Steptoe Cyberlaw Podcast

Steptoe recently held a client briefing in its Palo Alto office on developments in the Chinese legal and regulatory environment that are impacting US technology companies operating in China. I took advantage of the event to sneak in a quick discussion with Susan Munro and Ying Huang of Steptoe's China practice, on how China is regulating the Internet, with special emphasis on data protection, data localization, and more.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_110.mp3
Category:general -- posted at: 10:45am EDT

In episode 109, we interview Perianne Boring of the Chamber of Digital Commerce on the regulatory challenges of bitcoin and the blockchain. In the news roundup, we bring back Apple v. FBI for what we hope will be one last round, as the San Bernardino magistrate voids her All Writs Act motion for mootness and attention shifts to other investigators hoping to crack iPhone security, both in the US and in Europe. 

In a change of pace, I dip into the Hillary Clinton email scandal, wondering whether US intelligence agencies caught foreign spies exploiting Clinton’s unsecured emails on her first trip to Asia. Alan Cohn reminds me that using government networks wouldn’t have exactly guaranteed their security.

Kaitlin Cassel makes her first appearance on the podcast, explaining the FCC’s new ISP privacy rules. We all try, unsuccessfully, to figure out why the FTC is so sure it knows more about privacy and security regulation than the FCC.

Alan and I explore the flap over insider-trading attacks on BigLaw, and I wonder out loud whether the whole story is hype. What’s not hype, however, is a breaking story on the biggest data spill in history, which outs the hidden assets of everyone from Putin cronies to Icelandic pols.

The FBI’s reluctance to expose its investigative techniques to the world did not begin with the iPhone, I remind listeners; the Bureaus is fighting a court order demanding that it turn over its Tor exploit source code to a defendant in a child porn case.

And speaking of “privacy” tools that turn out to be mostly boons for criminals, the US government-funded Tor Project is sinking ever deeper into swamps of human depravity. According to Cloudflare, 94 percent of Tor traffic is per se malicious. And according to other sources, most of the remaining 6% is to child porn and other criminal sites. I’m not sure how many more privacy victories like that the tech world can afford. And if you were wondering whether that’s just a one-off, check out the remarkable story of everyone’s favorite encryption program – which it turns out was mostly created by a Deep Nerd who evolved into a no-kidding, murder-for-hire monster. But don’t worry. I’m sure there’s no connection between a burning desire for privacy and a burning desire to do things abhorred by the overwhelming mass of humankind. It’s probably just a coincidence.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_109.mp3
Category:general -- posted at: 2:27pm EDT

It’s an extended news roundup with plenty of debate between me and Nuala O’Connor, the President and CEO of the Center for Democracy and Technology (CDT). We debate whether and how CDT should pay more attention to Chinese technology abuses and examine the EU ministers’ long list of privacy measures to be rolled back and security measures to be beefed up in the wake of the Brussels and Paris Daesh attacks.

Meredith Rathbone reports on the sanctions case of the decade, as ZTE gets hit with a bag full of bricks – or is it marshmallows? – for its role in flouting US export controls. We speculate about why the US danced an enforcement two-step in this case – and who its next dance partner might be.

The Justice Department has launched a second set of indictments against foreign cyber hackers, this time aimed at Iranians who DDOS’s US banks and tried to flood the basements of Rye, NY, suburbanites. Michael Vatis and I speculate on whether other finance ministers might agree that sanctions should be imposed on those who hack banks – and on whether the Southern District will overreach in its forfeiture tactics.

I fume over the French bureaucracy’s claim that it can regulate what Americans are allowed to read on line. Nuala weighs in, and we find ourselves – mirabile dictu – in broad agreement about the dangers of the “right to be forgotten.”

I confess to uncharacteristically muted views about whether NSA should share raw traffic with other agencies. Nuala almost does the same.

And as a palate cleanser, who can resist a bitter, pointless turf fight, complete with public disparagement of one regulator by another? Hatfield v. McCoy? Stalin v. Trotsky? Hamilton v. Burr? They got nothin’ on FTC v. FCC, as FCC Commissioner Ohlhausen makes the imprudent decision to hold up FTC’s inscrutable security regulation as a gold standard – just when LabMD is making it look more like a protection racket.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_108.mp3
Category:general -- posted at: 12:23pm EDT

What kind of internet world order does China want, and will it succeed? That’s the question we ask Adam Segal, Maurice R. Greenberg Senior Fellow at the Council on Foreign Relation and author of The Hacked World Order. We review China’s surprising success at getting tech companies to help it build an authoritarian Internet – the technological equivalent of persuading Jello to nail itself to the wall. Meanwhile, every nation, it seems, is busy reasserting sovereignty over cyberspace. Except the United States. Which raises the question whether other countries will decide to assert sovereignty over our cyberspace. We’re the Syria of cyberspace!

In the news roundup, I note that an apparent FBI raid on Tiversa is making the FTC look more and more like the dumb muscle called in to enforce someone else’s shakedown scheme. Imagine Edith Ramirez as The Hulk: “LabMD bad! FTC smash!”

Maury Shenk examines the latest Spanish decision on Google and the Right to Be Forgotten and I conclude that it’s classic TL;DR material.

Turning next to the FBI-Apple fight, I thank the President for opening SXSW for me and muse on his surprisingly strong endorsement of the FBI’s position. I also dissect the “lawyerly” affidavit submitted by Apple to deflect (though not answer) the questions I asked in an earlier blog post.

Maury and I consider whether WhatsApp is likely to be hit with an Apple-style wiretap order due to its strong end-to-end encryption, and I am surprised to hear that WhatsApp may have its own intercept backdoor, which makes an Apple order more likely.

Alan Cohn explains how a lost laptop can cost you $3.9 million. And I claim vindication when the Home Depot breach lawsuits settle at or below the Baker Range of $.50 to $2.00 per victim. Home Depot gets its bill down to $.10 to $.50 per victim – though that’s before the banks take their cut.

If you’re left feeling sorry for the plaintiffs’ bar, though, I have one word for you: malvertising. Alan notes that I’ve waited a lifetime to be able to sue the BBC and New York Times, but that time has come, as both have apparently infected their readers with ransomware.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_107.mp3
Category:general -- posted at: 4:06pm EDT

In bonus episode 106, Stewart and Alan interview Phil Reitinger, former DHS Deputy Undersecretary for Cybersecurity and Sony Corporation CISO and current Director of the new Global Cyber Alliance, making up for the famous “lost episode” that Stewart and Alan recorded with Phil on the sidelines of the RSA Conference (“The best interview I ever conducted,” according to Phil).

Stewart first asks Phil about his old organization, DHS’s National Protection and Programs Directorate (NPPD).  Phil waxes eloquent about the triumphs and travails of NPPD, and also wonders what the impact on NPPD will be from President Obama’s recent creation of a Federal Chief Information Security Officer in the Executive Office of the President (Alan wonders—less eloquently—about that too).  Phil also notes that “we are all medieval barbers” when it comes to knowing how to treat today’s cybersecurity ills (“We know where to put the leeches, but that’s about it,” says Phil).

We then get to the meat of the interview.  Alan asks Phil all about the new Global Cyber Alliance, launched in partnership with the Center for Internet Security, the New York County District Attorney’s Office (and its asset forfeiture funds), and the City of London Police Department.  Phil explains that the Alliance will not follow the example of other organizations that are long on talk and short on action, and instead will gather subject matter experts to focus specific things, using the mantra of “Do Something.  Measure It.”  The Alliance will look in particular for issues where the global cyber community has an answer to a problem, but is struggling with implementation; the Alliance will provide the project management backbone to allow ad hoc groups of subject matter experts to drive towards implementation of the solution.  Ultimately, the Alliance wants to move from addressing specific risks to measuring and mitigating systemic cybersecurity risk—for example, the global risk of DDOS attacks— but the Alliance has no intention of leaving discrete problems unsolved while it searches for ways to address systemic problems.  Phil also explains that despite its founding partners, the Alliance will not be solely focused on cybercrime or prosecution issues, but rather will be focused on prevention.

Finally, Stewart and Phil talk about the FTC and FOIA, noting that Steptoe represented Phil in a FOIA action against the FTC to get it to disclose exactly what standards it is holding business to regarding cybersecurity and data privacy.  Phil colorfully explains the different ways in which the FTC told him to “pound sand,” and also throws around fancy legal terms like the “non-delegation doctrine."

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail toCyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_106.mp3
Category:general -- posted at: 10:52am EDT

Doing our best to avoid turning this into the Applelaw podcast, episode 105 begins with Maury Shenk unpacking the new US-EU Privacy Shield details.  His take: more hassles for companies accused of noncompliance, more detailed privacy disclosures and compliance obligations for most members, and a modicum of pain for the intelligence community, but it’s still basically the same framework as the Safe Harbor.

Plenty of news from the FTC, as we ask how embarrassed the Commission should be now that one of its “common sense” security requirements has been discredited by its own chief technologist; we also ponder one Commissioner’s decision to weigh in on encryption regulation, and the Commission’s foray into security for the Internet of Things. 

Michael Vatis tells us the significance of the CFPB’s first data security enforcement order and the FCC’s new privacy rules for Internet providers.  Maury brings us mixed news on data protection skirmishes in Germany.  Hamburg’s biggest privacy hot dog looks more like chopped liver after a court ruling undercuts its jurisdictional claims, but Facebook’s “like” button may require its own “I consent” button. 

Finally, we return to the Apple-FBI case, submerge under a flood of amicus briefs, gauge the level of anger in the US government’s brief, and brace for the hearing on March 22.  In other news, I explain what Doris Day can teach us about Tim Cook, and Apple lawyers respond to concerns that China induced Apple to install probably-backdoored encryption algorithms in Chinese iPhones.  Relax, Apple’s lawyers have told journalists, the decision to install secret Chinese government crypto “was a trade issue, not a security issue.”  Well, whew!  No worries then.

In the interview, Alan Cohn and Jason Weinstein talk to Robin Weisman and Peter Van Valkenburgh from Coin Center.  Robin and Peter explain Coin Center’s ongoing work to educate policy makers about digital currencies and blockchain technology, and they correct two of the most common misconceptions about bitcoin – that it’s anonymous and that it’s unregulated.  They also discuss other possible applications for blockchain technology and help us make sense of the debate about private blockchains vs. the bitcoin blockchain. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 
 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm. 

Direct download: Podcast_105.mp3
Category:general -- posted at: 1:33pm EDT

Live from RSA, it’s episode 104, with special guest Jim Lewis, CSIS’s renowned cybersecurity expert and Steptoe’s own Alan Cohn.  We do an extended news roundup before an RSA audience that yields several good questions for the panel.  We had invited Bruce Sewell, Apple’s General Counsel, to participate, but he didn’t show.  So we felt no constraint as we alternately criticized and mocked Apple’s legal arguments for not providing assistance to the FBI in gaining access to the San Bernardino terrorist’s phone.  We review the bidding on encryption on Capitol Hill and observe that the anti-regulatory forces have lost ground as a result of the fight Apple has picked. That leads into a discussion of China’s backdoors into the iPhone and Baidu’s role in compromising users of its products.   

We pivot to the latest details on the unfortunately named Privacy Shield,  which apparently is what you call a warmed-over Safe Harbor with a few dispute resolution tweaks.  Jim Lewis speculates on whether Europe is likely to launch an effective attack on the US 702 program.  I advance the theory that Europe is happy to hate US tech companies both for cooperating with law enforcement and for not cooperating with law enforcement.  And as Brazil’s jailing of a Facebook executive shows, that sentiment is not confined to Europe. 

In other news, North Korea’s hacking team has been pantsed in a recent Novetta report that strengthens the FBI’s attribution of the Sony attack – but raises questions about how effectively the administration has deterred continuing North Korean intrusions. 

In response to a question about whether Apple could solve its legal problems by building a phone that Apple itself can’t update, I point out that no one wants an unpatchable phone that can’t accept security updates.   Jim Lewis gives a quick update on his project to give advice to the next administration on cybersecurity.  Jim, Alan, and I offer bets on how long it will take for Internet companies to be regulated for security. 

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

 
 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_104.mp3
Category:general -- posted at: 3:02pm EDT

Due to technical difficulties, the interview for the 103rd episode will be released as a separate post next week.  In the news roundup, we explore Apple’s brief against providing additional assistance to the FBI in its investigation of the San Bernardino killings. Michael Vatis finds good and bad in the brief – some entirely plausible arguments about burden mixed with implausible ones aimed more at the public than at the magistrate judge. I suggest that the burden argument may be weaker than it seems, both because the costs can be spread over many requests for assistance and because the accounting of work to be done feels “as padded as a no-bid government contract offer.” Which, now that the FBI has offered to pay Apple’s costs, is pretty much exactly what it is.

In other news, Michael and Jason Weinstein look at the California AG’s breach report, and its unlikely suggestion that the states adopt a unified approach to breach reporting. And I offer highlights and lowlights from the DHS guidelines for information sharing, shining particular light on a troubling proposal that some shared fields will have to be scrubbed by human beings before the information is passed on to at-risk sysadmins. In the words of Silicon Valley, human review doesn’t scale.

As always, the Cyberlaw Podcast welcomes feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_103.mp3
Category:general -- posted at: 11:59am EDT

What is the most surprising discovery a law firm partner makes when he jumps to the National Security Agency? I direct that and other questions at Glenn Gerstell, who has just finished six months in the job as General Counsel at the National Security Agency.

In the news roundup, we begin, of course, with the fight between Apple and the Justice Department. I open the discussion by reminding the audience that the war on terror cannot be a war on one of the world’s great religions and insisting that Apple remains a religion of peace. Michael Vatis describes the Justice Department’s latest filing, and we trade for deep discovery, not only at the FBI but also at Apple.

CFIUS has released its annual report – only eighteen months late – and the report shows continuing tough review standards from the Committee, Stephen Heifetz reports. There is no sign yet that Chinese acquisitions will experience a smoother ride in future.

Michael and I report on Google’s new effort to accommodate European data censors by geolocating users of google.com.

Finally, the judiciary is allowing defense lawyers to take a close look at the code used by the FBI to capture data about users of a child porn site seized by the Bureau.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_102.mp3
Category:general -- posted at: 6:18pm EDT

The Second Annual Triple Entente Beer Summit again filled the Washington Firehouse loft with an audience at least as knowledgeable as the panel, which consisted of Ben WittesShane Harris,Stewart BakerTamara Cofman Wittes, and Alan Cohn. The Triple Entente Beer Summit brings together members of the LawfareRational Security, and the Steptoe Cyberlaw podcasts.

The topic of the day was the confrontation between Apple and the Justice Department over gaining access to the iPhone used by one of the terrorists responsible for the mass killing in San Bernardino, California. Suffice it to say that the podcast was not sponsored by Apple, nor will it be any time prior to the heat death of the universe.

We also dig into the Nitro Zeus story, claiming that in 2009 the United States prepared a massive cyberattack on Iran as an alternative to kinetic action in the event that nuclear talks failed and Iran began a nuclear breakout.

Finally, the panel explores the administration’s rekindled enthusiasm for CVE – countering violent extremism. We provide a definitive answer to the question, “Do we need more GS-14s tweeting on terrorism?” And Tamara Wittes challenges us to find the difference between late Obama and late Bush in the messaging department.

Then the audience takes over, greatly raising the tone of the podcast with a series of thoughtful questions for the panel.

It was a fine evening, and we look forward to another reunion soon.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

 

Direct download: Podcast_101.mp3
Category:general -- posted at: 12:06pm EDT