Our guest commentator for episode 74 is Catherine Lotrionte, a recognized expert on international cyberlaw and the associate director of the Institute for Law, Science and Global Security at Georgetown University.  We dive deep on the United Nations Group of Government Experts, and the recent agreement of that group on a few basic norms for cyberspace.  Predictably, I break out in hives at the third mention of “norms” and default to jokes about “Cheers.”

In the news roundup, Michael Vatis and I sort through China’s ever-growing list of vague laws expressing determination to control technology for security purposes.  Jason Weinstein explains the FTC’s settlement with the makers of a stealthy digital currency mining app.  He and Michael also note the remarkably belated filing of a class action arising from the Anthem hack – and cast doubt on whether the class can be sustained.

Speaking of class actions, the OPM hack has also led to litigation.  All the Cyberlaw commentators are in the class, and none of us expect the litigation to succeed.  And speaking of the FTC, it has released new security guidance, a kind of Restatement of FTC Security Law, explaining just how wisely the FTC settled its 50-plus security cases.  I provide a quick update on the status of my FOIA lawsuit on behalf of Phil Reitinger, in which we try to find out what security standards the FTC is actually using to decide which companies are in violation of the law.

In NSA news, the Foreign Intelligence Surveillance Court says the Second Circuit’s opinion on NSA’s 215 metadata program was unpersuasive and mischaracterized the program.  In judicial circles, the trash talk doesn’t get much trashier.  Since this all becomes irrelevant when the program ends later this year, the FISC will likely have the last word.  And WikiLeaks is rolling out more alleged NSA docs, this time focusing on Germany and Brazil.  The documents don’t seem to be from Snowden, and WikiLeaks offers no provenance for them.  Hmm.  Maybe we ought to take another look at those stories claiming that WikiLeaks has been infiltrated by Russian intelligence.  

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Our guest for Episode 73 is Rob Knake, currently the Council on Foreign Relations Senior Fellow for Cyber Policy and formerly with DHS, the White House, and the Richard Clarke finishing school for cybersecurity policymakers. Rob and I are quickly embroiled in disagreement; as usual, I mock the cyberspace “norms” that Rob supports and disagree with his surprisingly common view that the US shouldn’t react strongly to Chinese hacking of the OPM database. But we come together to condemn the gobsmackingly limp US response to China’s attack on Github.

In the news roundup, Alan Cohn and Jason Weinstein explain attribution problems in the Cardinals-Astros hacking case. Somehow the Broncos also figure in the discussion.

Want to know why President Obama was foolish to promise he wouldn’t spy on the French President’s communications? The answer is supplied by WikiLeaks, which discloses that the last French President was caught trying to end run the United States on Palestinean issues. WikiLeaks of course thinks that shows American perfidy.

Google, meanwhile, fought the good fight to overcome a gag order and disclose an investigation of WikiLeaks soulmate Jake Applebaum. Most interesting item in the 300 pages of documents released by the Justice Department?

The Department’s hint that those who Twitter-bully tech companies over their transparency records may be engaged in witness intimidation.

And in a recurring feature, This Week in Prurient Cyberlaw, we unpack the surprisingly complex problem of how Google identifies and delinks revenge porn.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

James Baker, General Counsel of the FBI, is our guest on this week’s podcast. He fearlessly tackles the FBI’s aerial surveillance capabilities, stingrays, “Going Dark,” encryption, and the bureau’s sometimes controversial attribution of cyberattacks.  But he prudently punts on the Hack of the Century, refusing to reveal details of the FBI investigation into the Houston Astros network intrusion.  

Privacy advocates are embracing a recent report recommending that the government require bulk data retention by carriers and perhaps web service providers, exercise extraterritorial jurisdiction over data stored abroad, and expand reliance on classified judicial warrants. In what alternative universe is this true, you ask? No need to look far. That’s the state of the debate in our closest ally. The recommendations were given to the United Kingdom by an independent reviewer, David Anderson. He’s our guest for Episode 71 of the Cyberlaw Podcast, and he provides a refreshingly different perspective on surveillance policy, one that makes us realize that it’s U.S. civil libertarians, not the U.S. government, who are out of step with the world.

In the news roundup, I bring Edward Snowden back for one last time – the fifteenth time I’ve done that, Michael Vatis points out. This time it’s a British government leak claiming that both Russia and China have decrypted the entire corpus of Snowden’s stolen files – including the enormous number of files that have nothing to do with surveillance and everything to do with military operations.

The OPM hack has now reached Target status, Jason Weinstein argues. It’s not the first, it’s maybe not even the worst, but it’s a hack that has captured the country’s imagination in a way that earlier warnings did not. 

You might think that the OPM hack would show why information sharing is essential. But privacy advocates continue to hold CISA hostage to yet more protections for privacy. The 14 million government officials and former officials whose privacy has been grossly abused by the OPM hack will, I’m sure, thank Senators Mike Lee and Ron Wyden for their continued obstruction of government cybersecurity efforts. In the House, the likeminded Rep. Massie has again proposed an appropriations amendment that would put new limits on the most important part of NSA’s intelligence mission – overseas collection. His amendment passed the House but shows little prospect of surviving Senate review.

In a new feature, This Week in Self-Dealing, we review Jason’s recent op-ed on the New York bitcoin regulations and Alan Cohn’s op-ed on what’s wrong with government cybersecurity policy. We close with comments on the new, extensive, and probably ill-advised Connecticut breach and security law, plus new obstacles for Twitter’s “warrant canary” first amendment lawsuit.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our guest for Episode 70 of the Cyberlaw Podcast is Dan Kaminsky, a famous cybersecurity researcher who found and helped fix a DNS security flaw.  Dan is now the Chief Scientist at WhiteOps, but I got to know him in an unlikely-bedfellows campaign against SOPA because of its impact on DNS security. Dan and I spend most of the podcast disagreeing, largely about trust, Snowden, and security, but we do explore in detail the fact that, contrary to the Received Canon of Silicon Valley, end-to-end encryption is broken to improve security thousands if not millions of times a day by responsible corporate CISOs.  Dan also describes WhiteOps’s promising new take on identifying hackers and clickfraud on the internet.

In the news roundup, we bring back This Week in NSA for old times’ sake, highlighting the enactment of the USA FREEDOM Act and exploring its likely impact.  We mock Charlie Savage for his overwrought New York Times article claiming that NSA’s cybersecurity monitoring is a privacy issue. (We apologize to Julia Angwin, Jeff Larson, and Henrik Moltke, who shared Charlie’s byline; we’ll mock you next time, I promise.) NSA is apparently inspecting traffic from foreign sources for malware and other signatures and may also be spotting exfiltrated data as it leaves victims’ networks. Charlie and his coauthors call this “warrantless surveillance of Americans’ international Internet traffic.” Note to the New York Times:  a hacker sending me malware and stealing my files is a lot of things, but in the real world no one would call that my “international Internet traffic.”

Jason covers the broken settlement between MasterCard and Target arising from Target’s notorious Christmas 2013 breach.  And the Office of Personnel Management comes in for some well-earned criticism, not least for its lame offer of credit monitoring to the 4 million victims of what may be Chinese hacking. If it is the Chinese government, the one thing we probably don’t have to worry about is credit fraud, and given the flood of Chinese thefts of American personal data, the government needs to be giving victims better guidance about what to watch for.

Speaking of government failings, we talk about the supine US response to Putin’s trolls, even though they’re clearly testing tools to create panic and sow disinformation in the wake of a crisis in the United States. Even when they do it inside the United States, it appears that our only strategy is hope.

Michael talks about the Supreme Court ruling that will make the internet safe for violent revenge fantasies. And Jason explains the difference between the FBI’s encryption “Going Dark” campaign and the FBI’s CALEA “Going Dark” campaign:  They’re both DOA, but buried in different parts of the US Code.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Our guest for Episode 69 is Jason Brown, the Assistant to the Special Agent in Charge of the Cyber Intelligence Section at the U.S. Secret Service. We talk about the Secret Service’s Electronic Crimes Task Forces and their critical role in investigating data breaches affecting financial institutions, retailers and other companies. We also discuss how the Secret Service helps companies prepare for and mitigate their risk of an incident. We talk about issues that impact breach victims’ decisions about whether or how to engage with law enforcement and about how the relationship between law enforcement and Internet providers has changed in the post-Snowden world. Finally, we discuss how the changing jurisprudence relating to electronic searches is impacting the day-to-day conduct of criminal investigations.

In the news roundup, we discuss the dysfunction in the Senate that has led to the (temporary?) lapsing of the 215 program. We mull over the impact of Riley on the Sixth Circuit’s decision in a laptop search case. The DOJ Criminal Division talks about hackback, and Yahoo! faces class certification in an email scanning case. In our “prurient interest” feature, a database of Adult Friend Finder users is for sale online. And we weigh the possible impact of New York’s BitLicense regulations. Once again, Maury Shenk joins us to talk about developments in Europe, including new Dutch breach notification requirements, Skype’s efforts to push back against Belgian intercept law, and discussions about new EU cybersecurity rules that could have a significant impact on US providers.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Our guests for Episode 68 include Julian Sanchez, senior fellow at the CATO Institute where he studies issues at the busy intersection of technology, privacy, and civil liberties, with a particular focus on national security and intelligence surveillance. They also include the entire May meeting of ISSA- NOVA, which kindly invited the Cyberlaw Podcast to go walkabout once again. The audience provides useful feedback on several of the topics covered in this episode.

We begin with This Week in NSA.  And even though we had no idea how the Senate process would end up, neither it turns out did Majority Leader McConnell or anyone else. Our remarks on the Congressional dynamic remain as relevant now as when we made them, despite our intimations of obsolescence. We also cover an early judicial decision on insurance coverage for data breaches (subscription required), the US indictment of (another!) six Chinese economic espionage agents, and the personal data orphaned by Radio Shack’s bankruptcy.

More importantly, we seize on a flimsy pretext to revisit Max Mosley’s five-hour, five hooker sadomasochistic orgy (subscription required) and his self-defeating efforts to wipe it from the internet by threats of lawsuit. It turns out he’s now reached a settlement with Google. I speculate that perhaps we’ve misread Mosley all this time. Maybe he’s doing this because of the Streisand effect, not in spite of it. It’s like he wants the internet to punish him, or something …

Returning to serious coverage, we note that CCIPS and the Justice Department may be suffering from Baker Derangement Syndrome in the face of my defense of private cyber-investigation that goes beyond network boundaries. The Department’s latest effort involves persuading CSIS and a group of CISOs to join a draft paper that looks suspiciously like a DOJ brief in opposition to the Cyberlaw Podcast. And the supposed consensus among CISOs that’s identified in the paper breaks down quickly, rejected ten to one in an informal poll of the ISSA-NOVA audience.

Julian and I mix it up over the new, revived Crypto Wars, as I challenge the claim that building access to encryption systems is always a bad idea. That, I say, will come as news to all the network security administrators who access end-to-end TLS sessions on a routine basis because the security consequences of not “breaking” that crypto are worse than the corporate front door. He recommends that I ask Dan Kaminskyto comment on that statement, and since Dan will be a guest on the podcast soon, we’ll all get to hear his answer.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Our guest for Episode 67 is Dan Geer, a legendary computer security commentator and current CISO for In-Q-Tel. We review Dan’s recommendations for improving computer security, including mandatory reporting of intrusions, liability for proprietary software, striking back at hackers – at least in some ways – and getting the government to purchase and fix vulnerabilities. We agree on the inherent foolishness of the Internet voting movement, but I disagree with Dan on the right to be forgotten, and I predict that net neutrality will lead to the opposite of what he wants – both more regulation of operators and more limits on what the operators are allowed to carry.

As with Bruce Schneier, I accuse Dan of a kind of digital Romanticism for advocating improbable personal defenses like using Tor for no reason, having multiple online identities, swapping affinity cards, and paying your therapist under an assumed name. But Dan makes me eat my words.

More from Dan can be found here, here, and here.

In the news roundup, we introduce Alan Cohn, yet another recent alumnus of the DHS Policy office now at Steptoe. We also revive This Week in NSA, pooling our collective inability to predict what the week will hold for the 215 metadata program. We muse about border laptop searches, questioning both DOJ’s choice of battleground and the ability of judges to withstand a PR campaign by the privacy lobby. We cover a FOIA case to find out if the FTC actually has security standards – a case filed by Phil Reitinger and Steptoe. The roundup ends with the plane-hacking case, the FBI’s Stingray guidance, and the first anniversary of the EU’s misbegotten Right to Be Forgotten.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

The Triple Entente Beer Summit was a great success, with an audience that filled the Washington Firehouse loft and a cast that mashed up Lawfare, Rational Security, and the Steptoe Cyberlaw Podcast.  We attribute the podcast’s freewheeling interchange to the engaged audience, our profound respect for each other, and, mostly, the beer. After a discussion of between the combined panels, we throw the event over to the audience, which demonstrates that we could have produced almost as good a program by randomly selecting audience members to appear on the panel with us.

Episode 65 would be ugly if it weren’t so much fun.  Our guest is Bruce Schneier, cryptographer, computer science and privacy guru, and author of the best-selling Data and Goliath – a book I annotated every few pages of with the words, “Bruce, you can’t possibly really believe this.” And that’s pretty much how the interview goes, as Bruce and I mix it up over hackbacks, whether everyone but government should be allowed to use Big Data tools, Edward Snowden, whether “mass surveillance” has value in fighting terrorism, and whether damaging cyberattacks are really infrequent and hard to attribute. We disagree mightily – and with civility.

The news roundup covers Congress’s debate over NSA and section 215. The House is showing a dismaying efficiency in moving bad bills while the Senate is mired in what may turn out to be more productive confusion (see, e.g., S. 1035 and S. 1123). 

We unpack the Supreme Court’s grant of certiorari in Spokeo.

A new and troubling development in cyber insecurity was demonstrated by the malware Cryptowall, which infected readers of the Huffington Post via ads for Hugo Boss, then encrypted the readers’ hard drives and held their data for ransom. We ask whether the ad networks or even the web publishers will eventually be held liable for transmitting the infected ads via HuffPo ads for Hugo Boss. The Senate Homeland Security Committee wrote a report on malvertising risks and liabilities last year that concludes with the view that liability couldn’t be established because none of the participants in the online advertising industry is directly responsible for the harm. I think the Senate Homeland Security committee has never litigated in the Eastern District of Texas.

In quick news, Goldman’s “Flash Boy” has been convicted again. The FCC says it doesn’t regulate Stingrays, except to require FBI approval for purchasers. The US and Japan deepen their cyber defense relationship, and Prime Minister Abe gets standing O for calling out (shh! Chinese) cybertheft of IP. And, DOJ releases cybersecurity guidance that is surprisingly good – but for what I call its fatally flawed view of hacking back (at least that’s what I meant when I called the authors “jackasses”).

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.