Does the FISA court perform a recognizably judicial function when it reviews 702 minimization procedures for compliance with the Fourth amendment? Our guest for episode 115 is Orin Kerr, GWU professor and all-round computer crime guru. Orin and I spend a good part of the interview puzzling over Congress’s mandate that the FISA court review what amounts to a regulation for compliance with an amendment that is usually invoked only in individual cases. Maybe, I suggest, the recent court ruling on 702 minimization and the Fourth amendment doesn’t make sense from an Article III point of view because the FISA judges long ago graduated from deciding cases and controversies to acting as special masters to oversee the intelligence community. We also explore an upcoming Orin Kerr law review piece on how judicial construction of the Fourth amendment should be influenced by statutes that play in the same sandbox. 

In the news roundup, Maury Shenk provides an overview of the data protection logjam now building up in Brussels, including EU Parliament approval of the new US-EU law enforcement agreement. In FTC news, Katilin Cassel explains why Amazon is liable for kids’ in-app purchases; I seize on recent UK government advice not to change passwords too often to mock the FTC for its outmoded advice on the topic and its inability to shed its old guidance gracefully; and Maury and I examine how and why the FTC is enforcing quasi-voluntary privacy regimes like the Privacy Shield/Safe Harbor.

Katie explains HHS’s remarkable new enforcement policy – imposing large fines on health providers who voluntarily disclose a paperwork omission that caused no actual privacy harm. I flag the First Circuit’s decision to create a circuit conflict on the meaning of the Video Privacy Protection Act.

I express astonishment that the tech press continues to think there’s a constitutional problem with forcing someone to use his fingerprint to unlock a phone. The Onion and Operation Vowel Lift also make an appearance.

Our guest for episode 114 is General Michael Hayden, former director of the NSA and CIA; he also confirms that he personally wrote every word of his fine book, Playing to the Edge: American Intelligence in the Age of Terror. In a sweeping interview, we cover everything from Jim Comey’s performance at the AG’s hospital bedside (and in the Clinton email investigation) to whether the missed San Diego 9/11 calls were discovered before or after the 215 program was put in place. Along the way, we settle the future of Cyber Command, advise the next president on intelligence, and lay out the price the intelligence community is paying for becoming so darned good at hunting terrorists.

Michael Vatis and I do the news roundup. It’s bad news this week for the same child porn defendants who got good news last week, when a court overturned the search warrant used to search their computers after they visited an FBI-run Tor node. Now, though, the Supreme Court has approved a change to Rule 41 authorizing geographically unbound search warrants in computer cases. Unless Congress comes to their rescue by rejecting the proposed rule change, an unlikely prospect indeed, the new rule will take effect at the end of the year.

Well, that was fast, at least by the standards of Washington lawyers. We’ve gone from attribution to proposed retribution in less than two years. Indictments in 2014 charged that the Chinese government had broken into US Steel’s computer network. Now US Steel is claiming that the hackers stole advanced steel technology and gave it to a Chinese competitor, and it’s asking the International Trade Commission to exclude the competitor’s products from the United States, on the ground that stealing secrets is an unfair trade practice. With the government eager to send a message on commercial cyberespionage, look for plenty fireworks over the next year as the case is brought to judgment.

The big FISA news revolves around notices given to litigants when section 702 played a role in their cases. A rare notice of that kind has been given to an Iraqi refugee accused of traveling to Syria. He has promised a constitutional challenge. Meanwhile, if you’re wondering whether OFAC uses 702 intelligence to issue sanctions, and whether the targets get notice when that happens, the New York Times is fighting to get those answers, using FOIA. It’s losing. Congress is also taking a harder look at 702, with fourteen of the usual suspects asking DNI Clapper to estimate how many Americans’ communications are swept up in the program.

In other news, Michael notes that Nebraska has expanded its breach law to cover more data – and to make sure that the encryption exception only applies to encryption that’s not fatally compromised.

No holds are barred as a freewheeling panel of cryptographers and security pros duke it out with me and the Justice Department over going dark, exceptional access, and the Apple-FBI conflict. Among the combatants: Patrick Henry, a notable cryptographer with experience at GCHQ, NSA, and the private sector; Dan Kaminsky, the Chief Scientist at White Ops; Kiran Raj, who is Senior Counsel to the Deputy Attorney General; and Dr. Zulfikar Ramzan the CTO of RSA Security. Our thanks to Catherine Lotrionte who generously agreed to let me record this one-hour panel at her remarkable Annual International Conference on Cyber Engagement.

In the news roundup Maury Shenk discusses the real and mythical import of the UK’s pending surveillance bill, and I mock the journalists who claimed to find scandal in GCHQ’s elaborate compliance regime for access to bulk personal data. Alan Cohn and I return to the Apple-FBI fight, and I can’t help pointing out that Apple, the self-proclaimed champion of security, didn’t bother to tell its customers that it was no longer providing security patches to QuickTime on Windows. Alan manages to explain Apple’s thinking with two words: “on Windows.”

The FBI’s decision to manage a child porn distribution node for a few weeks and prosecute its customers has come a cropper, but not for the reason you might think. Instead, Alan reports, at least one court is now willing to enforce the limits of Rule 41 and declare that a Virginia magistrate cannot issue a search warrant for a computer located in Massachusetts. That ups the stakes for the ongoing effort to amend this problem out of the Federal Rules.

I read an 80-page FISA opinion so you don’t have to. One of the technolibertarians’ favorite proposals – requiring warrants for searches of already-collected 702 data – has now been briefed to the court by one of the first FISA amici. And rejected. The argument was slapped down in an opinion by Judge Hogan. In the old days, government critics would have been able to press such an argument for years; now, thanks to the vigilant FISA amici and the transparency in FISA opinions that they cried for, that argument has suffered a body blow before it has even built up a head of steam.

And, just to show that we yield to no one in condemning abusive government data collection, I brief our listeners on where all the data created by their cheap Chinese drones is ending up – and which government has access to it. Suddenly, European-style data export bans are acquiring a strange new appeal.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

European news and sensibilities dominate episode 112. I indulge in some unseemly gloating about Europe’s newfound enthusiasm for the PNR data it wasted years of my life trying to negotiate out of the US counterterrorism toolbox. I pester our guest, Eric Jensen, about his work on the Tallinn 2.0 manual covering the law of cyberwar; the manual seems to offer an ever-more-European take on cyberweapons and the law of armed conflict. And if you think that’s a compliment, you haven’t been listening.

In other European news, Michael Vatis notes that the European Parliament has formally approved the EU’s sweeping new data protection regulation. And Maury Shenk tells us the Privacy Shield is acquiring a few dents, particularly from the Article 29 Working Party of data protection regulators, who are raising hard questions about US intelligence policy.

The fad for ruling that phone location records can only be obtained with a warrant may be receding. Michael says that another circuit has rejected the claim, while the last circuit to credit the notion has now gone en banc.

There’s better news for privacy campaigners in the House, where the Judiciary Committee has reported out a bill requiring warrants for even very old email content. It will face more scrutiny in the Senate, I predict, and with luck will attract a few balancing amendments that favor law enforcement and intelligence.

In Apple news, the FBI files the world’s shortest brief, saying “Yes we still want the data on that New York iPhone.” Leakers say the FBI hasn't learned much from the unlocked San Bernardino iPhone, a phone which it appears the FBI paid professional hackers a one-time fee to crack.

Alan Cohn and I have fun unpacking a report that the US government has worse cybersecurity than any other industry segment. Among agencies the FTC fares far better than NASA, and I manfully admit that the Commission must be doing something right.

Michael notes that the Seventh Circuit has again found plaintiffs to have standing in a data breach case, this time on grounds that will make future breach notices a lot less user-friendly.

Alan and I offer at least faint praise for the White House Commission on Enhancing National Cybersecurity. And Uber issues a transparency report that (surprise!) does more to serve the company’s interests than to educate the public.

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Just how sophisticated are the nations planning and carrying out cyberattacks on electric grids? Very, is the short answer. Our guest for episode 111, Suzanne Spaulding, DHS’s Under Secretary for the National Protection and Programs Directorate, lays out just how much planning and resources went into the attack on Ukraine’s grid, what it means for US industry, the information sharing that can mitigate the consequences, and why the incident reinforces the need to stand up the Cyber and Infrastructure Protection Agency at DHS.

Our news roundup concentrates on the draft Senate bill on encryption from Senators Burr and Feinstein. Not surprisingly, I find the critics to be mostly off point and occasionally unhinged in inimitable tech-sector fashion. Sen. Wyden condemns the bill, and no one is surprised. The White House ducks a fight over the legislation, and mostly no one cares any more. I offer the view that as more Silicon Valley firms adopt easy, universal, unbreakable crypto, the tide will slowly turn against them, as the list of crypto victims keeps getting longer.

Kaitlin Cassel and Alan Cohn unpack the consequences for law firms of the Mossack Fonseca leak, and Suzanne Spaulding weighs in with advice for the legal profession.

The US adds China’s Internet controls to its list of trade barriers. Kaitlin and I muse on the significance of that step (short term: none; long term: we could see a WTO case against China).

As always, the Cyberlaw Podcast welcomes feedback. Send e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe recently held a client briefing in its Palo Alto office on developments in the Chinese legal and regulatory environment that are impacting US technology companies operating in China. I took advantage of the event to sneak in a quick discussion with Susan Munro and Ying Huang of Steptoe's China practice, on how China is regulating the Internet, with special emphasis on data protection, data localization, and more.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In episode 109, we interview Perianne Boring of the Chamber of Digital Commerce on the regulatory challenges of bitcoin and the blockchain. In the news roundup, we bring back Apple v. FBI for what we hope will be one last round, as the San Bernardino magistrate voids her All Writs Act motion for mootness and attention shifts to other investigators hoping to crack iPhone security, both in the US and in Europe. 

In a change of pace, I dip into the Hillary Clinton email scandal, wondering whether US intelligence agencies caught foreign spies exploiting Clinton’s unsecured emails on her first trip to Asia. Alan Cohn reminds me that using government networks wouldn’t have exactly guaranteed their security.

Kaitlin Cassel makes her first appearance on the podcast, explaining the FCC’s new ISP privacy rules. We all try, unsuccessfully, to figure out why the FTC is so sure it knows more about privacy and security regulation than the FCC.

Alan and I explore the flap over insider-trading attacks on BigLaw, and I wonder out loud whether the whole story is hype. What’s not hype, however, is a breaking story on the biggest data spill in history, which outs the hidden assets of everyone from Putin cronies to Icelandic pols.

The FBI’s reluctance to expose its investigative techniques to the world did not begin with the iPhone, I remind listeners; the Bureaus is fighting a court order demanding that it turn over its Tor exploit source code to a defendant in a child porn case.

And speaking of “privacy” tools that turn out to be mostly boons for criminals, the US government-funded Tor Project is sinking ever deeper into swamps of human depravity. According to Cloudflare, 94 percent of Tor traffic is per se malicious. And according to other sources, most of the remaining 6% is to child porn and other criminal sites. I’m not sure how many more privacy victories like that the tech world can afford. And if you were wondering whether that’s just a one-off, check out the remarkable story of everyone’s favorite encryption program – which it turns out was mostly created by a Deep Nerd who evolved into a no-kidding, murder-for-hire monster. But don’t worry. I’m sure there’s no connection between a burning desire for privacy and a burning desire to do things abhorred by the overwhelming mass of humankind. It’s probably just a coincidence.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

It’s an extended news roundup with plenty of debate between me and Nuala O’Connor, the President and CEO of the Center for Democracy and Technology (CDT). We debate whether and how CDT should pay more attention to Chinese technology abuses and examine the EU ministers’ long list of privacy measures to be rolled back and security measures to be beefed up in the wake of the Brussels and Paris Daesh attacks.

Meredith Rathbone reports on the sanctions case of the decade, as ZTE gets hit with a bag full of bricks – or is it marshmallows? – for its role in flouting US export controls. We speculate about why the US danced an enforcement two-step in this case – and who its next dance partner might be.

The Justice Department has launched a second set of indictments against foreign cyber hackers, this time aimed at Iranians who DDOS’s US banks and tried to flood the basements of Rye, NY, suburbanites. Michael Vatis and I speculate on whether other finance ministers might agree that sanctions should be imposed on those who hack banks – and on whether the Southern District will overreach in its forfeiture tactics.

I fume over the French bureaucracy’s claim that it can regulate what Americans are allowed to read on line. Nuala weighs in, and we find ourselves – mirabile dictu – in broad agreement about the dangers of the “right to be forgotten.”

I confess to uncharacteristically muted views about whether NSA should share raw traffic with other agencies. Nuala almost does the same.

And as a palate cleanser, who can resist a bitter, pointless turf fight, complete with public disparagement of one regulator by another? Hatfield v. McCoy? Stalin v. Trotsky? Hamilton v. Burr? They got nothin’ on FTC v. FCC, as FCC Commissioner Ohlhausen makes the imprudent decision to hold up FTC’s inscrutable security regulation as a gold standard – just when LabMD is making it look more like a protection racket.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

What kind of internet world order does China want, and will it succeed? That’s the question we ask Adam Segal, Maurice R. Greenberg Senior Fellow at the Council on Foreign Relation and author of The Hacked World Order. We review China’s surprising success at getting tech companies to help it build an authoritarian Internet – the technological equivalent of persuading Jello to nail itself to the wall. Meanwhile, every nation, it seems, is busy reasserting sovereignty over cyberspace. Except the United States. Which raises the question whether other countries will decide to assert sovereignty over our cyberspace. We’re the Syria of cyberspace!

In the news roundup, I note that an apparent FBI raid on Tiversa is making the FTC look more and more like the dumb muscle called in to enforce someone else’s shakedown scheme. Imagine Edith Ramirez as The Hulk: “LabMD bad! FTC smash!”

Maury Shenk examines the latest Spanish decision on Google and the Right to Be Forgotten and I conclude that it’s classic TL;DR material.

Turning next to the FBI-Apple fight, I thank the President for opening SXSW for me and muse on his surprisingly strong endorsement of the FBI’s position. I also dissect the “lawyerly” affidavit submitted by Apple to deflect (though not answer) the questions I asked in an earlier blog post.

Maury and I consider whether WhatsApp is likely to be hit with an Apple-style wiretap order due to its strong end-to-end encryption, and I am surprised to hear that WhatsApp may have its own intercept backdoor, which makes an Apple order more likely.

Alan Cohn explains how a lost laptop can cost you $3.9 million. And I claim vindication when the Home Depot breach lawsuits settle at or below the Baker Range of $.50 to $2.00 per victim. Home Depot gets its bill down to $.10 to $.50 per victim – though that’s before the banks take their cut.

If you’re left feeling sorry for the plaintiffs’ bar, though, I have one word for you: malvertising. Alan notes that I’ve waited a lifetime to be able to sue the BBC and New York Times, but that time has come, as both have apparently infected their readers with ransomware.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In bonus episode 106, Stewart and Alan interview Phil Reitinger, former DHS Deputy Undersecretary for Cybersecurity and Sony Corporation CISO and current Director of the new Global Cyber Alliance, making up for the famous “lost episode” that Stewart and Alan recorded with Phil on the sidelines of the RSA Conference (“The best interview I ever conducted,” according to Phil).

Stewart first asks Phil about his old organization, DHS’s National Protection and Programs Directorate (NPPD).  Phil waxes eloquent about the triumphs and travails of NPPD, and also wonders what the impact on NPPD will be from President Obama’s recent creation of a Federal Chief Information Security Officer in the Executive Office of the President (Alan wonders—less eloquently—about that too).  Phil also notes that “we are all medieval barbers” when it comes to knowing how to treat today’s cybersecurity ills (“We know where to put the leeches, but that’s about it,” says Phil).

We then get to the meat of the interview.  Alan asks Phil all about the new Global Cyber Alliance, launched in partnership with the Center for Internet Security, the New York County District Attorney’s Office (and its asset forfeiture funds), and the City of London Police Department.  Phil explains that the Alliance will not follow the example of other organizations that are long on talk and short on action, and instead will gather subject matter experts to focus specific things, using the mantra of “Do Something.  Measure It.”  The Alliance will look in particular for issues where the global cyber community has an answer to a problem, but is struggling with implementation; the Alliance will provide the project management backbone to allow ad hoc groups of subject matter experts to drive towards implementation of the solution.  Ultimately, the Alliance wants to move from addressing specific risks to measuring and mitigating systemic cybersecurity risk—for example, the global risk of DDOS attacks— but the Alliance has no intention of leaving discrete problems unsolved while it searches for ways to address systemic problems.  Phil also explains that despite its founding partners, the Alliance will not be solely focused on cybercrime or prosecution issues, but rather will be focused on prevention.

Finally, Stewart and Phil talk about the FTC and FOIA, noting that Steptoe represented Phil in a FOIA action against the FTC to get it to disclose exactly what standards it is holding business to regarding cybersecurity and data privacy.  Phil colorfully explains the different ways in which the FTC told him to “pound sand,” and also throws around fancy legal terms like the “non-delegation doctrine."

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail toCyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.