The Cyberlaw Podcast

Was Iran’s cyberattack that bricked vast numbers of Saudi Aramco computers justified by a similar attack on the National Iranian Oil Company a few months’ earlier? Does NSA have the ability to “replay” and attribute North Korean attacks on companies like Sony? And how do the last six NSA directors stack up against each other? Those and other questions are answered by our guest for episode 122, Fred Kaplan, author of Dark Territory: The Secret History of Cyber War.

In the news roundup, we explore British corollary of the Pottery Barn Rule: “You Brexit, you owns it.” As the UK and the EU struggle to deal with fallout from the historic UK vote, all the incentives seem to be in place for the EU to do what it does best: vindicate the worst instincts of the European elite. In the name of deterring other departures, the EU is unlikely to offer the UK much in the way of concessions. On data protection, for example, Maury Shenk points out that the UK will likely have to keep its current law -- and adapt to the new regulation -- just to avoid a claim that British privacy law is inadequate.

In other news, DHS has released final guidelines for protecting privacy while sharing cyber threat information; I think they’re pretty good.

Michael Vatis and I also puzzle over the dicta adopted in a recent EDVA opinion that the utter insecurity of personal computers leaves users without a reasonable expectation of privacy and allows the FBI to use hackers’ tools without a warrant. I love it when a district court stakes out territory that makes even me feel like a civil libertarian.

The FTC drops a heavy fine on inMobi. Michael points out the much heavier weaponry that COPPA allows the Commission to deploy in privacy cases that involve children. But we have trouble mustering much sympathy for inMobi. 

Finally, we’re still trolling for listener feedback on whether we should go to the trouble of trying to arrange CLE credit for listening to the podcast. Based on reaction so far, we won’t. So if you’d like to get CLE credit for the podcast, it’s time to send your vote to CyberlawPodcast@Steptoe.com.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-122.mp3
Category:general -- posted at: 4:35pm EDT

With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies.

In the news roundup, Alan led off with a discussion about Etherium and the DAO, which of course begins by answering the question, “What is Etherium and what is the DAO?” As Alan explains, Etherium is a public blockchain similar to the Bitcoin blockchain, with code written in such a way as to optimize programming of “smart contracts,” self-executing contracts that transmit funds or take other actions based on the occurrence of defined events. Etherium is run by a non-profit organization, the Etherium Foundation, and has its own native currency called Ether. The DAO is an acronym for a “distributed autonomous organization,” which is essentially an organization that can operate in a decentralized manner (for example, on a blockchain) based on its programmed code rather than the actions of any governing individuals. In this instance, “The DAO” is the first of these types of organizations, which was created to fund projects that would work on Etherium. For most of May, people could purchase DAO tokens using Ether, and the DAO tokens gave their holders the ability to vote “Yes” or “No” on funding proposals made to the DAO by companies or individuals wanting to build things. The submission of proposals, the voting, and the funding of projects were all programmed to take place essentially without human intervention, all based on the DAO’s programmed code. (Whew!)

Now for the news—the first major splash made by the DAO was not the funding of its first project, but rather an attacker’s “recursive call” attack which allowed him/her/them to withdraw approximately 3.6 million Ether—worth about $55M at the time of the attack—by exploiting an element of the code meant to allow people to withdraw from the DAO and convert their DAO tokens back to Ether. As Alan explained (and probably needed a glass of water and maybe a snack by this point), the DAO’s creators and the Etherium Foundation were left with only a few responses, none of them ideal—void the attacker’s transactions but by doing so, demonstrate that transactions on a public blockchain can be voided; lock up the funds and figure out the next steps, which probably leads to a voiding of the transaction; roll back the entire Etherium ecosystem to just before the attack (kind of like reverting your iPhone to a backup) but effectively constituting a “bailout” of the DAO; or concluding that “the code is its own documentation” and anything done under the code is permissible, which preserves the integrity of the DAO (and Etherium) but leaves the attacker holding a lot of other peoples’ money.

For listeners who made it through all of that, Jason explained how the New York State Department of Financial Services issued its second BitLicense, this time to Ripple (the global settlement network, not the fortified wine), and at this pace, would get to double digits in terms of BitLicenses issued by 2022. Jason noted that this comes at the same time as industry efforts to focus attention on the dangers inherent in state-by-state licensing systems, although a single federal approach seems far off at this time.

Alan described the European Parliament’s recent resolution concerning virtual currencies, which was hailed as an anti-money laundering and counter terrorism financing action but in fact covers many aspects of virtual currencies and distributed ledger technology. The main headline was Parliament’s call on the European Commission to create a Task Force on virtual currencies. Alan channels Stewart for a moment, noting that the resolution actually says that Parliament “recalls that the internet, despite attempts to promote a multi-stakeholder approach, is still governed by the National Telecommunication and Information Administration, an agency of the United States Department of Commerce.” That must still sting.

Jason notes that the blockchain has also come to DC in a big way, with one day of a three-day symposium run by the Federal Reserve, the World Bank, and the International Monetary Fund dedicated to blockchain. The White House also got into the game, holding a FinTech summit with various White House and Administration officials. The President’s Council of Advisors on Science and Technology heard from industry leaders on blockchain, and the White House Commission on Enhancing National Cybersecurity heard testimony on blockchain technology in one of its first meetings.

Finally, Alan reports on the Central Bank of Canada’s experiment with developing a digital version of the Canadian dollar based on blockchain technology. Dubbed “CAD-coin” and running on the “Jasper” Distributed Ledger Settlement Platform (rather than something more inspired and Canadian, like “Molson”), the Central Bank’s experiment with a private blockchain is meant to “better understand the technology first-hand,” and we applaud them for that.

In the interview, Jamie Smith first debunks rumors that she is, in fact, Satoshi Nakamoto, the original creator of Bitcoin (“We are all Satoshi,” Jamie graciously explains.) Jamie describes how she first got involved in the blockchain space, her experience leaving a comfortable post-Administration job at a global PR firm to join the BitFury Group, and her process of realizing that Bitcoin is not “criminal money” and that blockchain technology can change the world for the better. Jamie describes recent initiatives backed by the BitFury Group, including the Blockchain Trust Accelerator launched in conjunction with the think tank New America and the National Democratic Institute, and the Global Blockchain Business Council. Jamie also describes events at the second Blockchain Summit on Sir Richard Branson’s Necker Island (Jason attended the first Blockchain Summit last year, and Alan attended this year’s Summit). Jamie gives a shout-out to the Blockchain Alliance, the organization co-founded by the Chamber of Digital Commerce and Coin Center to create a forum for the blockchain industry to engage with law enforcement (full disclosure: Steptoe serves as counsel to the Blockchain Alliance and Jason serves as its Director).

Next week, Stewart will be back and the podcast will turn back to cybersecurity issues. As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 (202) 862-5785.

Direct download: PC122w_music.mp3
Category:general -- posted at: 11:09am EDT

European hypocrisy on data protection is a lot like the weather. Everyone complains about it but no one does anything about it. Until today.

In episode 120, we announce the launch of the Europocrisy Prize. With the support of TechFreedom, we’re seeking tax deductible donations for a prize designed encourage the proliferation of Schrems-style litigation, but with a twist. We’ll award the prize to anyone who brings complaints that force Europe to apply the same human rights and data export standards to Russia, China, and Saudi Arabia as it applies to the US. More on the prize here.

We’re inspired to this announcement, because as Katie Cassel tells us in the news roundup, the data protection commissioner in Hamburg is hot-dogging on the privacy issue, and with relish. He has imposed fines on US companies for the offense of being caught by surprise when the Safe Harbor went down. Naturally, as far as we can tell, no similar cases have been launched against Russia, China, or any of the other countries that never even bothered to negotiate over privacy with the EU. The Europocrisy Prize, though, should go a long way to even the score.

We’re joined for the news roundup by Paul Rosenzweig of Red Branch Consulting, and he clues us in on the fight over ICANN’s future now being waged in Congress. Meanwhile, Alan Cohn explains why standing is such a high threshold for data breach plaintiffs, leading us to muse on exactly how much harm we can show from the disclosure of our naked pictures on the internet (in contrast to viewers, for whom injury may be presumed).

I highlight a workmanlike opinion from Judge Doumar on the FBI’s remote hacking of child porn aficionados. I also thank Sen. Cornyn and others on the Judiciary Committee for exposing just how little privacy groups care about ECPA reform. Sen. Cornyn has offered an amendment that would give back to the FBI the NSL access they had in 2008 to electronic communications transactions records. In order to keep Sen. Cornyn’s amendment off their reform bill, they’ve apparently ditched the whole bill.

In other privacy misrepresentation news, the UK press is full of headlines claiming that the “controversial” Investigatory Powers Act is moving forward “despite hacking and snooping fears.” Clue for the press: When the House of Commons vote to send a bill to the House of Lords is 444 to 69, calling it “controversial” just makes you look stupid and ideological. Most significantly, the bill goes out of its way to make clear that, if Apple makes the same arguments in the UK that it made against the FBI, it will lose. Tim Cook’s publicity campaign is really paying dividends, eh?

Katie explains the US Justice Department’s proposal to modify US law and streamline the production of electronic evidence to foreign governments. If they do that without extracting an end to EU data export restraints, the DOJ’s license to practice diplomacy should be revoked.

In other news, the French government has convicted Uber and two of its executives of failing to show sufficient respect to French officialdom. And the right to be forgotten turns out to be unworkable (who could have foreseen that!?).

Finally, we poll DHS alumni on whether the department’s cybersecurity organization, NPPD, should be raised to the status of a full-blown DHS component. Suzanne Spaulding will be pleased with the answer.

Note: Our interview with Rep. Will Hurd was delayed at the last moment, so we’re releasing it separately from the episode 120 news roundup.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: E_120.mp3
Category:general -- posted at: 11:32am EDT

Our guest for episode 119 is Kevin Kelly, founding executive editor of Wired Magazine and author of The Inevitable: Understanding the 12 Technological Forces that will Shape our Future. Kevin and I share many views – from skepticism about the recording industry’s effort to control their digital files to a similar skepticism about EFF’s effort to control private data – but he is California sunny and I am East Coast dark about where emerging technology trends are taking us. The conversation ranges from Orwell and the Wayback Machine to the disconcerting fluidity and eternal noobie-ness of today’s technological experience. In closing Kevin sketches a quick but valuable glimpse of where technology could take us if it comes from Shenzhen rather than Mountain View, as it likely will.

The news roundup leavens deep thoughts about the future with loose talk about sex and politics. I ask whether the FOIA classification review of Hillary Clinton’s email is compounding the damage done by her use of a homebrew server. I discover the weird connection between leak defenders like Julian Assange and Jacob Appelbaum and sexual extortion – and even offer a theory to explain it (caution: involves threesomes). And we award the Dumbest Journalism of 2016 prize to Jason Leopold, Marcy Wheeler, and Ky Henderson for a VICE article that spends thousands of words trying in vain to justify its headline – and also manages to bury the only interesting news the reporters turned up. (They have pole-dancing competitions in China? And the organizer invited Edward Snowden’s girlfriend to compete, just as Snowden was getting ready to release NSA’s files? Sounds like a great story, but the authors dropped it in favor of tendentious NSA bashing.) And to cap the week off, North Korea cloned Facebook for its nomenklatura, only to have a Scottish teen take it over because the logon credentials were left at “admin” and “password.”

More seriously, I report that USTR will in the future try to negotiate limits on data localization even for financial institutions. Maury Shenk reports on the successful EU jawboning of big American tech companies to crack down on “hate speech” on line.

Organizations whose hate speech has mainly been aimed at Smith v. Maryland and the third party rule had a bad week, I note, as the only circuit to require warrants for cell-site location recedes in an en banc opinion that drastically cuts the Supreme Court’s incentive to grant cert on the issue.

Maury reports on delays to the EU’s Paris-related changes in anti-money-laundering regulation. And I puzzle over the newfound enthusiasm in Republican and cable industry circles for FTC-style privacy regulation.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 119th episode (mp3).

Direct download: Podcast_119.mp3
Category:general -- posted at: 4:19pm EDT

Episode 118 digs deep into DARPA’s cybersecurity research program with our guest, Angelos Keromytis, associate professor at Columbia and Program Manager for the Information Innovation Office at DARPA. Angelos paints a rich picture of a future in which we automate attribution across networks and international boundaries and then fuse bits of attribution data as though they were globules of the Terminator reassembling into human form. 

Direct download: Podcast_118.mp3
Category:general -- posted at: 8:20am EDT

1