Jason has the back story. And it’s a good thing the All Writs Act didn’t come with a sunset clause, or it too would be attracting the wrath of EFF and Silicon Valley.  Michael explains why the act is now part of Apple’s future, and Google’s too.


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_45.mp3
Category:general -- posted at: 10:44am EST

Our guest for episode 44 of the Steptoe Cyberlaw Podcast is Sal Stolfo, Professor at Columbia University’s Computer Science Department and CEO of Allure Software.  Stolfo brings an attacker’s sensibility to network security approaches usually dominated by defensive thinking.  His approach to computer security includes flooding the network with plausible fake documents wired to alarm when touched by a user.  The alarm, in turn, shuts down a user’s access and prompts for a second form of authentication.  Documents that are successfully exfiltrated persistently attempt to beacon back to the home network, betraying the attacker and his customers long after the hack.  He’s already deploying some of these concepts commercially.  It’s the kind of active defense even the Justice Department should love.
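The decoy-document scheme described above, as an added example that is not Allure’s or Stolfo’s code: a small Python monitor that plants decoys carrying beacon tokens, trips an alarm on any touch of a decoy, suspends the user pending a second authentication factor, and traces a later phone-home back to the exfiltrated decoy. The log format, paths, user names, tokens, beacon hook and source address are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed access-log format for this example (not Allure's or the podcast's):
# one line per file event, e.g.
#   2014-11-20T10:44:01Z user=jdoe action=open path=/share/finance/Q3_forecast.xlsx
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+path=(?P<path>\S+)")


@dataclass
class Verdict:
    alarm: bool
    user: str
    path: str
    response: str  # "none" or "suspend+step_up"


@dataclass
class DecoyMonitor:
    """Tracks planted decoy documents, the alarm they raise on touch, and the
    beacon tokens that let an exfiltrated copy identify itself when it phones home."""
    decoys: dict = field(default_factory=dict)     # decoy path -> beacon token
    tokens: dict = field(default_factory=dict)     # beacon token -> decoy path
    suspended: set = field(default_factory=set)    # users cut off pending step-up auth
    sightings: list = field(default_factory=list)  # (token, path, source) beacons seen

    def plant(self, path: str, token: str) -> None:
        """Register a decoy at `path`. `token` is the identifier embedded in the
        document's phone-home hook (hypothetical: a remote-resource URL the viewer
        fetches on open) so a later beacon can be traced back to this decoy."""
        self.decoys[path] = token
        self.tokens[token] = path

    def process_access(self, line: str):
        """Evaluate one access-log line. Any touch of a decoy is treated as an
        intrusion: legitimate users have no reason to open a planted file."""
        m = LOG_RE.search(line)
        if not m:
            return None  # unparsable line; ignored
        user, action, path = m.group("user", "action", "path")
        if path not in self.decoys:
            return Verdict(False, user, path, "none")
        # Alarm: cut the session and require a second authentication factor
        # before the account regains access (the response the interview describes).
        self.suspended.add(user)
        return Verdict(True, user, path, "suspend+step_up")

    def scan(self, lines):
        """Return the alarms raised by a batch of log lines, in order."""
        verdicts = (self.process_access(line) for line in lines)
        return [v for v in verdicts if v is not None and v.alarm]

    def step_up_succeeded(self, user: str) -> None:
        """Restore access once the user has passed the second factor."""
        self.suspended.discard(user)

    def receive_beacon(self, token: str, source: str):
        """Handle a phone-home from a copy of a decoy opened outside the network.
        Returns the decoy's planted path if the token is known, else None."""
        path = self.tokens.get(token)
        if path is not None:
            self.sightings.append((token, path, source))
        return path


# Constructed sample: a morning of access events, including one malformed line.
SAMPLE_LOG = [
    "2014-11-20T09:12:44Z user=asmith action=open path=/share/hr/holiday_schedule.docx",
    "2014-11-20T09:40:10Z user=jdoe action=read path=/share/finance/Q3_actuals.xlsx",
    "2014-11-20T10:44:01Z user=jdoe action=open path=/share/finance/Q3_forecast_CONFIDENTIAL.xlsx",
    "2014-11-20T10:44:09Z user=jdoe action=copy path=/share/finance/Q3_forecast_CONFIDENTIAL.xlsx",
    "malformed line that the parser should skip",
]


def demo() -> DecoyMonitor:
    """Plant two decoys, replay the sample log, then receive one beacon."""
    mon = DecoyMonitor()
    mon.plant("/share/finance/Q3_forecast_CONFIDENTIAL.xlsx", "tok-7f3a")
    mon.plant("/share/legal/merger_term_sheet_DRAFT.pdf", "tok-91c0")
    mon.scan(SAMPLE_LOG)
    # Weeks later the stolen forecast is opened on an outside machine and beacons
    # (constructed TEST-NET-2 address).
    mon.receive_beacon("tok-7f3a", "198.51.100.23")
    return mon


if __name__ == "__main__":
    m = demo()
    print("suspended:", sorted(m.suspended))
    print("sightings:", m.sightings)
```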

In our news roundup, This Week in NSA is dominated by speculation that the 215 program will never die.  Conventional wisdom says that the metadata program will ride into the sunset on June 1, 2015.  But a “transition” note could allow the program to last for years.   Meanwhile, the NSA director, Adm. Mike Rogers, is warning that China and one or two other countries have the ability to bring down the electric grid in the United States.

The FTC has gone to mediation with Wyndham, but no one is betting that the mediation will succeed.  And the FTC’s settlement with TRUSTe puts the privacy certification company under the FTC’s thumb for years.

Telephone companies have long been the most government-friendly of technology firms, but that may be changing.  Now even the heir of Ma Bell’s name, AT&T, has filed an amicus brief demanding clearer standards before the government could get access to location information.

One solution is for the government to cut out the middleman and get the location information directly from the consumer – by offering fake cell towers to connect to. But that tactic, and the secrecy surrounding “stingray” collection, has its costs.  Baltimore has abandoned a criminal case to keep from describing the technology and how it’s used.  And a North Carolina judge has unsealed hundreds of stingray orders.

In the words of the old country song, how can I forget you if you won’t go away?  Much as we wish the right to be forgotten would go away, that’s looking less and less likely. Google's Global Privacy Counsel, Peter Fleischer, has disclosed new details about how the search giant administers the right.  And Norway has (unsurprisingly) followed the rest of Europe in adopting the doctrine.  But most troubling is the news from France, where Google is facing fines of €1000 a day for refusing to apply a French defamation takedown order to its Google.com domain – or, more accurately, for not letting a French judge censor what Americans can read.

Finally, in our first item derived from a listener request (h/t Lee Baumgardner), we look at the regulatorily challenged transport company, Uber, and its potential liability for a steady stream of privacy flaps, including its unwisely but appropriately named “God Mode.”  

Tune in next week when our guest will be Troels Oerting, the Assistant Director, Head of European Cybercrime Centre (EC3).



Direct download: Podcast_44.mp3
Category:general -- posted at: 3:35pm EST

Our guest this week is Amb. Daniel Sepulveda, the man charged with managing the U.S. relationship with the International Telecommunications Union.  The ambassador helps us make sense of the recent ITU meeting in Busan, South Korea, where efforts to validate a greater government role in internet affairs seem to have been turned back for another four years.  Markham Erickson, a Steptoe partner specializing in internet law, also joins regulars Jason Weinstein, Michael Vatis, and me.

This week in NSA:  The USA Freedom Act is showing signs of life, as Sen. Reid promises Sen. Leahy floor time in the lame duck session.  But with Sen. Feinstein opposed to the Judiciary-written bill, and the House having passed a different one, it’s still a long haul to get a bill to the President before the lame duck limps into history.  After a year-and-a-half-long Snowden-induced cringe, the U.S. is again raising Chinese espionage more aggressively.  But that’s the only thing that has changed in the U.S.-China dialogue on cyberespionage.  Just ask the Postal Service and the NOAA weather network.

We try out a new feature:  The Law Behind the Headlines, where we provide the legal background behind tech stories in the news: 

• Remember that Insecam website that streams video from thousands of video surveillance cameras that are still using the manufacturers’ default login credentials?  To Jason, it looks like the world’s most public confession to thousands of criminal violations.

• And according to the press, law enforcement uses flying DRT Boxes (not to mention ground-based stingrays) to imitate cell towers and thus locate particular phones very accurately.  But to do so, the machines have to accept and then drop thousands of connections from the phones of ordinary Americans who aren’t suspects.  Is that legal?  How is it different from the NSA’s program of collecting data but not looking at it?  And can we get the U.S. Marshal’s service to actually connect some of the calls they get from dead spots out in Great Falls? Answers to all these questions in the podcast!

This week in bad law:  the Ninth Circuit will be revisiting the too-creative Kozinski opinion that based a takedown order on the dubious copyright claim of an actress who appeared in “The Innocence of Muslims.”

This week in data breaches:  Anthem Blue Cross puts a bunch of medical advice and data in the subject line of its emails to patients.  That doesn’t inspire confidence in its data security, but is HIPAA violated?  Maybe not, Jason explains.

Argentina’s Supreme Court joins the great debate over search engine liability, spurring Michael and Markham to a debate of their own.  A Justice Department advocate admits to a mistake in oral argument on how forthcoming companies can be in NSL disclosures.  We debunk left/lib claims that the mistake is a government “misrepresentation.”

Google has weighed in on another privacy issue, essentially taking Europe’s side in a long-running debate over whether and how non-Americans should be covered by the Privacy Act.  I argue that changing the Act would simply enable European unilateralism in the long privacy debate with the United States.  Amb. Sepulveda and I tangle over whether the demand is a legitimate part of negotiations over the U.S.-EU Safe Harbor data protection agreement.



Direct download: Podcast_43.mp3
Category:general -- posted at: 10:16am EST

We share the program this week with Orin Kerr, a regular guest who knows at least as much as we do about most of these topics and who jumps in on many of them.  Orin, of course, is a professor of law at George Washington University and well-known scholar in computer crime law and Internet surveillance.

This week in NSA:  With the NSA Director playing good cop in Silicon Valley, new GCHQ director Robert Hannigan seemed happy to play bad cop, releasing an op-ed saying that US tech companies were providing the “command-and-control networks of choice for terrorists and criminals” and would need to do a better job of cooperating with governments to combat terror and crime.  If nothing else, the speech is a hint to Silicon Valley that its clout in the Obama administration does not foretell success in fighting other governments’ surveillance goals.

With the election over, it looks more likely than not that the GOP will end up with a 54-46 majority next year.  We surmise that this means no action on the USA Freedom Act (or Sen. Grassley’s substitute) until Spring 2015.

Finally, the DC Circuit heard argument in the appeal of Judge Leon’s famously exclamatory invalidation of NSA’s 215 metadata program.  As expected, Larry Klayman did nothing to help his case, and the panel was considerably more skeptical about the challenge than the Second Circuit panel that heard many of the same issues.  Our best guess from the arguments:  The Second Circuit decides that the program is inconsistent with section 215, the DC Circuit finds that the program is constitutional and that the statutory issue has been waived, so there’s no split in the circuits until the Ninth Circuit rules, at which point the whole issue is cert-proof anyway because the statute has expired or been revised.

Talk about opening a can of worms.  The Supreme Court’s decision in Riley that cell phones can’t be searched without a warrant has now spawned fights about what the warrant should say, and how many limits it should set on what the police can look at.  The Nebraska Supreme Court has weighed in – but leaves the police more or less in limbo.

Whether the contents of a webmail account are protected from government search depends on the webmail provider’s terms of use.  Or so says the Southern District of New York, in a decision none of us can understand or really get behind.  

Speaking of the Southern District of New York, prosecutors there may singlehandedly make more tech surveillance law than the rest of the country.  They’re fighting with a phone manufacturer to get help unlocking a suspect’s phone. 

And a Virginia court has ruled – to our utter lack of surprise -- that suspects may be forced to apply their fingers to cellphones protected by fingerprint readers.  More interesting is whether they can be forced to enter “patterns” or tell the police which finger unlocks their phone (our view: no and no).

Google has finished its “right to be forgotten” road trip, and Americans’ freedom to read accurate information is on the block in Europe.  An official of the European Commission made clear that the Commission would not rest until it had imposed its link censorship regime on google.com and Google’s American users.  The administration’s response?  Crickets.

Data retention is making a comeback in Europe, as Sweden joins the UK in demanding continued retention despite a European Court of Justice ruling against the directive that originally led to retention requirements.

Is the financial industry worried enough about cybersecurity that it’s actually calling for more activist government action?  SIFMA’s latest call comes close.


Direct download: Podcast_42.mp3
Category:general -- posted at: 2:09pm EST

Our guest is one of the most highly regarded cybercrime prosecutors in the country - John Lynch, the Chief of the Computer Crime and Intellectual Property Section (CCIPS) in DOJ's Criminal Division.  Among other things, John talks about how DOJ is organized to investigate and prosecute cybercrime and about its efforts to strengthen partnerships with and build capacity among foreign law enforcement partners in what is increasingly a global fight.  John also reflects on the impact of the Snowden leaks on domestic law enforcement and on the challenges the courts and prosecutors are facing dealing with electronic evidence issues in a time of rapidly changing technology.  And we talk about the role of the private sector in cyber defense. 

This Week in NSA: “Second leaker” identified by the FBI – does Snowden have a spare bedroom? GCHQ says it can access data provided by the NSA without a warrant.  That bothers privacy groups, who apparently are unfazed by the fact that GCHQ can also access data on its own citizens without a warrant, and can get a warrant without seeing a judge.  On a related front, former FBI Director Bob Mueller calls the Snowden leaks “devastating” to efforts to investigate and disrupt national security threats, in the process noting that the US is unique in terms of the level of judicial review required for electronic surveillance.  

The ITU continues to try to take control of the Internet. Law firms become a focus of hacking concern, as an NYDFS letter puts the spotlight on vendor management. A private sector coalition engages in what you might call active defense against the “Axiom” group of Chinese hackers.  The FCC becomes America’s latest de facto data protection authority.

Move over China, as FireEye identifies a Russian cyberweapon.  Meanwhile, a DARPA official basically says that since we use the same popular software, we’re making it too easy for hackers.

And we bring you another candidate for Dumbest Privacy Case of the Year, involving both privacy and cleavage.



Direct download: Podcast_41.mp3
Category:general -- posted at: 1:10pm EST

Our guest this week is Bob Litt, the General Counsel of the Office of the Director of National Intelligence.  Bob has had a distinguished career in government, from his clerkship with Justice Stewart, his time as a prosecutor in the Southern District of New York and at Main Justice, and more than five years in the ODNI job. 

This week in NSA:  The latest fad in news coverage of the agency is a hunt for possible conflicts of interest in its leadership.  And it’s having an effect.  Two high-ranking NSA seniors, the CTO and the head of signals intelligence, have recently left positions that drew scrutiny for getting too close to private industry.  I ask Bob whether we should be pleased or worried about the trend toward individual converts to Islam carrying out random attacks with whatever weapon comes to hand.  Prudently, he refuses to be drawn into my comparison of Islamists to the Manson Family.  We debate whether the USA Freedom Act has a chance of passage in the lame duck Congress – and whether it should, focusing among other things on how the act’s FISA civil liberties advocates would function and what ethical rules would govern their day jobs.

And we explore another ODNI project – implementing the President’s directive on protecting the privacy of foreign nationals while gathering intelligence.  Are the nation’s spies really required to wait until a foreign target’s speech goes beyond what the first amendment protects before they collect and analyze the remarks?  Will the requirement for advance justification for collection projects institutionalize risk aversion at NSA?  And can government officials look forward to intelligence reports that read like this: “[SYRIAN NATIONAL 1] asked [IRAQI NATIONAL 1] to kill [US PERSON 1]”?

Our news roundup begins with the sudden press interest in possible conflicts of interest in NSA’s leadership.  The Supreme Court takes another privacy case – one with no obvious federal connection.  Lots of city ordinances require hotels to keep guest registries – and to let the police inspect those registries on demand.  But the 9th circuit recently held en banc that these laws touch the privacy interests of the hotel owner, not just the guests, and that the laws are unconstitutional if they offer no opportunity for prior judicial review of the police demand.  Just what we need:  another opportunity for the Roberts Court to pad a narrow ruling with a lot of ill-considered dicta about Smith v. Maryland.

Harking back to last week’s interview with Tom Finan about insurance coverage for cyber incidents, we discover that where there’s insurance coverage there are also insurance coverage disputes. The head of Steptoe’s insurance coverage practice explains the P.F. Chang dispute with Travelers Insurance and hints that it’s in the first wave of what could be thirty years of litigation. Not that there’s anything wrong with that.

FBI Director Comey isn’t alone in complaining about Silicon Valley’s reluctance to help law enforcement.  Leslie Caldwell, the new head of the Justice Department’s criminal division, has joined the chorus.

According to the Stored Communications Act, companies like Google may not provide the contents of emails in response to subpoenas.  So what do civil litigants do when they need access to Gmail accounts in, say, divorce cases?  The usual solution is for the court with jurisdiction over the civil suit to order the litigants to “consent” to the disclosure of their email messages.  But is court-ordered consent really consent?  According to a California appeals court, it is. Michael explains.

Whoa!  The FCC really is taking cybersecurity seriously.  It’s proposing $10 million in fines for two carriers who stored hundreds of thousands of “Obamaphone” beneficiaries’ personal data on a server accessible by anyone on the internet.

Confusion over when you need a warrant to get third party information continues to roil the courts.  The Florida Supreme Court raises the bar for cell-site location data.  And the NJ AG plots a counter-attack on a billing record warrant requirement in the Garden State.  Michael suggests a new feature to keep all the litigation straight:  This Week in Smith v. Maryland.

Lawyers with banks for clients have a new reason to upgrade their cybersecurity.  As the banks struggle with increasingly sophisticated intrusions, they’re sharing the pain, demanding that their contractors and suppliers adopt stronger cybersecurity.  Law firms are expressly included, since they’ve been targeted frequently for what inevitably will be called “bank shot” intrusions.



Direct download: Podcast_40.mp3
Category:general -- posted at: 3:40pm EST

Our guest today is Tom Finan, Senior Cybersecurity Strategist and Counsel at DHS’s National Protection and Programs Directorate (NPPD), where he is currently working on policy issues related to cybersecurity insurance and cybersecurity legislation. Marc Frey asks him why DHS, specifically NPPD, is interested in cybersecurity insurance, what trends they are seeing in this space for carriers and other stakeholders, and what is next for their role in this space. He is incredibly forthcoming in his responses and even asks listeners to email him with their feedback.      

This week in NSA: The House and Senate Judiciary chairs call for action on USA Freedom Act.  And nobody cares. We conclude that the likelihood of action before the election is zero, and the likelihood of action in a lame duck is close to zero. But next week we’ll be interviewing Bob Litt, one of the prime negotiators for the intelligence community on this issue, and he may have a different view.

The Great Cable Unbundling seems finally upon us, as several content providers announce that they’re willing to sell content direct to consumers over the Internet. Does that mean more support for net neutrality? Not necessarily. Stephanie Roy explains.

Are parents responsible for what their adolescent kids do and say on Facebook? That makes sense, if you’ve never had adolescent kids. Maybe that explains why Michael Vatis sees merit in the Georgia appellate court decision finding potential liability. It reversed the trial court, which had granted summary judgment in favor of the parents of a kid who set up a fake and defamatory Facebook page in the name of a classmate he hated. The facts are a little odd. The kid who set up the page never took it down, even after he’d been caught and punished by school and parents. The appeals court thought that the parents had a “supervisory” obligation to make their child delete the fake account, and that they could be held liable for negligently failing to do so. It’s quite possible, though, that everyone in this case is a Privacy Victim; the issue could have been hashed out with a phone call from the parents of the victim to the parents of the perpetrator, but according to the press, “the child’s parents didn’t immediately confront the boy’s parents because their school refused to identify the culprit.” Because privacy.

FBI Director Comey comes out swinging for CALEA reform, saying in a speech at Brookings that the law needs to be updated to require cooperation from makers of new communications systems when the FBI has a court order granting access to those systems. 

When it comes to regulating on other topics, though, the Justice Department is a little less restrained; it has opened the door to a round of new disability claims against websites, offering a roadmap to what it thinks the law requires.

The right to be forgotten is attracting more flak in Europe, as the BBC announces a competing “right to remember” website devoted to publicizing stories that Google has delinked. It’s Auntie BBC v. Nanny Europe. Cue popcorn. Unhappily, a “progressive” group most famous for relentlessly sliming Google on privacy issues has urged the search engine to bring the right to be forgotten to the United States. Sigh.

In breach news, TD Bank pays $850,000 to the state AGs over a “breach” that may never have happened. TD lost a backup tape in transit, and the data wasn’t encrypted. Was anyone’s data actually compromised by the loss of the tape? The AGs don’t say. They just want their money. And they get it. 

The Russians are getting sloppy, or maybe they’re taking a leaf from China’s book – figuring it doesn’t matter if they get caught. And caught they have been, by iSight Partners, which reports that Russian hackers used a Microsoft zero-day to target Western governments and Ukraine.  Meanwhile, the FBI is warning about another and even more sophisticated set of Chinese government hackers. And hackers are now adding a new form of targeted attack to their arsenal - a tactic that combines spearphishing with watering hole attacks. They’re targeting ads at users that take them to a compromised website that serves malware.

And, in good news for privacy skeptics, the Video Privacy Protection Act gets a narrow reading.



Direct download: Podcast_39.mp3
Category:general -- posted at: 11:44am EST

Our guest for the podcast is Shaun Waterman, editor of POLITICO Pro Cybersecurity. Shaun is an award-winning journalist who has worked for the BBC and United Press International; and an expert on counterterrorism and cybersecurity.

We begin as usual with the week’s NSA news. NSA has released its second privacy transparency report. We’ve invited Becky Richards, NSA’s privacy and civil liberties watchdog, on the program to talk about it, so I’m using this post to lobby her to become a guest soon: Come on in, Becky, it’s a new day at the NSA!

Laura Poitras’s new film about Snowden gets a quick review. We question the hyped claim that there’s a “second leaker” at NSA; most of the leaked information described in the film was already pretty widely known. 

Two more post-Snowden pieces of litigation are also in the news. As promised, we dig deeper into the Justice Department’s botched handling of the notice that must be given to parties on the receiving end of FISA taps and section 702 of FISA. As often turns out to be the case, the Justice Department develops a limp, and all the other agencies have to put stones in their shoes: It looks as though OFAC is going to be dragged into this comedy of errors. 

The second piece of litigation began as a humdrum piece of FOIA litigation (though with a bit of Glomar for spice). It has now produced a much more interesting result: Judge Pauley, ordinarily a good friend to the government, declares that he has lost confidence in the Justice Department’s representations about the risks of releasing FISA opinions; he insists on reviewing the FIS court’s opinions himself in camera to decide what can be released.

In other national security litigation, we all know that a canary can emit a twitter, but can Twitter emit a canary? The social media giant is going to court to get approval for its “warrant canary,” claiming a first amendment right to list the orders it has not (yet) received under national security surveillance laws.  Meanwhile, on the opposite coast, the government’s authority to issue gag orders in national security letters is argued before the Ninth Circuit, which seems to find the issue at least a little troubling.

Maybe it’s a coincidence, but just as Europol is raising the possibility that the internet might be used to kill people, the FDA is trying to do something about it, issuing cybersecurity guidelines for manufacturers. We damn them with faint praise, note that our refrigerators have been trying to kill us slowly for years, and wonder when the National Highway Safety Administration will issue security guidelines for self-driving cars.

The pendulum may be swinging toward privacy in the US but it swings hard the other way in the Southern Hemisphere. First New Zealand gives Snowden a swift kick and now the Australian government is enacting surveillance reforms that increase government authority to conduct national security intercepts.

There’s a bit of good news in our update on the right to be forgotten. The European Commission has poured cold water on the European Court of Justice, hinting strongly that the court’s enthusiasm for sacrificing free expression is a bad idea. Sad to say, though, the notion seems as communicable as Ebola; even Japan is getting in the act, as a Tokyo court orders Google to take down search links at the request of an individual. 

The prize for Dumbest Judicial Opinion of the Month goes (where else?) to the Ninth Circuit, which expressed shock and dismay over the idea that a Navy investigator conducted “surveillance of all the civilian computers in an entire state” in the course of looking for military personnel trading child porn. Turns out that the investigator in question simply looked at images being shared publicly online using a common file-sharing program, Gnutella. And when he had the IP address of someone sharing child porn images he checked to see if the suspect worked for the military. When that turned out not to be the case, he turned the information over to civilian law enforcement, giving the Ninth Circuit a severe case of the vapors and ultimately leading to exclusion of the evidence. Because posse comitatus. You won’t want to miss my translation from the Latin.


We unpack the controversy over Ross Ulbricht and how the FBI managed to captcha him. And we congratulate the FCC for a regulatory action near and dear to anyone who’s ever paid too much for bad Wi-Fi in a good hotel.

Finally, we remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email (CyberlawPodcast[at]steptoe.com) or voicemail (+1 202 862 5785). And to prove it, I read a message from Dick Mills, a libertarian blogger who started out tagging me as the Great Satan of statism but ended by admitting that the podcast occasionally changed his mind. We can’t ask for more than that.

Direct download: Podcast_38.mp3
Category:general -- posted at: 3:59pm EST

Our guest today is Rob Corbet, a partner and head of the Technology & Innovation group in Arthur Cox, a large Irish law firm.   Ireland is a uniquely important jurisdiction for US companies dealing with data protection issues.  I ask whether Ireland’s role is going to become more or less powerful under the proposed revision, and we talk about the replacement of its longstanding data protection commissioner.

This week in NSA:   NSA is getting ever thinner, but there is still a knock-on effect from the Snowden revelations, which is now complicating the way Treasury designates people and institutions for sanctions.  This is a complex tale, and we will dig deeper into it next week.  

Web publishers are taking it on the chin everywhere.   Russia has told Google, Twitter, and Facebook to register under Russian law and submit to Russian regulation, including local storage of Russian data.  And the EU Article 29 Working Party is working on how to implement the right to be forgotten, combining its usual ineffectual bureaucratics with politically correct misrepresentations. Bet you didn’t know that the right to be forgotten isn’t censorship, apparently because you’re being censored first by companies, then by “independent” data protection agencies, and finally by the courts. That’s not censorship, say European regulators, it’s “balancing.” I’m reminded of Mary McCarthy, who famously said of Lillian Hellman, “Every word she writes is a lie, including ‘and’ and ‘the’.” (Meanwhile the New York Times announces that it’s been hit by the right to be forgotten, with several of its stories going down the memory hole.)

In the US, the attack on web publishers is taking a different form, but it’s no less effective.  When Apple screws up and allows the disclosure of celebrity nude photos, it’s Google that gets hit with the threat of a $100 million lawsuit, on grounds that are half copyright, and half a kind of right to be forgotten.  Google immediately surrenders, claiming that it’s taken down links to the photos.

Finally, in the most troubling cybersecurity news of the month, maybe the year, JP Morgan acknowledges a deep penetration of its computer networks by sophisticated hackers – quite possibly aided by the Russian government.  Exactly what the hackers took and what they intended is still not clear, something that makes the intrusion more ominous not less, raising as it does the possibility that Russia intends to impose its own style of financial sanctions on the United States.

All of which raises the question whether JP Morgan should protect itself by adding a “Herod clause” to its terms of service:  anyone accessing the site without authority automatically surrenders custody of his firstborn.  If it worked for F-Secure’s free wi-fi service, maybe it will work for cybersecurity.


Download the thirty-seventh episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.


Direct download: Podcast_37.mp3
Category:general -- posted at: 2:36pm EST

Our guest today is Admiral David Simpson, Chief of the FCC’s Public Safety and Homeland Security Bureau.  Admiral Simpson has more than 20 years of Information and Communications Technology experience supporting the Department of Defense.  Adm. Simpson is joined by Clete Johnson, his Chief Counsel for Cybersecurity.  The interview digs deep into Chairman Wheeler’s cybersecurity initiative, asking among other things exactly how voluntary it will be, what telecom companies can do to stop DDOS attacks, and what CSRIC really stands for. 

It’s getting harder and harder to find new NSA stories, which must be a relief to the agency.  Last week, the only news was NSA’s decision to name Anne Neuberger its Chief Risk Officer.  Anne is an able woman who knows the outside world better than practically anyone at the agency, but I can’t shake the feeling that what the agency wants is a Chief Risk-Aversion Officer. 

In other news, how to handle location data after Riley continues to bedevil the circuit courts, but the Fifth Circuit seems to have come to a surprisingly reasonable result, holding that users don’t have a reasonable expectation of privacy in the cell-site data that they give the phone company so it can connect calls to them. 

Adm. Simpson and I dig into three stories that are more technical than legal but which will all have legal fallout soon:   It turns out that Apple may have known about the iCloud security flaw that enabled disclosure of nude celebrity photos for as long as six months before the hack.  The Shellshock bug debunks the notion that open-source is inherently more secure than proprietary code, and it means that anyone who has built their business on Linux should be scrambling (that means you, Apple and Google). And the financial industry launches a real-time information-sharing program that will finally test-drive the vision underlying the bills that Congress has been trying to pass for years.

In retaliation for Western sanctions, Russia is advancing the date for mandatory social media data localization.  Meanwhile, Google’s staggering potential liability for “wiretapping” publicly broadcast Wi-Fi signals has led to an interesting discovery fight, with the self-proclaimed victims of the wiretapping challenged to show that Google actually intercepted any of their data when the Street View car drove past their homes.  If the plaintiffs fail, their whole case (and their lawyers’ payday) are at risk, since non-victims are not proper class representatives.

Finally, a brief cybersecurity obituary:   Apple’s warrant canary is pining for the fjords.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_36.mp3
Category:general -- posted at: 2:15pm EST

For those who think the podcast is best when we have a guest from the opposite end of the political spectrum, episode 35 should be a treat.  (We’re late this week, but it will be well worth the wait.) Our guest is Julian Sanchez, a senior fellow at the Cato Institute who studies surveillance and other issues at the intersection of technology and civil liberties.  He is a founding editor of the policy blog Just Security, and recently debated another of our guests, Orin Kerr, on Apple’s recent announcement that it would no longer be able to decrypt iPhones for law enforcement.    We dig into that issue in detail, asking such questions as how often encryption has actually stymied an investigation, whether “hacking” the phone is a substitute for help from the company, what this means for corporate users of iPhones, the implications for Apple (and Google) in other countries, and whether Google/Apple run a risk under current US law of lawsuits by prosecutors or by crime victims.

Our news roundup begins with some of the first good news NSA has received in months.  It looks as though Snowden fatigue may finally be setting in abroad as well as here.  Last week, Glenn Greenwald, Edward Snowden, and Internet multimillionaire Kim Dotcom teamed up to “close one of the Five Eyes” by driving New Zealand’s government out of office in national elections.  They combined strategic leaks, a Snowden attack on the prime minister as a liar, and Dotcom’s multimillion dollar campaign war chest.  Well, the elections are over, and the Anti-NSA Dream Team was trounced.  In less good news, NSA Director Mike Rogers admits to having missed more than he’d like about ISIS’s rise.  We debate how much the political furor over the agency contributes to these problems.

In other news, we discover that auto-forwarding someone else’s email is a wiretap – and why suing for a privacy violation is much better than seeking alimony.   Meanwhile, the Home Depot case sets a new record, and the Neiman Marcus data breach case gives comfort to class action defense lawyers all across the country.  The Texas Court of Criminal Appeals tells us that the constitution may protect upskirt photos.

And, finally, we speculate whether the whole privacy law thing will finally melt down over health data, especially now that concerns about HIPAA are stifling innovation by app companies, spurring a turf war between the FTC and HHS, and, most of all, getting in the way of rapid response by government agencies accused of wrongdoing.

Finally, we announce a new feature of the Steptoe Cyberlaw Podcast: feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, here’s the number: 202.862.5785. We may play your message on the podcast if it’s particularly insightful or entertainingly abusive.

Direct download: Podcast_35.mp3
Category:general -- posted at: 2:49pm EST

Our guest this week is Dr. Phyllis Schneck, the Deputy Undersecretary for Cybersecurity for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD).    She and Marc Frey, Senior Director in Steptoe’s DC office and former Chief of Staff at DHS’s Office of Policy Development, discuss the status of cybersecurity legislation and DHS’s highest cybersecurity priorities.

We begin the podcast with This Week in NSA, as newly released documents indicate that back in 2008, the US government threatened to fine Yahoo $250,000 a day if it failed to comply with an order for data under the PRISM program. 

We dive into the Alien Tort Statute suit that was dismissed against Cisco.  And, even though Stewart isn’t here this week, we give an update on his favorite topic – the right to be forgotten.   We also have a new competitor for the title of “strangest ruling against Google in a European court this year” – as a German court has ordered Google to provide more responsive customer support.  

Last week, we told you about how Yelp had prevailed in an extreme case claiming that the company suppresses bad reviews for its advertisers.   This week, California adopted a law that further protects customers’ ability to post negative reviews to Yelp and other sites.   

This week in data breaches: Home Depot confirms its breach, and the congressional reaction is predictable.  On a related front – in the newly minted “This Week in Judge Koh,” she finds that the Adobe breach victims have standing based on risk of future harm – we explain how this can be reconciled with Clapper and what its implications might be for future class actions.

Finally, tech companies again try to ramp up the pressure for ECPA reform, and in the Microsoft search warrant litigation in New York, Microsoft agreed to be held in contempt – we explain why. 

Direct download: Podcast_34.mp3
Category:general -- posted at: 2:32pm EST

Our guest this week is Orin Kerr, professor of law at George Washington University and well-known scholar in computer crime law and internet surveillance.  Orin is our second return guest, and he demonstrates why, opining authoritatively on the future of NSA’s 215 program and the “mosaic” theory of fourth amendment privacy as well as joining in our news roundup.   

We begin the podcast with This Week in NSA, which again consists of news stories not written by Glenn Greenwald and the Snowdenistas. Most prominent are the stories claiming that Snowden’s leaks contributed to US intelligence failures against ISIS, the decision by Justice and DNI officials to support Sen. Leahy’s USA Freedom bill, and the release of a less-redacted version of Jack Goldsmith’s OLC opinion holding that the 215 program’s predecessor is not only legal but requires no FIS court approval, at least in time of war.  We find even more evidence that Snowden leaks harmed our ability to monitor ISIS, doubt that Sen. Leahy’s bill will pass before the elections, and speculate about whether OLC has a macro that inserts its plenary Article II article into every opinion it produces.

Meanwhile, Yelp prevails in an extreme case claiming that the company suppresses bad reviews – but only for advertisers.  To which the Ninth Circuit says, “So what? It’s Yelp’s site.”  If only the aggrieved shopowner had sued under EU privacy law, which might require Yelp to forget those bad reviews.

Speaking of the right to be forgotten, I explain what I’ve learned by actually filing censorship demands of my own.  The headline?  Google will suppress European search results for anyone anywhere.  You don’t have to be a European to have your peccadilloes forgotten.  The full post is here.

And, speaking of foreign censorship of US information, LinkedIn is being accused of applying Chinese censorship to Chinese customers, even on LinkedIn’s U.S. site.  Three cases make a trend, and censoring the news that Americans read by threatening to hold their news suppliers liable abroad is definitely a trend.

This week in data breaches:  Home Depot is accused, and Sen. Rockefeller calls on the company to respond.  Will “tokenization” solve the problem, at least for stores – or is that a solution only a lawyer could love?  We also look at the healthcare.gov hack and conclude that it’s been hyped.

In other regulatory action, Google takes a big hit for kids’ in-app purchases and Verizon agrees to pay $7.4 million for sending inadequate notices to customers.  But the class action bar isn’t likely to get rich off either case.

And Jason lays out the details of a Hasidic child abuse trial that has already produced not one but two noteworthy privacy rulings in New York. 

Direct download: Steptoe_Podcast_33.mp3
Category:general -- posted at: 4:40pm EST

We’re back!  After a much needed hiatus, during which we shared wilderness paths with bison, woke up to wolf cries, and celebrated the value of ibuprofen, the Steptoe Cyberlaw Podcast is back on the net.

The hiatus allows us to cover this month in NSA, which is a good thing, because the Snowden News Machine is sputtering.  The most significant news was probably made by NSA itself, which released a redacted opinion of the FISC, shedding a lot of light on why the government abandoned its internet 215 program.  Judge Bates’s heavily redacted opinion criticizes the agency relentlessly for making promises about its technology and procedures that it just couldn’t keep.  My guess is that the agency heads and DOJ got so tired of explaining and apologizing to the court that they finally just killed the program.

In other NSA news, Snowdenista journalists try to make an issue of the fact that NSA has developed a search engine for metadata called ICREACH.  Public reaction: Well, duh.

More egregiously, Laura Poitras and Der Spiegel provided detailed information about US intelligence collection on Turkey in a scarcely veiled effort to sabotage the US-Turkey relationship – and to relieve the German government of the embarrassment of a leak showing that despite Angela Merkel’s claim that friends shouldn't spy on friends, Germany spies enthusiastically on Turkey.

Mustn't embarrass the German government, after all.  Its insistence on moral purity in intelligence collection is the main political/diplomatic support for what’s left of the Snowden campaign.  But that purity is looking a little sullied after revelations that German intelligence intercepted both Hillary Clinton and John Kerry as they carried out diplomatic efforts.

In other August news, the Microsoft case questioning the government’s authority to issue warrants for overseas data continued to evolve over the month, with the government greatly raising the stakes:  If Microsoft wants to appeal, the government says, its only option is to refuse compliance with the warrant and let the court hold it in contempt.  And it looks like the district court agrees.

Elsewhere, LinkedIn settles its data breach case for a relatively modest $1.25 million.  NIST seeks comment on how its Cybersecurity Framework is working out.  And a federal court in Massachusetts offers novel (and probably bad) advice to those hoping to avoid liability under federal computer abuse law:  Just make sure the computer’s been disconnected from the Internet before you attack it.  Finally, in what looks like an increasingly American exceptionalist view, US courts continue to hold that search engines aren’t liable for the links they publish or their autocomplete suggestions.

Our guest for the week is David Hoffman, Intel’s Chief Privacy Officer, and one of the most thoughtful privacy officials going.  Apart from his unaccountable fondness for the European Court of Justice’s decision on the right to be forgotten.  We debate the decision again, and I discover that David and I are famous by Google’s standards, while Michael is not.  I propose new ways to throw a legal spanner in the European data protection agencies’ works.

Direct download: Podcast_32.mp3
Category:general -- posted at: 3:32pm EST

The Steptoe Cyberlaw Podcast is on hiatus in August, but we’ve brought it back for a special appearance – a debate over Senator Patrick Leahy’s version of the USA Freedom Act sponsored by the Federalist Society. Moderated by Christian Corrigan, the debate pitted me against Harley Geiger, Senior Counsel and Deputy Director for the Freedom, Security and Surveillance Project at the Center for Democracy and Technology. Surprisingly, Harley and I manage to find some significant points of agreement, not only on the superiority of the Senate’s definition of ‘special selection term’ over the House’s, but also on the need to deal with what ethical and conflicts standards should apply to special advocates appearing before the Foreign Intelligence Surveillance Court – a topic that neither the House nor the Senate bill presently addresses.

Direct download: Steptow_Podcast_31.mp3
Category:general -- posted at: 10:51am EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: The Senate Judiciary Committee has come up with a new version of the section 215 reform bill passed by the House; Glenn Greenwald discloses that the NSA has a limited intelligence sharing arrangement with Saudi Arabia; four senators express concern about NSA's overseas intelligence collection program; Sony settles its service-suspending hack for $15 million worth of free stuff for users; the 9/11 Commission issues a soft endorsement of "direct action" by private parties who are hacked; Vladimir Putin signs legislation to keep Russian data in Russia; The Washington Post explains that the FBI "Going Dark" problem is real; the President's plan to talk about drone privacy; and Congress votes to end DMCA protection for locked cell phones. In our second half we interview Richard Danzig, former Navy Secretary, board member of the national security think-tank The Center for a New American Security, and author of the paper Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America's Cyber Dependencies. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Steptoe_Podcast_30.mp3
Category:general -- posted at: 3:22pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: Snowden claims that NSA employees are circulating inappropriate pictures, and Glenn Greenwald reports that the Government Communications Headquarters has developed the ability to send spam and tamper with web polls; last week's UK data retention legislation has been passed into law; advocates of the right to be forgotten push for censorship of the forgotten; the Chinese government demands that Internet companies self-censor; the FBI is concerned Google's driverless cars could be used as ‘lethal weapons’; to prevent whistleblowers, the Veterans Administration claims that talking about patient mistreatment is a violation of patient privacy; an FBI affidavit by Agent Noel Neeman on Chinese cyberespionage tactics and motivations; class action privacy issues move from West Virginia to Illinois; and the Massachusetts Supreme Judicial Court declares that you can be forced to decrypt your files. In our second half we interview Orin Kerr, computer crime law guru and professor of law at George Washington University. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Steptoe_Podcast_29.mp3
Category:general -- posted at: 12:37pm EST

Stewart Baker and Maury Shenk discuss false claims that NSA has flagged the Linux Journal as an "extremist forum"; the UK has introduced new stopgap legislation to make sure it doesn't lose its data retention authority in the wake of an unfavorable ECJ decision, and to allow UK law enforcement to require foreign entities to turn over data under a warrant; the UK government has also proposed creating their own PCLOB; the Senate Intelligence Committee produces a cybersecurity information sharing bill as a bookend to the House's bill; and Russia has proposed their own data protection rule. In our second half we have our first repeat interviewee, David Medine, Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB). We discuss the 702 report and have a roundup of this week in NSA, including a discussion of Glenn Greenwald's disclosure of the Americans targeted by NSA and Bart Gellman's defense of his Washington Post article. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_28_Final.mp3
Category:general -- posted at: 10:04pm EST

Stewart Baker and Michael Vatis discuss this week in NSA: Glenn Greenwald decides not to expose individuals who are targeted for surveillance; The Washington Post reveals that "9 out of 10" targets in the NSA's datasets are non-targets; NSA Director Mike Rogers says that Snowden's thefts can be managed; the Seventh Circuit ruled that FISA intercepts cannot be routinely shown to defense counsel; Ellen Nakashima and Bart Gellman reveal that the NSA thinks it may have to gather foreign intelligence from every country in the world; government reports triggered by Snowden continue to multiply; Microsoft's fight with the US government over warrants for overseas data gets more support; Google continues to reveal how it is applying the right to be forgotten; New York's cyberbullying law is struck down; and the SEC has begun investigating network intrusions, starting with Target. In our second half we have an interview with David Heyman, former DHS Assistant Secretary for Policy. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: pc27_WM_CU.mp3
Category:general -- posted at: 11:34pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: The Lofgren amendment, which prohibits NSA and CIA from asking a company to "alter its product or service to permit electronic surveillance"; NSA's bulk collection program is extended again; the Supreme Court's 9-0 decision in Riley, refusing to allow police to routinely search the cell phones carried by people they arrest; Facebook challenges 300+ search warrants on behalf of the targets; Wyndham files an appeal on the FTC's jurisdiction over Internet privacy and security; and Steptoe launches the Data Breach Toolkit. In our second half we have an interview with Dmitri Alperovitch, CEO of CrowdStrike, a well-known incident response cybersecurity startup whose recent report introduced the world to another unit of the PLA hacking force - one that is quite distinct from unit 61398, which was exposed by Mandiant last year, six of whose members were indicted recently by the Justice Department.

Direct download: Episode_26.mp3
Category:general -- posted at: 11:55am EST

Stewart Baker, Maury Shenk, and Michael Vatis discuss this week in NSA: The House passes an NDAA amendment to regulate "secondary" searches of 702 data; the GCHQ defends its view that sending email thru Yahoo and Hotmail is an "external" communication; Darryl Issa raises questions about the FTC's investigation into LabMD and asks for an IG investigation; an Irish court backs the Irish data protection authority's decision not to investigate Facebook for cooperating with NSA; the Eighth Circuit decision on bank liability for weak security; the Senate Intelligence Committee's information sharing bill; and privacy class actions. In our second half we have an interview with Ralph Langner, decoder of Stuxnet and founder of the Langner Group, which specializes in industrial control system security.

Direct download: Episode_25.mp3
Category:general -- posted at: 9:17pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: A federal judge in San Francisco announced that she was not willing to take the Justice Department's word that several FOIA'd FISA court opinions cannot be partially declassified and demanded that they be produced for in camera inspection; Crowdstrike outs another PLA hacker by name; the Chinese claim that the US government needs to provide more information about alleged Chinese hacking; and the DoD authorization bill is due to add a few more provisions tightening restrictions on China's IT sector; Microsoft's legal objections to getting a warrant for other people's data stored in Ireland; fourth amendment news: Wi-Fi moochers have no expectation of privacy, but how to treat location data stored by cell phone companies continues to drive the federal courts to distraction; a study that Stewart and Jim Lewis of CSIS unveiled last week on the cost of cybercrime; the West Virginia data breach doctrine; and the FCC catches up to the FTC and SEC in cybersecurity "nudge" regulation. In our second half we have an interview with Paul Rosenzweig, consultant at Red Branch Consulting, blogger for Lawfare, writer for the Homeland Security Institute, and lecturer for the Great Courses on Audible.

Direct download: Episode_24.mp3
Category:general -- posted at: 7:31am EST

Stewart Baker, Stephanie Roy, and Michael Vatis discuss Google's effort to implement the European Court of Justice's "right to be forgotten" decision; the New York Court of Appeals' case on cyberbullying; Google's decision to promote more encryption; how stingray cell phone location systems work, and why the US marshals might seize stingray records from the Florida police; the regulatory issues that might be involved with using satellites to provide internet service to developing countries; this week in NSA: German prosecutors have opened a criminal investigation into the tapping of Angela Merkel's phone but not the hacking of her computer; and the EFF still wants NSA to hang on to more Americans' records than NSA wants to keep. In our second half we have an interview with Congressman Mike Pompeo (R-KS), a member of the House Intelligence Committee who joined the House in 2010.

Direct download: Episode_23.mp3
Category:general -- posted at: 7:50am EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: Edward Snowden's NBC interview and his claim to have raised concerns about the agency's intelligence programs before he launched his campaign of leaks; the New York Times' article on face recognition by the NSA; China responds to the indictment of its hackers by pointing to old Snowden documents; the FTC issues a report on data brokers; the LabMD litigation continues; Google starts to spell out how it will implement the right to be forgotten; NSL transparency is back in court; Iranian cyberattacks; and what happened with TrueCrypt. In our second half we have an interview with Ron Deibert, director of the Canada Centre for Global Security Studies and the Citizen Lab at the Munk School at the University of Toronto.

Direct download: Episode_22.mp3
Category:general -- posted at: 6:52am EST

In our twenty-first episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Maury Shenk, Michael Vatis, and Jason Weinstein discuss this week in NSA: The House passage of the USA Freedom bill; LabMD goes to trial; China lashes back over the Justice Department's indictment of PLA members; Apple loses a preliminary fight over its liability for the privacy practices of third party apps; the Blackshades indictments; the mild treatment given to the Anonymous hacker, Sabu; and the California Attorney General's guidance on how to comply with California's latest privacy law. In our second half, we have an interview with Peter Schaar, a proponent of the right to be forgotten and an eminent former data protection chief. From 2003 to 2013, Peter was the Federal Commissioner for Data Protection and Freedom of Information. He is currently Chairman of the European Academy for Freedom of Information and Data Protection (EAID) and a guest lecturer at the University of Hamburg.

Direct download: Podcast_21.mp3
Category:general -- posted at: 10:13am EST

In our twentieth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Stephanie Roy, and Michael Vatis discuss Breaking News: American counterattack on Chinese cyberspying - the indictment of several PLA members for breaking into US computers to steal commercial information; this week in NSA: It turns out that telcos did challenge the 215 program; Glenn Greenwald's book claims that NSA considers Israel the most effective at spying on the US after China and Russia; Greenwald also says that NSA modifies equipment after it's been sold to make hacking easier; and Greenwald's book has now been leaked to BitTorrent; it looks as though LabMD is down to one lawsuit; the Justice Department released a statement that some kinds of information sharing don't violate the antitrust laws, and now it's put out a white paper saying that ISPs can release aggregate information about cybersecurity without violating the Stored Communications Act's prohibition on releasing customer information; net neutrality and the difference between Title II and section 706 as a basis for net neutrality; and the European Court of Justice's embrace of the "right to be forgotten." In our second half, we have an interview with Shane Harris, senior writer at Foreign Policy magazine, where he covers national security, intelligence, and cyber security. Shane's book, The Watchers, offered thoughtful insights into the rise of surveillance in America.

Direct download: podcast20.mp3
Category:general -- posted at: 4:30pm EST

Stewart Baker and Michael Vatis discuss this week in NSA: Al-Jazeera gets an exclusive on e-mails where Google execs turn down NSA invitations and talk briefly about online security threats; the State Department's Coordinator for Cyber Issues; Oracle wins a Federal Circuit victory over Google, establishing that APIs can be copyrighted; New York State issues a short report on bank cybersecurity practices and promises to start asking banks about these practices in inspections; in other litigation, LabMD claims a victory over the FTC, and we interview LabMD's CEO, Michael Daugherty; the ACLU argues that criminal defendants who are acquitted should have no more privacy rights than those who are convicted; Zynga and Facebook get a reprieve from the Court of Appeals, but can face lawsuits under state law for breach of contract; and Snapchat finds itself exposed at the FTC. In our second half, we have an interview with Chris Painter, the State Department's Coordinator for Cyber Issues. Chris discusses norms in cyberconflict, MLAT reform, Brazil's recent NETmundial conference, and much more.

Direct download: Podcast19.mp3
Category:general -- posted at: 8:20am EST

In our eighteenth episode of the Steptoe Cyberlaw Podcast, Stewart Baker and Michael Vatis discuss this week in NSA: The internal NSA briefing memo surmising that GCHQ probably hoped to expand its access to PRISM data; Microsoft loses a big case before a magistrate in SDNY, who rules that the government can enforce warrants requiring Microsoft to produce data stored abroad; The Supreme Court hears oral argument over cell phone searches incident to arrest; The White House has released a couple of reports on Big Data—one from the PCAST and one from John Podesta's group—along with several recommendations; The White House also released guidance on when NSA will exploit cybersecurity flaws and when it will try to fix them; GCHQ's own independent monitor has released a long and favorable report; and data breaches claim their first CEO, as Target makes room at the top. In our second half, we have an interview with Brian Krebs, the noted security researcher behind Krebs on Security. Brian comments on the week's news before giving us an interview on the latest in Russian cybercrime.

Direct download: Episode18.mp3
Category:general -- posted at: 6:16pm EST

In our seventeenth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Stephen Heifetz, Stephanie Roy, Michael Vatis, and Jason Weinstein discuss this week in NSA: No new scandal stories but the principal new release came from the US government and consisted of a FISA court ruling that took apart the only decision declaring NSA's section 215 metadata program illegal - Judge Leon's opinion in Klayman; the top story this week is the claim that the FCC is gutting net neutrality; the New York Times' story suggesting that the FBI may have used Anonymous to help compromise foreign nations' networks; the cell phone warrant case; the Aereo case; Magistrate Facciola's approach to warrants, and DOJ's method to appeal his latest ruling; and DHS' announcement that it has notified all critical infrastructure companies that they are considered critical. In our second half, we have an interview with two government CFIUS experts, Elana Broitman, a deputy assistant secretary at DOD and Shawn Cooley, who manages DHS's participation in CFIUS as well as Team Telecom.

Direct download: Episode17.mp3
Category:general -- posted at: 4:14pm EST

In our sixteenth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Chris Conte, Michael Vatis, and Jason Weinstein discuss this week in NSA: Edward Snowden questions Putin, and the Bloomberg story that NSA exploited the Heartbleed vulnerability steadily loses altitude and believers; the SEC releases a thoughtful and detailed set of cybersecurity questions for its examiners to use in dealing with the private sector; US magistrate Facciola calls for an amicus brief on cell-site data; Kentucky adopts a state breach notice law; the conviction of Andrew "Weev" Auernheimer for the AT&T hack was overturned on appeal; the implications of giving first amendment protection to censored search results; and in bitcoin news, a more plausible candidate for Satoshi Nakamoto has emerged. In our second half, we have an interview with Alex Joel, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence.

Direct download: Episode16.mp3
Category:general -- posted at: 1:39pm EST

Stewart Baker, Maury Shenk, and Jason Weinstein discuss this week in NSA: The FBI and ACLU tangle over FOIA; Larry Klayman loses an appeal over Section 215 metadata collection; according to a Bloomberg article the NSA exploited the Heartbleed security flaw for years - the NSA conclusively denied the story immediately; this week in FTC: the District Court ruling in the Wyndham case was largely unsurprising; WhatsApp and Facebook are being locked into their current privacy policies; the commission fairly charges jerk.com with deceptive practices and orders them to delete data; the European Court of Justice makes news, striking down parts of the data retention directive that have long distinguished Europe as a far less privacy-protective jurisdiction than the United States; continuing the tutorial in class action tactics, the Target litigation is consolidated in Minnesota; the Justice Department and the FTC issue antitrust guidance designed to ease the fears of companies that sharing cybersecurity information will create antitrust liability; and international cyberdiplomacy is slowly recovering from the Snowden leaks. The US makes a creative response to Iran's DoS attacks on banks, and it tries candor on China. In our second half, we have an interview with Dan Sutherland, Associate General Counsel, National Protection and Programs Directorate at the US Department of Homeland Security.

Direct download: CyberBlogPodcast_15.mp3
Category:general -- posted at: 12:23pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: a Reuters story claims that researchers showed something bad about the way NSA influenced the Dual EC encryption standard; a civil libertarian academic who was part of the President's expert group on NSA published a candid assessment of the agency, almost all of it positive; and Yahoo! has finally been able to encrypt its back-office communications. This week in reruns: LabMD's latest filing; the banks that sued Target's security assessor have had second thoughts; Microsoft's search of Hotmail to protect its property yields a guilty plea; and Google's struggle with the most famous ten-second video performance in history ends abruptly. The Onion Router doesn't really turn your messages into spoofed news stories (cool as that would be); federal magistrates impose limits on computer search warrants as a condition of signing them. In our second half, we have an interview with Benjamin Wittes, senior fellow in Governance Studies at The Brookings Institution and co-founder and editor-in-chief of the Lawfare blog.

Direct download: Episode_14.mp3
Category: -- posted at: 3:08pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: a proposal to replace NSA's 215 metadata program with one where the data remains with the telephone companies; the new chief judge at the FISA court; and China has promised to bolster its cybersecurity while protesting news that Huawei was hacked by NSA. This week in Target: banks are suing not just Target but also its security assessor. Microsoft admits to opening a subscriber's Hotmail account to track an employee who was leaking its business secrets, and Bitcoin assets are to be subject to capital gains calculations. In our second half, we have an interview with Michael Allen, former Majority Staff Director of the House Intelligence Committee and Founder & Managing Director of Beacon Global Strategies.

Direct download: Episode_13.mp3
Category:general -- posted at: 12:50pm EST

In our twelfth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: the President meets tech execs again on privacy and NSA; a decision/announcement on 215 changes seems imminent; silliest press angle of the week: the press is shocked to hear government lawyers say that tech companies knew of PRISM intercepts; NSA "reaches into the past"; IBM denies helping NSA; NSA hacks Huawei; Brazil drops its localization requirement; the Illinois two-party consent law is struck down; the Gmail intercept class is denied; a settlement for victims who didn't suffer harm; the Android user privacy/battery case advances; and additional stories: the Ninth Circuit "Innocence of Muslims" ruling is undermined by the Copyright Office but en banc review is denied, and an SSCI-CIA forensic review is ordered. In our second half, we have an interview with Jim Lewis of the Center for Strategic and International Studies.

Direct download: Episode_12.mp3
Category:general -- posted at: 6:18am EST

In our eleventh episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Markham Erickson, Daniella Terruso, and Michael Vatis discuss this week in NSA: the EFF overrides one of the privacy protections in NSA's metadata program by killing the 5-year retention limit; what is the New York Times story on "raw take" about?; will the NSA and the telcos end up going "Dutch," as in Ruppersberger?; and Stewart brags about the results in his latest debate over Edward Snowden, who is starting to wear out his welcome with Americans. Other fallout from the NSA leaks: Commerce announced its willingness to give up an oversight role for ICANN; members of the European Parliament start work on a data protection regulation that they can't finish before elections; the legal claims in the SSCI-CIA brouhaha; the Silverpop case and how it may be harder to win a hacker-breach negligence case than some of us thought. This week in the Target breach case: did Target miss a chance to stop the exploit? Privacy groups want to block the WhatsApp deal on privacy grounds. Additional stories: the public's first good look at Russia's cyberespionage tools; Google starts encrypting search in China; Leon Panetta invokes "cyber Pearl Harbor"; and it turns out we could lose power for 18 months if a handful of substations are successfully attacked. In our second half we have an interview with Dan Novack, a former big-firm litigator now serving as legal analyst at First Look, the Greenwald/Omidyar news service.

Direct download: podcast_11.mp3
Category:general -- posted at: 5:22pm EST

In our tenth episode of the Steptoe Cyberlaw Podcast, Stewart Baker and Jason Weinstein discuss NSA/Snowden: Keith Alexander hints at a possible end to the broad collection of metadata, and the FISA court refuses to extend the 5-year retention deadline for NSA's store of metadata. Was that ruling a defeat for NSA or the result of a clever litigation strategy? Roundup of Bitcoin news: what is going on here? Taking a second look at the copyright fight over "Innocence of Muslims"; in wiretap news, the $21 million Justice Department claim against Sprint for overcharging on wiretaps; this week in cybersecurity policy: the Obama administration's approach is getting the most sincere form of flattery from other nations; China and Europe are once again living out the fantasies of American officials, except for the FTC, which as far as we can tell is already living in its own fantasy, riding a 50-plus streak of wins to a couple more victories, though one was closer than expected. In our second half we have an interview with Mark Weatherford, a Principal at the Chertoff Group.

Direct download: podcast_10.mp3
Category:general -- posted at: 10:32am EST

In our ninth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, and Jason Weinstein discuss NSA/Snowden: NSA weighs options for 215 data, and the Office of the Director of National Intelligence will not disclose the study of storage options; GCHQ's webcam captures; the Canadian extradition flap; the ABA President sends a letter to NSA; LabMD falters; cellphone unlocking: the long withdrawing roar of copyright maximalism begins; Holder calls for a national breach notice law, so why don't we have one?; Julie Brill's Princeton speech on big data and consumer privacy; report from RSA: TrustyCon and the boycott; what's hot: bot catchers and intelligence-driven security; and this week in weird copyright law: what the Google/Islam/takedown decision means. In our second half we have an interview with Adam Sedgewick, Senior Information Technology Policy Advisor at the National Institute of Standards and Technology.

Direct download: SteptoeCyberlawPodcast-009.mp3
Category:general -- posted at: 7:16am EST