Our guest today is Rob Corbet, a partner and head of the Technology & Innovation group in Arthur Cox, a large Irish law firm.   Ireland is a uniquely important jurisdiction for US companies dealing with data protection issue.  I ask whether Ireland’s role is going to become more or less powerful under the proposed revision, and we talk about the replacement of its longstanding data protection commissioner.   

This week in NSA:   NSA is getting ever thinner, but there is still a knock-on effect from the Snowden revelations, which is now complicating the way Treasury designates people and institutions for sanctions.  This is a complex tale, and we will dig deeper into it next week.  

Web publishers are taking it on the chin everywhere.   Russia has told Google, Twitter, and Facebook to register under Russian law and submit to Russian regulation, including local storage of Russian data.  And the EU Article 29 Working Party is working on how to implement the right to be forgotten, combining its usual ineffectual bureaucratics with politically correct misrepresentations. Bet you didn’t know that the right to be forgotten isn’t censorship, apparently because you’re being censored first by companies, then by “independent” data protection agencies, and finally by the courts. That’s not censorship, say European regulators, it’s “balancing.” I’m reminded of Mary McCarthy, who famously said of Lillian Hellman, “Every word she writes is a lie, including “and” and ‘the’.” (Meanwhile the New York Times announces that it’s been hit by the right to be forgotten, with several of its stories going down the memory hole.) 

 In the US, the attack on web publishers is taking a different form, but it’s no less effective.  When Apple screws up and allows the disclosure of celebrity nude photos, it’s Google that gets hit with the threat of a $100 million lawsuit, on grounds that are half copyright, and half a kind of right to be forgotten.  Google immediately surrenders, claiming that it’s taken down links to the photos.   

 Finally, in the most troubling cybersecurity news of the month, maybe the year, JP Morgan acknowledges a deep penetration of its computer networks by sophisticated hackers – quite possibly aided by the Russian government.  Exactly what the hackers took and what they intended is still not clear, something that makes the intrusion more ominous not less, raising as it does the possibility that Russia intends to impose its own style of financial sanctions on the United States.   

All of which raises the question whether JP Morgan should protect itself by adding a “Herod clause” to its terms of service:  anyone accessing the site without authority automatically surrenders custody of his firstborn.  If it worked for F-Secure’s free wi-fi service, maybe it will work for cybersecurity.

The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.   If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the thirty-seventh episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our guest today is Admiral David Simpson, Chief of the FCC’s Public Safety and Homeland Security Bureau.  Admiral Simpson has more than 20 years of Information and Communications Technology experience supporting the Department of Defense.  Adm. Simpson is joined by Clete Johnson, his Chief Counsel for Cybersecurity.  The interview digs deep into Chairman Wheeler’s cybersecurity initiative, asking among other things exactly how voluntary it will be, what telecom companies can do to stop DDOS attacks, and what CSRIC really stands for. 

It’s getting harder and harder to find new NSA stories, which must be a relief to the agency.  Last week, the only news was NSA’s decision to name Anne Neuberger its Chief Risk Officer.  Anne is an able woman who knows the outside world better than practically anyone at the agency, but I can’t shake the feeling that what the agency wants is a Chief Risk-Aversion Officer. 

In other news, how to handle location data after Riley continues to bedevil the circuit courts, but the Fifth Circuit seems to have come to a surprisingly reasonable result, holding that users don’t have a reasonable expectation of privacy in the cell-site data that they give the phone company so it can connect calls to them. 

Adm. Simpson and I dig into three stories that are more technical than legal but which will all have legal fallout soon:   It turns out that Apple may have known about the iCloud security flaw that enabled disclosure of nude celebrity photos for as long as six months before the hack.  The Shellshock bug debunks the notion that open-source is inherently more secure than proprietary code, and it means that anyone who has built their business on Linux should be scrambling (that means you, Apple and Google). And the financial industry launches a real-time information-sharing program that will finally test-drive the vision underlying the bills that Congress has been trying to pass for years.

In retaliation for Western sanctions, Russia is advancing the date for mandatory social media data localization.  Meanwhile, Google’s staggering potential liability for “wiretapping” publicly broadcast Wi-Fi signals has led to an interesting discovery fight, with the self-proclaimed victims of the wiretapping challenged to show that Google actually intercepted any of their data when the Street View car drove past their homes.  If the plaintiffs fail, their whole case (and their lawyers’ payday) are at risk, since non-victims are not proper class representatives.

Finally, a brief cybersecurity obituary:   Apple’s warrant canary is pining for the fjords.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

For those who think the podcast is best when we have a guest from the opposite end of the political spectrum, episode 35 should be a treat.  (We’re late this week, but it will be well worth the wait.) Our guest is Julian Sanchez, a senior fellow at the Cato Institute who studies surveillance and other issues at the intersection of technology and civil liberties.  He is a founding editor of the policy blog Just Security, and recently debated another of our guests, Orin Kerr, on Apple’s recent announcement that it would no longer be able to decrypt iPhones for law enforcement.    We dig into that issue in detail, asking such questions as how often encryption has actually stymied an investigation, whether “hacking” the phone is a substitute for help from the company, what this means for corporate users of iPhones, the implications for Apple (and Google) in other countries, and whether Google/Apple run a risk under current US law of lawsuits by prosecutors or by crime victims.

Our news roundup begins with some of the first good news NSA has received in months.  It looks as though Snowden fatigue may finally be setting in abroad as well as here.  Last week, Glenn Greenwald, Edward Snowden, and Internet multimillionaire Kim Dotcom teamed up to “close one of the Five Eyes” by driving New Zealand’s government out of office in national elections.  They combined strategic leaks, a Snowden attack on the prime minister as a liar, and Dotcom’s multimillion dollar campaign war chest.  Well, the elections are over, and the Anti-NSA Dream Team was trounced.  In less good news, NSA Director Mike Rogers admits to having missed more than he’d like about ISIS’s rise.  We debate how much the political furor over the agency contributes to these problems.

In other news, we discover that auto-forwarding someone else’s email is a wiretap – and why suing for a privacy violation is much better than seeking alimony.   Meanwhile, the Home Depot case sets a new record, and the Neiman Marcus data breach case gives comfort to class action defense lawyers all across the country.  The Texas Court of Criminal Appeals tells us that the constitution may protect upskirt photos.

And, finally, we speculate whether the whole privacy law thing will finally melt down over health data, especially now that concerns about HIPAA are stifling innovation by app companies, spurring a turf war between the FTC and HHS, and, most of all, getting in the way of rapid response by government agencies accused of wrongdoing.

Finally, we announce a new feature of the Steptoe Cyberlaw Podcast:   feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone here’s the number: 202.862.5785. We may play your message on the podcast if it’s particularly insightful or entertainingly abusive.

Our guest this week is Dr. Phyllis Schneck, the Deputy Undersecretary for Cybersecurity for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD).    She and Marc Frey, Senior Director in Steptoe’s DC office and former Chief of Staff at DHS’s Office of Policy Development, discuss the status of cybersecurity legislation and DHS’s highest cybersecurity priorities.

We begin the podcast with This Week in NSA, as newly released documents indicate that back in 2008, the US government threatened to fine Yahoo $250,000 a day if it failed to comply with an order for data under the PRISM program. 

We dive into the Alien Tort Statute suit that was dismissed against Cisco.  And, even though Stewart isn’t here this week, we give an update on his favorite topic – the right to be forgotten.   We also have a new competitor for the title of “strangest ruling against Google in a European court this year” – as a German court has ordered Google to provide more responsive customer support.  

Last week, we told you about how Yelp had prevailed in an extreme case claiming that the company suppresses bad reviews for its advertisers.   This week, California adopted a law that further protects customers’ ability to post negative reviews to Yelp and other sites.   

This week in data breaches: Home Depot confirms its breach, and the congressional reaction is predictable.  On a related front – in the newly minted “This Week in Judge Koh,” she finds that the Adobe breach victims have standing based on risk of future harm – we explain how this can be reconciled with Clapper and what its implications might be for future class actions.

Finally, tech companies again try to ramp up the pressure for ECPA reform, and in the Microsoft search warrant litigation in New York, Microsoft agreed to be held in contempt – we explain why. 

Our guest this week is Orin Kerr, professor of law at George Washington University and well-known scholar in computer crime law and internet surveillance.  Orin is our second return guest, and he demonstrates why, opining authoritatively on the future of NSA’s 215 program and the “mosaic” theory of fourth amendment privacy as well as joining in our news roundup.   

We begin the podcast with This Week in NSA, which again consists of news stories not written by Glenn Greenwald and the Snowdenistas. Most prominent are the stories claiming that Snowden’s leaks contributed to US intelligence failures against ISIS, the decision by Justice and DNI officials to support Sen. Leahy’s USA Freedom bill, and the release of a less-redacted version of Jack Goldsmith’s OLC opinion holding that the 215 program’s predecessor is not only legal but requires no FIS court approval, at least in time of war.  We find even more evidence that Snowden leaks harmed our ability to monitor ISIS, doubt that Sen. Leahy’s bill will pass before the elections, and speculate about whether OLC has a macro that inserts its plenary Article II article into every opinion it produces.

Meanwhile, Yelp prevails in an extreme case claiming that the company suppresses bad reviews – but only for advertisers.  To which the Ninth Circuit says, “So what? It’s Yelp’s site.”  If only the aggrieved shopowner had sued under EU privacy law, which might require Yelp to forget those bad reviews.

Speaking of the right to be forgotten, I explain what I’ve learned by actually filing censorship demands of my own.  The headline?  Google will suppress European search results for anyone anywhere.  You don’t have to be a European to have your peccadilloes forgotten.  The full post is here.

And, speaking of foreign censorship of US information, LinkedIn is being accused of applying Chinese censorship to Chinese customers, even on LinkedIn’s U.S. site.  Three cases make a trend, and censoring the news that Americans read by threatening to hold their news suppliers liable abroad is definitely a trend.

This week in data breaches:  Home Depot is accused, and Sen. Rockefeller calls on the company to respond.  Will “tokenization” solve the problem, at least for stores – or is that a solution only a lawyer could love?  We also look at the healthcare.gov hack and conclude that it’s been hyped.

In other regulatory action, Google takes a big hit for kids’ in-app purchases and Verizon agrees to pay $7.4 million for sending inadequate notices to customers.  But the class action bar isn’t likely to get rich off either case.

And Jason lays out the details of a Hasidic child abuse trial that has already produced not one but two noteworthy privacy rulings in New York. 

We’re back!  After a much needed hiatus, during which we shared wilderness paths with bison, woke up to wolf cries, and celebrated the value of ibuprofen, the Steptoe Cyberlaw Podcast is back on the net.

The hiatus allows us to cover this month in NSA, which is a good thing, because the Snowden News Machine is sputtering.  The most significant news was probably made by NSA itself, which released a redacted opinion of the FISC, shedding a lot of light on why the government abandoned its internet 215 program.  Judge Bates’s heavily redacted program criticizes the agency relentlessly for making promises about its technology and procedures that it just couldn’t keep.  My guess is that the agency heads and DOJ got so tired explaining and apologizing to the court that they finally just killed the program.

In other NSA news, Snowdenista journalists try to make an issue of the fact that NSA has developed a search engine for metadata called ICREACH.  Public reaction: Well, duh.

More egregiously, Laura Poitras and Der Spiegel provided detailed information about US intelligence collection on Turkey in a scarcely veiled effort to sabotage the US-Turkey relationship – and to relieve the German government of the embarrassment of a leak showing that despite Angela Merkel’s claim that friends shouldn't spy on friends, Germany spies enthusiastically on Turkey.

Mustn't embarrass the German government, after all.  Its insistence on moral purity in intelligence collection is the main political/diplomatic support for what’s left of the Snowden campaign.  But that purity is looking a little sullied after revelations that German intelligence intercepted both Hillary Clinton and John Kerry as they carried out diplomatic efforts.

In other August news, the Microsoft case questioning the government’s authority to issue warrants for overseas data continued to evolve over the month, with the government greatly raising the stakes:  If Microsoft wants to appeal, the government says, its only option is to refuse compliance with the warrant and let the court hold it in contempt.  And it looks like the district court agrees.

Elsewhere, Linkedin settles its data breach case for a relatively modest $1.25 million.  NIST seeks comment on how its Cybersecurity Framework is working out.  And a federal court in Massachusetts offers novel (and probably bad) advice to those hoping to avoid liability under federal computer abuse law:  Just make sure the computer’s been disconnected from the Internet before you attack it.  Finally in what looks like an increasingly American exceptionalist view, US courts continue to hold that search engines aren’t liable for the links they publish or their autocomplete suggestions.

Our guest for the week is David Hoffman, Intel’s Chief Privacy Officer, and one of the most thoughtful privacy officials going.  Apart from his unaccountable fondness for the European Court of Justice’s decision on the right to be forgotten.  We debate the decision again, and I discover that David and I are famous by Google’s standards, while Michael is not.  I propose new ways to throw a legal spanner in the European data protection agencies’ works.

The Steptoe Cyberlaw Podcast is on hiatus in August, but we’ve brought it back for a special appearance – a debate over Senator Patrick Leahy’s version of the USA Freedom Act sponsored by the Federalist Society. Moderated by Christian Corrigan, the debate pitted me against Harley Geiger, Senior Counsel and Deputy Director for the Freedom, Security and Surveillance Project at the Center for Democracy and Technology. Surprisingly, Harley and I manage to find some significant points of agreement, not only on the superiority of the Senate’s definition of ‘special selection term’ over the House’s, but also on the need to deal with what ethical and conflicts standards should apply to special advocates appearing before the Foreign Intelligence Surveillance Court – a topic that neither the House nor the Senate bill presently addresses.

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: The Senate Judiciary Committee has come up with a new version of the section 215 reform bill passed by the House; Glen Greeenwald discloses that the NSA has a limited intelligence sharing arrangement with Saudi Arabia; four senators express concern about NSA's overseas intelligence collection program; Sony settles its service-suspending hack for $15 million worth of free stuff for users; the 9/11 Commission issues a soft endorsement of "direct action" by private parties who are hacked; Vladimir Putin signs legislation to keep Russian data in Russia; The Washington Post explains that the FBI "Going Dark" is real; the President's plan to talk about drone privacy; and Congress votes to end DMCA protection for locked cell phones. In our second half we interview, Richard Danzig, former Navy Secretary, board member of the national security think-tank, The Center for a New American Security, and author of the paper Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America's Cyber Dependencies. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Stewart Baker and Maury Shenk discuss false claims that NSA has flagged the Linux Journal as an "extremist forum"; the UK has introduced new stopgap legislation to make sure it doesn't lose its data retention authority in the wake of an unfavorable ECJ decision, and to allow UK law enforcement to require foreign entities to turn over data under a warrant; the UK government has also proposed creating their own PCLOB; the Senate Intelligence Committee produces a cybersecurity information sharing bill as a bookend to the House's bill; and Russia has proposed their own data protection rule. In our second half we have our first repeat interviewee, David Medine, Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB). We discuss the 702 report and have a roundup of this week in NSA, including a discussion of Glenn Greenwald's disclosure of the Americans targeted by NSA and Bart Gellman's defense of his Washington Post article. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.