Due to technical difficulties, the interview for the 103rd episode will be released as a separate post next week.  In the news roundup, we explore Apple’s brief against providing additional assistance to the FBI in its investigation of the San Bernardino killings. Michael Vatis finds good and bad in the brief – some entirely plausible arguments about burden mixed with implausible ones aimed more at the public than at the magistrate judge. I suggest that the burden argument may be weaker than it seems, both because the costs can be spread over many requests for assistance and because the accounting of work to be done feels “as padded as a no-bid government contract offer.” Which, now that the FBI has offered to pay Apple’s costs, is pretty much exactly what it is.

In other news, Michael and Jason Weinstein look at the California AG’s breach report, and its unlikely suggestion that the states adopt a unified approach to breach reporting. And I offer highlights and lowlights from the DHS guidelines for information sharing, shining particular light on a troubling proposal that some shared fields will have to be scrubbed by human beings before the information is passed on to at-risk sysadmins. In the words of Silicon Valley, human review doesn’t scale.

As always, the Cyberlaw Podcast welcomes feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com. If you’d like to leave a message by phone, contact us at +1 202 862 5785.

What is the most surprising discovery a law firm partner makes when he jumps to the National Security Agency? I direct that and other questions at Glenn Gerstell, who has just finished six months in the job as General Counsel at the National Security Agency.

In the news roundup, we begin, of course, with the fight between Apple and the Justice Department. I open the discussion by reminding the audience that the war on terror cannot be a war on one of the world’s great religions and insisting that Apple remains a religion of peace. Michael Vatis describes the Justice Department’s latest filing, and we trade for deep discovery, not only at the FBI but also at Apple.

CFIUS has released its annual report – only eighteen months late – and the report shows continuing tough review standards from the Committee, Stephen Heifetz reports. There is no sign yet that Chinese acquisitions will experience a smoother ride in future.

Michael and I report on Google’s new effort to accommodate European data censors by geolocating users of google.com.

Finally, the judiciary is allowing defense lawyers to take a close look at the code used by the FBI to capture data about users of a child porn site seized by the Bureau.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Second Annual Triple Entente Beer Summit again filled the Washington Firehouse loft with an audience at least as knowledgeable as the panel, which consisted of Ben Wittes, Shane Harris,Stewart Baker, Tamara Cofman Wittes, and Alan Cohn. The Triple Entente Beer Summit brings together members of the Lawfare, Rational Security, and the Steptoe Cyberlaw podcasts.

The topic of the day was the confrontation between Apple and the Justice Department over gaining access to the iPhone used by one of the terrorists responsible for the mass killing in San Bernardino, California. Suffice it to say that the podcast was not sponsored by Apple, nor will it be any time prior to the heat death of the universe.

We also dig into the Nitro Zeus story, claiming that in 2009 the United States prepared a massive cyberattack on Iran as an alternative to kinetic action in the event that nuclear talks failed and Iran began a nuclear breakout.

Finally, the panel explores the administration’s rekindled enthusiasm for CVE – countering violent extremism. We provide a definitive answer to the question, “Do we need more GS-14s tweeting on terrorism?” And Tamara Wittes challenges us to find the difference between late Obama and late Bush in the messaging department.

Then the audience takes over, greatly raising the tone of the podcast with a series of thoughtful questions for the panel.

It was a fine evening, and we look forward to another reunion soon.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

We devote episode 100 to “section 702” intelligence – the highly productive counterterrorism program that collects data on foreigners from data stored on US servers. What’s remarkable about the program is its roots: President Bush’s decision to ignore the clear language of FISA and implement collection without judicial approval. That decision has now been ratified by Congress – and will be ratified again in 2017 when the authority for it ends. But what does it say about the future of intelligence under law that our most productive innovation in intelligence only came about because the law was broken?

Our guest for the episode, David Kris, thinks that President Bush might have been able to persuade Congress to approve the program in 2001 if he’d asked. David may be right; he is a former Assistant Attorney General for National Security, the coauthor of the premier sourcebook on intelligence under law, "National Security Investigations & Prosecutions,” and the General Counsel of Intellectual Ventures. But what I find surprising is how little attention has been paid to the question. How about it? Is George Bush to FISA what Abraham Lincoln was to habeas corpus?

My interview with David leaves Lincoln to the history books and instead focuses entirely on section 702. David lays out the half-dozen issues likely to be addressed during the debate over reauthorization, including the risk that the legislation will attract efforts to limit overseas signals intelligence, now governed mainly by Executive Order 12333. He then pivots to the issues he thinks Congress should grapple with but probably won’t – from the growing ambiguity of location as a proxy for US citizenship to the failure of current intelligence law to adequately extract intelligence from the technologies that have emerged since 9/11, particularly social media and advertising technology.

In the news roundup, Maury Shenk and Michael Vatis take us deep into the US-EU agreement on “Privacy Shield” – a replacement for the Safe Harbor. The short version: there’s many a slip twixt cup and lip, but the EU has once again taken off the table its unenforceable threat to stop transatlantic data flows.

In other news, Michael and Alan explain how HIPAA became a divorce lawyer’s dream weapon.

The Brits, meanwhile, are lapping the United States in creative use of intelligence law. Maury and Michael explore how the UK proposes to bring the big webmail providers to heel.

I note the controversy at Berkeley over some garden-variety network monitoring, adopted in response to a serious health data breach. University academics are appalled to discover that protecting patient privacy might limit their ability to do what they want on university networks. HIPAA enforcers v. entitled academic lefties: all I ask is more popcorn.

Hey, remember Norse Security, the company that went to the press to say that the FBI was all wet when it attributed the Sony attack to North Korea? Well, Norse imploded last week, after a laid-off employee’s published criticisms were amplified by security blogger Brian Krebs. Choicest bit from the Norse co-founder’s post: the company’“demonstrat[es] how today’s media can be manipulated by persons to suit their purposes or personal vendettas and how facts can be misrepresented to lead an entire industry astray.” Yep. You know what they say: Live by the flashy but inaccurate press report, die by the flashy but inaccurate press report.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Our guest is Amit Ashkenazi, whom I interviewed while in Israel.  Amit is Legal Advisor of The Israel National Cyber Bureau and a former general counsel to Israel’s data protection agency.  Israel is drafting its own cybersecurity act, and we discuss what if anything that country can learn from the US debate – and what the US can learn from Israel’s cybersecurity experience.  We explore the challenges Israel will face in trying to start a new cybersecurity agency, how Israel strikes the balance between security and privacy, the risks of using contractors to staff a new agency, the danger of stating agency authorities with too much specificity, and why the agency is likely to look more like DHS than the FBI. 

In the news roundup, I discuss the dynamics of the Safe Harbor talks with Maury Shenk, boldly predicting that the EU will cave on the remaining issues once it’s convinced the US means business.

Jason Weinstein and I talk about the Judicial Redress Act and the gratifying Senate Judiciary Committee amendment – an amendment that the EU must have seen as a bad sign for the future if the Safe Harbor talks fail.  The Act is intended to facilitate the Justice Department’s “umbrella” agreement over data protection and law enforcement.  We conclude that it is a largely one-sided set of concessions by the United States in return for an illusory “data peace in our time.”  We nonetheless find a fine reason for the Obama administration to have accepted all these limits. 

How do you graduate as a conservative with two Harvard degrees? We learn this and much more from Sen. Tom Cotton (R-AR), our guest for episode 96 . We dive deep with the Senator on the 215 metadata program and its USA FREEDOM Act replacement. We ask what the future holds for the 702 program, one of the most important counterterrorism programs and just entering yet another round of jockeying over renewal; Sen. Cotton has already come out in favor of making the program permanent. To round things out, Sen. Cotton assesses the risks of Going Dark for our intelligence community and the difficulties that the Safe Harbor negotiations pose for US intelligence.

In the news roundup, evidence mounts that someone has hacked the Ukrainian electric grid.  Michael isn’t ready to point the finger at Russia yet; but I pretty much am. Whoever gets the blame, this probably means another aspirational cyberwar norm down the tubes.

In the United Kingdom, US tech firms are lobbying against a security bill, but Maury Shenk questions whether they’re mainly complaining about rules that are already part of UK law.

In the US, administration officials and Silicon Valley are happy talking about cooperation to discourage terrorist use of social media, but Michael isn’t sure what will come of the effort. I unveil a half-baked proposal to activate a Mom Squad, on the theory that the best weapon against radicalization of adolescents is letting their parents know what they’re up to. Michael reminds me that the government can’t tell Mom without getting a search warrant for private content, just as my daughter calls to say she’s been reading my blog and I need an intervention.

File this one in the bulging folder labeled “Privacy protects the privileged”: Volkswagen says it can’t comply with US government investigative demands because of the privacy of its employees – apparently including the privacy of employees who lied to US investigators. Maury and I explore VW’s data protection justifications, all of which seem, well, arguable.

And in short takes, as predicted, Justice wants to moot the Klayman/Leon victory over NSA. Meanwhile, NSA's General Counsel makes his maiden public statement in Lawfare, and says a few things that the Cruz campaign will welcome. Defense counsel are making explosive charges against the FBI’s handling of a child porn investigation. And in the tastiest privacy irony of the week, the EU’s otherwise pointless "cookie notice" requirement turns out to be great news for malware distributors, if no one else. Where would we be without the steady hand of wise European data protection officials?

Finally, after weeks of cajoling, our listeners have come through. We have entries in the iTunes podcast reviews, and we’re averaging five stars. Many thanks!

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the ninety-sixth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.