Steptoe Cyberlaw Podcast

European hypocrisy on data protection is a lot like the weather. Everyone complains about it but no one does anything about it. Until today.

In episode 120, we announce the launch of the Europocrisy Prize. With the support of TechFreedom, we’re seeking tax deductible donations for a prize designed encourage the proliferation of Schrems-style litigation, but with a twist. We’ll award the prize to anyone who brings complaints that force Europe to apply the same human rights and data export standards to Russia, China, and Saudi Arabia as it applies to the US. More on the prize here.

We’re inspired to this announcement, because as Katie Cassel tells us in the news roundup, the data protection commissioner in Hamburg is hot-dogging on the privacy issue, and with relish. He has imposed fines on US companies for the offense of being caught by surprise when the Safe Harbor went down. Naturally, as far as we can tell, no similar cases have been launched against Russia, China, or any of the other countries that never even bothered to negotiate over privacy with the EU. The Europocrisy Prize, though, should go a long way to even the score.

We’re joined for the news roundup by Paul Rosenzweig of Red Branch Consulting, and he clues us in on the fight over ICANN’s future now being waged in Congress. Meanwhile, Alan Cohn explains why standing is such a high threshold for data breach plaintiffs, leading us to muse on exactly how much harm we can show from the disclosure of our naked pictures on the internet (in contrast to viewers, for whom injury may be presumed).

I highlight a workmanlike opinion from Judge Doumar on the FBI’s remote hacking of child porn aficionados. I also thank Sen. Cornyn and others on the Judiciary Committee for exposing just how little privacy groups care about ECPA reform. Sen. Cornyn has offered an amendment that would give back to the FBI the NSL access they had in 2008 to electronic communications transactions records. In order to keep Sen. Cornyn’s amendment off their reform bill, they’ve apparently ditched the whole bill.

In other privacy misrepresentation news, the UK press is full of headlines claiming that the “controversial” Investigatory Powers Act is moving forward “despite hacking and snooping fears.” Clue for the press: When the House of Commons vote to send a bill to the House of Lords is 444 to 69, calling it “controversial” just makes you look stupid and ideological. Most significantly, the bill goes out of its way to make clear that, if Apple makes the same arguments in the UK that it made against the FBI, it will lose. Tim Cook’s publicity campaign is really paying dividends, eh?

Katie explains the US Justice Department’s proposal to modify US law and streamline the production of electronic evidence to foreign governments. If they do that without extracting an end to EU data export restraints, the DOJ’s license to practice diplomacy should be revoked.

In other news, the French government has convicted Uber and two of its executives of failing to show sufficient respect to French officialdom. And the right to be forgotten turns out to be unworkable (who could have foreseen that!?).

Finally, we poll DHS alumni on whether the department’s cybersecurity organization, NPPD, should be raised to the status of a full-blown DHS component. Suzanne Spaulding will be pleased with the answer.

Note: Our interview with Rep. Will Hurd was delayed at the last moment, so we’re releasing it separately from the episode 120 news roundup.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: E_120.mp3
Category:general -- posted at: 11:32am EDT

Our guest for episode 119 is Kevin Kelly, founding executive editor of Wired Magazine and author of The Inevitable: Understanding the 12 Technological Forces that will Shape our Future. Kevin and I share many views – from skepticism about the recording industry’s effort to control their digital files to a similar skepticism about EFF’s effort to control private data – but he is California sunny and I am East Coast dark about where emerging technology trends are taking us. The conversation ranges from Orwell and the Wayback Machine to the disconcerting fluidity and eternal noobie-ness of today’s technological experience. In closing Kevin sketches a quick but valuable glimpse of where technology could take us if it comes from Shenzhen rather than Mountain View, as it likely will.

The news roundup leavens deep thoughts about the future with loose talk about sex and politics. I ask whether the FOIA classification review of Hillary Clinton’s email is compounding the damage done by her use of a homebrew server. I discover the weird connection between leak defenders like Julian Assange and Jacob Appelbaum and sexual extortion – and even offer a theory to explain it (caution: involves threesomes). And we award the Dumbest Journalism of 2016 prize to Jason Leopold, Marcy Wheeler, and Ky Henderson for a VICE article that spends thousands of words trying in vain to justify its headline – and also manages to bury the only interesting news the reporters turned up. (They have pole-dancing competitions in China? And the organizer invited Edward Snowden’s girlfriend to compete, just as Snowden was getting ready to release NSA’s files? Sounds like a great story, but the authors dropped it in favor of tendentious NSA bashing.) And to cap the week off, North Korea cloned Facebook for its nomenklatura, only to have a Scottish teen take it over because the logon credentials were left at “admin” and “password.”

More seriously, I report that USTR will in the future try to negotiate limits on data localization even for financial institutions. Maury Shenk reports on the successful EU jawboning of big American tech companies to crack down on “hate speech” on line.

Organizations whose hate speech has mainly been aimed at Smith v. Maryland and the third party rule had a bad week, I note, as the only circuit to require warrants for cell-site location recedes in an en banc opinion that drastically cuts the Supreme Court’s incentive to grant cert on the issue.

Maury reports on delays to the EU’s Paris-related changes in anti-money-laundering regulation. And I puzzle over the newfound enthusiasm in Republican and cable industry circles for FTC-style privacy regulation.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 119th episode (mp3).

Direct download: Podcast_119.mp3
Category:general -- posted at: 4:19pm EDT

Episode 118 digs deep into DARPA’s cybersecurity research program with our guest, Angelos Keromytis, associate professor at Columbia and Program Manager for the Information Innovation Office at DARPA. Angelos paints a rich picture of a future in which we automate attribution across networks and international boundaries and then fuse bits of attribution data as though they were globules of the Terminator reassembling into human form. 

Direct download: Podcast_118.mp3
Category:general -- posted at: 8:20am EDT

Our guest, Patrick Gray, is the host of the excellent Risky Business security podcast. He introduces us to the cybersecurity equivalent of decapitation by paper cut and offers a technologist’s take on multiple policy and legal issues. In the news roundup, Michael explains the many plaintiff-friendly rulings obtained by the banks suing Home Depot over its data breach. We wonder whether the rulings are so plaintiff-friendly that the banks will eventually regret their successes. Michael also explains just how deliberately meaningless is the Supreme Court decision in Spokeo, Inc. v. Robins.

Alan Cohn lays out the new DOD rule requiring government contractors to adopt basic cybersecurity measures. Michael explains why the court rejected Mozilla's bid to intervene in the big FBI-child porn case. I cheer Google on in its appeal of the egregious CNIL ruling extending French “right to be forgotten” censorship to the world – and mock the handful of Senators who have gone on record as favoring legislation to overturn the Rule 41 changes and make the internet safe for child exploitation. Finally, Alan explains why the SEC thinks cybersecurity is the top threat to financial systems 

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail toCyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_117.mp3
Category:general -- posted at: 12:56pm EDT

Ransomware is the new black. In fact, it’s the new China. So says our guest for episode 116, Dmitri Alperovitch, the CTO and co-founder of CrowdStrike. Dmitri explains why ransomware is so attractive financially – and therefore likely to get much worse very fast. He and I also explore the implications and attribution of the big bank hacks in Vietnam and Bangladesh.

 

In the news roundup, Michael Vatis reports on the new federal trade secrets law. In addition, inspired by the Edelson firm’s sealed complaint against a Chicago-based law firm for cybersecurity failings, Steptoe’s chair emeritus, Roger Warin, charts the legal and strategic terrain of suing law firms for bad security. The hazards of class action litigation in this field are illuminated by the district court’s recent ruling on the Zappos breach, which Michael unpacks for us.

 

Unable as always to resist a sitting duck, I quote the FTC’s condescending Congressional testimony promising to give the FCC the benefit of its 40 years of security expertise. It plans to offer comments on the FCC’s proposed privacy regulations. But the FTC fails to note that in all those 40 years, it has never had occasion to ask anyone for comment on its own privacy or security standards – which are scattered haphazardly across a series of brochures and weblinks and consent decrees. As I point out, that makes it hard not just for companies that want to comply, but also for the FTC, which has no way to amend its outdated security guidance, most notably the bad advice it gave several years ago about requiring employees to change passwords frequently. Maybe it’s time for the FCC to return the favor, and give the FTC the benefit of its own years of experience in actually issuing and taking comment on proposed regulations.

 

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_116.mp3
Category:general -- posted at: 4:46pm EDT

Does the FISA court perform a recognizably judicial function when it reviews 702 minimization procedures for compliance with the Fourth amendment? Our guest for episode 115 is Orin Kerr, GWU professor and all-round computer crime guru. Orin and I spend a good part of the interview puzzling over Congress’s mandate that the FISA court review what amounts to a regulation for compliance with an amendment that is usually invoked only in individual cases. Maybe, I suggest, the recent court ruling on 702 minimization and the Fourth amendment doesn’t make sense from an Article III point of view because the FISA judges long ago graduated from deciding cases and controversies to acting as special masters to oversee the intelligence community. We also explore an upcoming Orin Kerr law review piece on how judicial construction of the Fourth amendment should be influenced by statutes that play in the same sandbox. 

In the news roundup, Maury Shenk provides an overview of the data protection logjam now building up in Brussels, including EU Parliament approval of the new US-EU law enforcement agreement. In FTC news, Katilin Cassel explains why Amazon is liable for kids’ in-app purchases; I seize on recent UK government advice not to change passwords too often to mock the FTC for its outmoded advice on the topic and its inability to shed its old guidance gracefully; and Maury and I examine how and why the FTC is enforcing quasi-voluntary privacy regimes like the Privacy Shield/Safe Harbor.

Katie explains HHS’s remarkable new enforcement policy – imposing large fines on health providers who voluntarily disclose a paperwork omission that caused no actual privacy harm. I flag the First Circuit’s decision to create a circuit conflict on the meaning of the Video Privacy Protection Act.

I express astonishment that the tech press continues to think there’s a constitutional problem with forcing someone to use his fingerprint to unlock a phone. The Onion and Operation Vowel Lift also make an appearance.

Direct download: Podcast_115.mp3
Category:general -- posted at: 1:44pm EDT

Our guest for episode 114 is General Michael Hayden, former director of the NSA and CIA; he also confirms that he personally wrote every word of his fine book, Playing to the Edge: American Intelligence in the Age of Terror. In a sweeping interview, we cover everything from Jim Comey’s performance at the AG’s hospital bedside (and in the Clinton email investigation) to whether the missed San Diego 9/11 calls were discovered before or after the 215 program was put in place. Along the way, we settle the future of Cyber Command, advise the next president on intelligence, and lay out the price the intelligence community is paying for becoming so darned good at hunting terrorists.

Michael Vatis and I do the news roundup. It’s bad news this week for the same child porn defendants who got good news last week, when a court overturned the search warrant used to search their computers after they visited an FBI-run Tor node. Now, though, the Supreme Court has approved a change to Rule 41 authorizing geographically unbound search warrants in computer cases. Unless Congress comes to their rescue by rejecting the proposed rule change, an unlikely prospect indeed, the new rule will take effect at the end of the year.

Well, that was fast, at least by the standards of Washington lawyers. We’ve gone from attribution to proposed retribution in less than two years. Indictments in 2014 charged that the Chinese government had broken into US Steel’s computer network. Now US Steel is claiming that the hackers stole advanced steel technology and gave it to a Chinese competitor, and it’s asking the International Trade Commission to exclude the competitor’s products from the United States, on the ground that stealing secrets is an unfair trade practice. With the government eager to send a message on commercial cyberespionage, look for plenty fireworks over the next year as the case is brought to judgment.

The big FISA news revolves around notices given to litigants when section 702 played a role in their cases. A rare notice of that kind has been given to an Iraqi refugee accused of traveling to Syria. He has promised a constitutional challenge. Meanwhile, if you’re wondering whether OFAC uses 702 intelligence to issue sanctions, and whether the targets get notice when that happens, the New York Times is fighting to get those answers, using FOIA. It’s losing. Congress is also taking a harder look at 702, with fourteen of the usual suspects asking DNI Clapper to estimate how many Americans’ communications are swept up in the program.

In other news, Michael notes that Nebraska has expanded its breach law to cover more data – and to make sure that the encryption exception only applies to encryption that’s not fatally compromised.

Direct download: Podcast_114.mp3
Category:general -- posted at: 2:34pm EDT

No holds are barred as a freewheeling panel of cryptographers and security pros duke it out with me and the Justice Department over going dark, exceptional access, and the Apple-FBI conflict. Among the combatants: Patrick Henry, a notable cryptographer with experience at GCHQ, NSA, and the private sector; Dan Kaminsky, the Chief Scientist at White Ops; Kiran Raj, who is Senior Counsel to the Deputy Attorney General; and Dr. Zulfikar Ramzan the CTO of RSA Security. Our thanks to Catherine Lotrionte who generously agreed to let me record this one-hour panel at her remarkable Annual International Conference on Cyber Engagement.

In the news roundup Maury Shenk discusses the real and mythical import of the UK’s pending surveillance bill, and I mock the journalists who claimed to find scandal in GCHQ’s elaborate compliance regime for access to bulk personal data. Alan Cohn and I return to the Apple-FBI fight, and I can’t help pointing out that Apple, the self-proclaimed champion of security, didn’t bother to tell its customers that it was no longer providing security patches to QuickTime on Windows. Alan manages to explain Apple’s thinking with two words: “on Windows.”

The FBI’s decision to manage a child porn distribution node for a few weeks and prosecute its customers has come a cropper, but not for the reason you might think. Instead, Alan reports, at least one court is now willing to enforce the limits of Rule 41 and declare that a Virginia magistrate cannot issue a search warrant for a computer located in Massachusetts. That ups the stakes for the ongoing effort to amend this problem out of the Federal Rules.

I read an 80-page FISA opinion so you don’t have to. One of the technolibertarians’ favorite proposals – requiring warrants for searches of already-collected 702 data – has now been briefed to the court by one of the first FISA amici. And rejected. The argument was slapped down in an opinion by Judge Hogan. In the old days, government critics would have been able to press such an argument for years; now, thanks to the vigilant FISA amici and the transparency in FISA opinions that they cried for, that argument has suffered a body blow before it has even built up a head of steam.

And, just to show that we yield to no one in condemning abusive government data collection, I brief our listeners on where all the data created by their cheap Chinese drones is ending up – and which government has access to it. Suddenly, European-style data export bans are acquiring a strange new appeal.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: Podcast_113.mp3
Category:general -- posted at: 11:40am EDT

European news and sensibilities dominate episode 112. I indulge in some unseemly gloating about Europe’s newfound enthusiasm for the PNR data it wasted years of my life trying to negotiate out of the US counterterrorism toolbox. I pester our guest, Eric Jensen, about his work on the Tallinn 2.0 manual covering the law of cyberwar; the manual seems to offer an ever-more-European take on cyberweapons and the law of armed conflict. And if you think that’s a compliment, you haven’t been listening.

In other European news, Michael Vatis notes that the European Parliament has formally approved the EU’s sweeping new data protection regulation. And Maury Shenk tells us the Privacy Shield is acquiring a few dents, particularly from the Article 29 Working Party of data protection regulators, who are raising hard questions about US intelligence policy.

The fad for ruling that phone location records can only be obtained with a warrant may be receding. Michael says that another circuit has rejected the claim, while the last circuit to credit the notion has now gone en banc.

There’s better news for privacy campaigners in the House, where the Judiciary Committee has reported out a bill requiring warrants for even very old email content. It will face more scrutiny in the Senate, I predict, and with luck will attract a few balancing amendments that favor law enforcement and intelligence.

In Apple news, the FBI files the world’s shortest brief, saying “Yes we still want the data on that New York iPhone.” Leakers say the FBI hasn't learned much from the unlocked San Bernardino iPhone, a phone which it appears the FBI paid professional hackers a one-time fee to crack.

Alan Cohn and I have fun unpacking a report that the US government has worse cybersecurity than any other industry segment. Among agencies the FTC fares far better than NASA, and I manfully admit that the Commission must be doing something right.

Michael notes that the Seventh Circuit has again found plaintiffs to have standing in a data breach case, this time on grounds that will make future breach notices a lot less user-friendly.

Alan and I offer at least faint praise for the White House Commission on Enhancing National Cybersecurity. And Uber issues a transparency report that (surprise!) does more to serve the company’s interests than to educate the public.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_112.mp3
Category:general -- posted at: 11:51am EDT

Just how sophisticated are the nations planning and carrying out cyberattacks on electric grids? Very, is the short answer. Our guest for episode 111, Suzanne Spaulding, DHS’s Under Secretary for the National Protection and Programs Directorate, lays out just how much planning and resources went into the attack on Ukraine’s grid, what it means for US industry, the information sharing that can mitigate the consequences, and why the incident reinforces the need to stand up the Cyber and Infrastructure Protection Agency at DHS.

Our news roundup concentrates on the draft Senate bill on encryption from Senators Burr and Feinstein. Not surprisingly, I find the critics to be mostly off point and occasionally unhinged in inimitable tech-sector fashion. Sen. Wyden condemns the bill, and no one is surprised. The White House ducks a fight over the legislation, and mostly no one cares any more. I offer the view that as more Silicon Valley firms adopt easy, universal, unbreakable crypto, the tide will slowly turn against them, as the list of crypto victims keeps getting longer.

Kaitlin Cassel and Alan Cohn unpack the consequences for law firms of the Mossack Fonseca leak, and Suzanne Spaulding weighs in with advice for the legal profession.

The US adds China’s Internet controls to its list of trade barriers. Kaitlin and I muse on the significance of that step (short term: none; long term: we could see a WTO case against China).

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_111.mp3
Category:general -- posted at: 10:51am EDT