The Cyberlaw Podcast

What’s the difference between serving in Congress and spying in the back alleys of a Middle Eastern bazaar?  Why not ask the one Congressman who’s done both – Rep. Will Hurd (R-TX).  He also has cybersecurity chops from his career in industry, so he makes the perfect guest for episode 124a of the podcast.  Just running through his week takes us from the difficulty of setting red lines in cyberspace to what we know about foreign penetration of the Clinton email server.  But we manage as well to cover the declining fortunes of the Massie-Lofgren amendment and the reasons (and possible cures) for the disaster that is federal IT procurement.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_124a.mp3
Category:general -- posted at: 1:27pm EDT

This week’s news roundup is dominated by the Ninth Circuit and the European Union.  The EU parliament has approved the Privacy Shield that replaces the Safe Harbor.  Michael Vatis, Alan Cohn and I ask whether companies should seek protection under what may prove to be a pretty leaky Shield.  And the EU has approved cybersecurity rules for critical industries and verdammte amerikanische Unternehmen (damned American companies) … er, digital service providers.  You may not like the EU penchant for regulation as a first resort, but Alan and I conclude that the initiative on cybersecurity standard-setting may finally have moved to Brussels.

In Ninth Circuit news, the Nosal case has come back for another round of appellate decision-making, and this time the decision goes against Mr. Nosal.  Michael and I debate whether sharing a password should lead to criminal penalties.  In other news, the lib/left continues its campaign to impose a warrant requirement on reuse of section 702 data.  They’ve already lost in two courts, and my guess from oral argument in US v. Mohamud is that they won’t do better in the third.

Elsewhere, Russia has finally adopted its aggressive new law regulating digital service providers in the name of fighting terrorism. The FCC privacy regs attract some support from other agencies, notably the FBI and Secret Service.  Silent Circle, already silently circling the drain, has dropped its faddish warrant canary “for business reasons.”  And kudos to Yingmob for its new business model; the Chinese company seems to have combined legitimate adtech business lines with a line of malware that has infected ten million Android phones.  No word yet on whether Yingmob employees can take a break from writing malware to play foosball.  

Our interview with Will Hurd will follow later in the week.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_124.mp3
Category:general -- posted at: 10:01am EDT

Edward Snowden criticizes Russia’s mass surveillance law, and a Russian official retaliates by outing him ‒ as a Russian intelligence source. Silent Circle, the phone company that built its marketing on fear and loathing of the NSA, is nearing bankruptcy. And members of the dominant European Parliament faction are asking the Commission, “Hey! How come you keep demanding more data export and privacy concessions from the US without asking for bupkis from China?” And the FBI now has three politically viable paths to win back authority to obtain electronic communications transaction records with a National Security Letter.

Truly, episode 123 feels like a reward for living through 2013.

In other news, Alan Cohn and Katie Cassel report on the Bank for International Settlements’ surprisingly sophisticated cybersecurity standards. I whinge about Bob Litt’s 18 pages of binding commitments to Europe on how the US will conduct intelligence from now on. Alan and I compliment CBP on its technical savvy in easing border clearance ‒ and ponder the role of stools in protecting the homeland.

I report that Belgian courts have reversed a verdict by the local DPA against Facebook, and Maury Shenk comments on broader implications for EU data protection. Katie notes that FTC commissioner Maureen Ohlhausen continues to tout the advantages of her agency’s “flexible” privacy and security standard and to diss the FCC’s more explicit approach. I mock the ACLU for demanding the right to violate criminal law to get information from private companies and ask if I can do the same to get the ACLU to answer my questions about whether it provides real security for its clients. And Maury reports that China is still rolling out new internet regulations, from online search standards to where to store Chinese citizens’ personal data (China, natch).

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Episode_123.mp3
Category:general -- posted at: 4:05pm EDT

Was Iran’s cyberattack that bricked vast numbers of Saudi Aramco computers justified by a similar attack on the National Iranian Oil Company a few months earlier? Does NSA have the ability to “replay” and attribute North Korean attacks on companies like Sony? And how do the last six NSA directors stack up against each other? Those and other questions are answered by our guest for episode 122, Fred Kaplan, author of Dark Territory: The Secret History of Cyber War.

In the news roundup, we explore the British corollary of the Pottery Barn Rule: “You Brexit, you owns it.” As the UK and the EU struggle to deal with fallout from the historic UK vote, all the incentives seem to be in place for the EU to do what it does best: vindicate the worst instincts of the European elite. In the name of deterring other departures, the EU is unlikely to offer the UK much in the way of concessions. On data protection, for example, Maury Shenk points out that the UK will likely have to keep its current law -- and adapt to the new regulation -- just to avoid a claim that British privacy law is inadequate.

In other news, DHS has released final guidelines for protecting privacy while sharing cyber threat information; I think they’re pretty good.

Michael Vatis and I also puzzle over the dicta adopted in a recent EDVA opinion that the utter insecurity of personal computers leaves users without a reasonable expectation of privacy and allows the FBI to use hackers’ tools without a warrant. I love it when a district court stakes out territory that makes even me feel like a civil libertarian.

The FTC drops a heavy fine on inMobi. Michael points out the much heavier weaponry that COPPA allows the Commission to deploy in privacy cases that involve children. But we have trouble mustering much sympathy for inMobi. 

Finally, we’re still trolling for listener feedback on whether we should go to the trouble of trying to arrange CLE credit for listening to the podcast. Based on reaction so far, we won’t. So if you’d like to get CLE credit for the podcast, it’s time to send your vote to CyberlawPodcast@Steptoe.com.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: SteptoeCyberlawPodcast-122.mp3
Category:general -- posted at: 4:35pm EDT

With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies.

In the news roundup, Alan led off with a discussion about Ethereum and the DAO, which of course begins by answering the question, “What is Ethereum and what is the DAO?” As Alan explains, Ethereum is a public blockchain similar to the Bitcoin blockchain, with code written in such a way as to optimize programming of “smart contracts,” self-executing contracts that transmit funds or take other actions based on the occurrence of defined events. Ethereum is run by a non-profit organization, the Ethereum Foundation, and has its own native currency called Ether. The DAO is an acronym for a “distributed autonomous organization,” which is essentially an organization that can operate in a decentralized manner (for example, on a blockchain) based on its programmed code rather than the actions of any governing individuals. In this instance, “The DAO” is the first of these types of organizations, which was created to fund projects that would work on Ethereum. For most of May, people could purchase DAO tokens using Ether, and the DAO tokens gave their holders the ability to vote “Yes” or “No” on funding proposals made to the DAO by companies or individuals wanting to build things. The submission of proposals, the voting, and the funding of projects were all programmed to take place essentially without human intervention, all based on the DAO’s programmed code. (Whew!)

Now for the news—the first major splash made by the DAO was not the funding of its first project, but rather an attacker’s “recursive call” attack which allowed him/her/them to withdraw approximately 3.6 million Ether—worth about $55M at the time of the attack—by exploiting an element of the code meant to allow people to withdraw from the DAO and convert their DAO tokens back to Ether. As Alan explained (and probably needed a glass of water and maybe a snack by this point), the DAO’s creators and the Ethereum Foundation were left with only a few responses, none of them ideal—void the attacker’s transactions but by doing so, demonstrate that transactions on a public blockchain can be voided; lock up the funds and figure out the next steps, which probably leads to a voiding of the transaction; roll back the entire Ethereum ecosystem to just before the attack (kind of like reverting your iPhone to a backup) but effectively constituting a “bailout” of the DAO; or concluding that “the code is its own documentation” and anything done under the code is permissible, which preserves the integrity of the DAO (and Ethereum) but leaves the attacker holding a lot of other people’s money.

For listeners who made it through all of that, Jason explained how the New York State Department of Financial Services issued its second BitLicense, this time to Ripple (the global settlement network, not the fortified wine), and at this pace, would get to double digits in terms of BitLicenses issued by 2022. Jason noted that this comes at the same time as industry efforts to focus attention on the dangers inherent in state-by-state licensing systems, although a single federal approach seems far off at this time.

Alan described the European Parliament’s recent resolution concerning virtual currencies, which was hailed as an anti-money laundering and counterterrorism financing action but in fact covers many aspects of virtual currencies and distributed ledger technology. The main headline was Parliament’s call on the European Commission to create a Task Force on virtual currencies. Alan channels Stewart for a moment, noting that the resolution actually says that Parliament “recalls that the internet, despite attempts to promote a multi-stakeholder approach, is still governed by the National Telecommunication and Information Administration, an agency of the United States Department of Commerce.” That must still sting.

Jason notes that the blockchain has also come to DC in a big way, with one day of a three-day symposium run by the Federal Reserve, the World Bank, and the International Monetary Fund dedicated to blockchain. The White House also got into the game, holding a FinTech summit with various White House and Administration officials. The President’s Council of Advisors on Science and Technology heard from industry leaders on blockchain, and the White House Commission on Enhancing National Cybersecurity heard testimony on blockchain technology in one of its first meetings.

Finally, Alan reports on the Central Bank of Canada’s experiment with developing a digital version of the Canadian dollar based on blockchain technology. Dubbed “CAD-coin” and running on the “Jasper” Distributed Ledger Settlement Platform (rather than something more inspired and Canadian, like “Molson”), the Central Bank’s experiment with a private blockchain is meant to “better understand the technology first-hand,” and we applaud them for that.

In the interview, Jamie Smith first debunks rumors that she is, in fact, Satoshi Nakamoto, the original creator of Bitcoin (“We are all Satoshi,” Jamie graciously explains.) Jamie describes how she first got involved in the blockchain space, her experience leaving a comfortable post-Administration job at a global PR firm to join the BitFury Group, and her process of realizing that Bitcoin is not “criminal money” and that blockchain technology can change the world for the better. Jamie describes recent initiatives backed by the BitFury Group, including the Blockchain Trust Accelerator launched in conjunction with the think tank New America and the National Democratic Institute, and the Global Blockchain Business Council. Jamie also describes events at the second Blockchain Summit on Sir Richard Branson’s Necker Island (Jason attended the first Blockchain Summit last year, and Alan attended this year’s Summit). Jamie gives a shout-out to the Blockchain Alliance, the organization co-founded by the Chamber of Digital Commerce and Coin Center to create a forum for the blockchain industry to engage with law enforcement (full disclosure: Steptoe serves as counsel to the Blockchain Alliance and Jason serves as its Director).

Next week, Stewart will be back and the podcast will turn back to cybersecurity issues. As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 (202) 862-5785.

Direct download: PC122w_music.mp3
Category:general -- posted at: 11:09am EDT

European hypocrisy on data protection is a lot like the weather. Everyone complains about it but no one does anything about it. Until today.

In episode 120, we announce the launch of the Europocrisy Prize. With the support of TechFreedom, we’re seeking tax deductible donations for a prize designed to encourage the proliferation of Schrems-style litigation, but with a twist. We’ll award the prize to anyone who brings complaints that force Europe to apply the same human rights and data export standards to Russia, China, and Saudi Arabia as it applies to the US. More on the prize here.

We’re inspired to this announcement, because as Katie Cassel tells us in the news roundup, the data protection commissioner in Hamburg is hot-dogging on the privacy issue, and with relish. He has imposed fines on US companies for the offense of being caught by surprise when the Safe Harbor went down. Naturally, as far as we can tell, no similar cases have been launched against Russia, China, or any of the other countries that never even bothered to negotiate over privacy with the EU. The Europocrisy Prize, though, should go a long way to even the score.

We’re joined for the news roundup by Paul Rosenzweig of Red Branch Consulting, and he clues us in on the fight over ICANN’s future now being waged in Congress. Meanwhile, Alan Cohn explains why standing is such a high threshold for data breach plaintiffs, leading us to muse on exactly how much harm we can show from the disclosure of our naked pictures on the internet (in contrast to viewers, for whom injury may be presumed).

I highlight a workmanlike opinion from Judge Doumar on the FBI’s remote hacking of child porn aficionados. I also thank Sen. Cornyn and others on the Judiciary Committee for exposing just how little privacy groups care about ECPA reform. Sen. Cornyn has offered an amendment that would give back to the FBI the NSL access they had in 2008 to electronic communications transactions records. In order to keep Sen. Cornyn’s amendment off their reform bill, they’ve apparently ditched the whole bill.

In other privacy misrepresentation news, the UK press is full of headlines claiming that the “controversial” Investigatory Powers Act is moving forward “despite hacking and snooping fears.” Clue for the press: When the House of Commons vote to send a bill to the House of Lords is 444 to 69, calling it “controversial” just makes you look stupid and ideological. Most significantly, the bill goes out of its way to make clear that, if Apple makes the same arguments in the UK that it made against the FBI, it will lose. Tim Cook’s publicity campaign is really paying dividends, eh?

Katie explains the US Justice Department’s proposal to modify US law and streamline the production of electronic evidence to foreign governments. If they do that without extracting an end to EU data export restraints, the DOJ’s license to practice diplomacy should be revoked.

In other news, the French government has convicted Uber and two of its executives of failing to show sufficient respect to French officialdom. And the right to be forgotten turns out to be unworkable (who could have foreseen that!?).

Finally, we poll DHS alumni on whether the department’s cybersecurity organization, NPPD, should be raised to the status of a full-blown DHS component. Suzanne Spaulding will be pleased with the answer.

Note: Our interview with Rep. Will Hurd was delayed at the last moment, so we’re releasing it separately from the episode 120 news roundup.

As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

Direct download: E_120.mp3
Category:general -- posted at: 11:32am EDT

Our guest for episode 119 is Kevin Kelly, founding executive editor of Wired Magazine and author of The Inevitable: Understanding the 12 Technological Forces that will Shape our Future. Kevin and I share many views – from skepticism about the recording industry’s effort to control their digital files to a similar skepticism about EFF’s effort to control private data – but he is California sunny and I am East Coast dark about where emerging technology trends are taking us. The conversation ranges from Orwell and the Wayback Machine to the disconcerting fluidity and eternal noobie-ness of today’s technological experience. In closing Kevin sketches a quick but valuable glimpse of where technology could take us if it comes from Shenzhen rather than Mountain View, as it likely will.

The news roundup leavens deep thoughts about the future with loose talk about sex and politics. I ask whether the FOIA classification review of Hillary Clinton’s email is compounding the damage done by her use of a homebrew server. I discover the weird connection between leak defenders like Julian Assange and Jacob Appelbaum and sexual extortion – and even offer a theory to explain it (caution: involves threesomes). And we award the Dumbest Journalism of 2016 prize to Jason Leopold, Marcy Wheeler, and Ky Henderson for a VICE article that spends thousands of words trying in vain to justify its headline – and also manages to bury the only interesting news the reporters turned up. (They have pole-dancing competitions in China? And the organizer invited Edward Snowden’s girlfriend to compete, just as Snowden was getting ready to release NSA’s files? Sounds like a great story, but the authors dropped it in favor of tendentious NSA bashing.) And to cap the week off, North Korea cloned Facebook for its nomenklatura, only to have a Scottish teen take it over because the logon credentials were left at “admin” and “password.”

More seriously, I report that USTR will in the future try to negotiate limits on data localization even for financial institutions. Maury Shenk reports on the successful EU jawboning of big American tech companies to crack down on “hate speech” on line.

Organizations whose hate speech has mainly been aimed at Smith v. Maryland and the third party rule had a bad week, I note, as the only circuit to require warrants for cell-site location recedes in an en banc opinion that drastically cuts the Supreme Court’s incentive to grant cert on the issue.

Maury reports on delays to the EU’s Paris-related changes in anti-money-laundering regulation. And I puzzle over the newfound enthusiasm in Republican and cable industry circles for FTC-style privacy regulation.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.


Direct download: Podcast_119.mp3
Category:general -- posted at: 4:19pm EDT

Episode 118 digs deep into DARPA’s cybersecurity research program with our guest, Angelos Keromytis, associate professor at Columbia and Program Manager for the Information Innovation Office at DARPA. Angelos paints a rich picture of a future in which we automate attribution across networks and international boundaries and then fuse bits of attribution data as though they were globules of the Terminator reassembling into human form. 

Direct download: Podcast_118.mp3
Category:general -- posted at: 8:20am EDT

Our guest, Patrick Gray, is the host of the excellent Risky Business security podcast. He introduces us to the cybersecurity equivalent of decapitation by paper cut and offers a technologist’s take on multiple policy and legal issues. In the news roundup, Michael explains the many plaintiff-friendly rulings obtained by the banks suing Home Depot over its data breach. We wonder whether the rulings are so plaintiff-friendly that the banks will eventually regret their successes. Michael also explains just how deliberately meaningless is the Supreme Court decision in Spokeo, Inc. v. Robins.

Alan Cohn lays out the new DOD rule requiring government contractors to adopt basic cybersecurity measures. Michael explains why the court rejected Mozilla's bid to intervene in the big FBI-child porn case. I cheer Google on in its appeal of the egregious CNIL ruling extending French “right to be forgotten” censorship to the world – and mock the handful of Senators who have gone on record as favoring legislation to overturn the Rule 41 changes and make the internet safe for child exploitation. Finally, Alan explains why the SEC thinks cybersecurity is the top threat to financial systems.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_117.mp3
Category:general -- posted at: 12:56pm EDT

Ransomware is the new black. In fact, it’s the new China. So says our guest for episode 116, Dmitri Alperovitch, the CTO and co-founder of CrowdStrike. Dmitri explains why ransomware is so attractive financially – and therefore likely to get much worse very fast. He and I also explore the implications and attribution of the big bank hacks in Vietnam and Bangladesh.


In the news roundup, Michael Vatis reports on the new federal trade secrets law. In addition, inspired by the Edelson firm’s sealed complaint against a Chicago-based law firm for cybersecurity failings, Steptoe’s chair emeritus, Roger Warin, charts the legal and strategic terrain of suing law firms for bad security. The hazards of class action litigation in this field are illuminated by the district court’s recent ruling on the Zappos breach, which Michael unpacks for us.


Unable as always to resist a sitting duck, I quote the FTC’s condescending Congressional testimony promising to give the FCC the benefit of its 40 years of security expertise. It plans to offer comments on the FCC’s proposed privacy regulations. But the FTC fails to note that in all those 40 years, it has never had occasion to ask anyone for comment on its own privacy or security standards – which are scattered haphazardly across a series of brochures and weblinks and consent decrees. As I point out, that makes it hard not just for companies that want to comply, but also for the FTC, which has no way to amend its outdated security guidance, most notably the bad advice it gave several years ago about requiring employees to change passwords frequently. Maybe it’s time for the FCC to return the favor, and give the FTC the benefit of its own years of experience in actually issuing and taking comment on proposed regulations.


As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Direct download: Podcast_116.mp3
Category:general -- posted at: 4:46pm EDT