The Cyberlaw Podcast

Our guest this week is Joanne McNabb, Director of Privacy Education and Policy for the California Attorney General’s Office.  Joanne discusses the findings and recommendations in the recently released 2014 California Data Breach Report.  She also offers insight into some of the key factors the Attorney General’s Office considers in deciding whether or not to investigate a breach.  Finally, she discusses changes in California privacy law that will go into effect on January 1 – including SB568, the so-called “online eraser” for minors seeking to delete unwanted posts, and AB1710, which extends data security requirements to companies that “maintain” personal information, not just those that own or license it.  Finally, she settles a dispute only privacy lawyers could find interesting regarding the scope of AB1710’s provision requiring identity theft prevention/mitigation services.

We almost got through the week without any NSA news, but the FISA court made the news for doing exactly what you’d expect – renewing the section 215 orders for metadata.  More interesting was the news from Turkey, which effectively rewrites the history of cyberwar, and it no longer begins with Stuxnet.  It looks as though Russia launched a distinctly kinetic and sophisticated cyberattack in 2008 on the Turkish-Azeri pipeline that threatened to break its chokehold on Caspian oil.  Michael Vatis takes the day off to file an amicus brief in support of Microsoft in the fight over overseas warrants.

The Sony breach fallout continues to be severe. Things are bad enough that the Hollywood Reporter is asking me to write op-eds. We question whether Sony is really resorting to “active measures” to block distribution of the stolen files. And Aaron Sorkin calls the media “dishonorable” for publishing all these leaked documents. Funny, but I don’t remember him saying the same thing when it was Manning and Snowden putting stolen docs on the front page.

Chris Conte explains the SEC’s new cybersecurity rules for exchanges and other trading platforms.

And the lame duck allows cybersecurity legislation to pass in a convoy:  Five cybersecurity bills, all modest in impact, were adopted by Congress in the last few days:

            S. 1691 – allowing pay flexibility to attract cybersecurity professionals;

            H.R. 2952 – requiring DHS to adopt a workforce strategy and assessment plan;

            S. 2519 – authorizing  DHS to run an integration center providing threat information to civilian agencies and modifying federal government data breach rules;

            S. 1353 – a very NIST-centered set of authorizations for cybersecurity awareness, research and workforce measures that may or may not be funded

            S. 2521 – confirming DHS’s role in providing FISMA oversight under OMB guidance

And Sony has company. It turns out that an Iranian hack on the Sands Las Vegas may be first cyberattack on US soil. Both Sony and Sands join the DDOS attacks on our banks as cyberattacks on the US that have gone unanswered. Instead of a digital Pearl Harbor, it looks as though we’re getting a lot of digital Sudetenlands.


We remind everyone that the Podcast welcomes feedback, either by email ( or voicemail (+1 202 862 5785).

Direct download: Podcast_47.mp3
Category:general -- posted at: 2:49pm EST

Our interview focuses on Shane Harris and his new book, @War:  The Rise of the Military-Internet Complex.   It’s a good read and a good book, marred by the occasional deployment of easy lefty tropes – government contractors are mercenaries, the military sees war as an opportunity to expand turf, cybersecurity is a threat to privacy, anonymity is all about rights, etc.  But Harris is first and foremost a storyteller, and his zeal for the story is far more important to him than ideology.  When he tells the story of the guys who used cybertactics to break al Qaeda in Iraq during the surge, or of the banks’ cyberbattle with Iran, he lets the reader decide who to root for. 

We talk about some of the more surprising stories that Harris tells, including: 

            The (contested) claim that Chinese hackers caused a large Florida blackout by mistake

            The mismatch between an estimated 300-1000 US government hackers and China’s estimated 20 thousand  (A land war in Asia could be coming to a network near you)

            Harris’s controversial suggestion that the banks may be assembling their own zero-day exploits in preparation for a hackback campaign against Iran

            The possibility that foreign governments systematically compromised the networks of American natural gas pipeline companies in preparation for an attack – and whether we’d even know when cyberweapons had been used

In our news roundup, we start with This Week in NSA, but the latest Intercept story on NSA and cell phone interception is so boring and opaque it’s practically encrypted.   So we switch to This Week in GCHQ.   At the suggestion of a listener, we mine the UK parliamentary report on the killing of a soldier on the streets of London for lessons about the need for MLAT reform in the United States. 

Verizon escapes an FTC investigation without an eternal oversight regime.  Why?  Because of its aggressive effort to cure a security flaw or because the FTC realized it had overreached?  You be the judge.

We unpack the judicial decision refusing to dismiss bank claims against Target for its credit card breach, raise questions about a Boston hospital’s surprisingly cheap settlement of a privacy case arising from a stolen laptop.  And then dive into the biggest breach case of the year, maybe the decade: Sony. We think North Korea did the hack, and the lack of a US response could have bad consequences for the country.  Among other things, the only bad guys we’ll ever see in future movies are Serbs. And US government officials, of course. 


We remind everyone that the Podcast welcomes feedback, either by email ( or voicemail (+1 202 862 5785).

Direct download: Podcast_46.mp3
Category:general -- posted at: 2:58pm EST

Our guest for the week is Troels Oerting, the head of EC3, Europe’s new cybercrime coordination center.  He talks about EC3’s role in the recent take down of over 400 darknet sites, arrests of travelers using fake credit cards and of users of the Blackshades Remote Access Tool. He repeats his view that there are probably only a hundred talented criminal writers of malware, whose work is then used by a host of dimmer bulbs.  So striking at the hundred could make a big difference.  Troels Oerting thinks we’re in a position to hurt a number of them.

The interview compares US and European willingness to name and shame Chinese PLA hackers.  I ask Troels if he’d order the arrest of any of the five indicted PLA hackers if they vacationed in Europe.  And we compare US and EU legal constraints on private sector “direct action” against hackers. 

This week in the NSA:  NSA’s privacy officer speaks; and she has a sense of humor.  Regin schools hackers around the world, and German hypocrisy about NSA spying is on full display.  It turns out that Angela Merkel’s phone was being tapped by the Brits, the Chinese, the Russians and even the North Koreans.  But Merkel has yet to say that Russian, Chinese, or North Korean spying reminds her of the Stasi; only NSA seems to remind her of Communist espionage.  Meanwhile, the BND reveals that it too spies on everyone but Germans, and that it has a remarkably narrow definition of who qualifies as “German.”

Michael Vatis previews a Supreme Court argument about when online abuse passes from colorful imitations of rap lyrics to prosecutable threats.   Jason Weinstein counts the growing library of lawsuits against Home Depot and evaluates the risk.

Doug Kantor, a Steptoe government affairs partner specializing in cybersecurity issues, gives a rundown on the new, Republican-dominated Congress, including the many chair changes in both House and Senate.  Firedoglake makes an appearance.

Meanwhile, US tech companies have become all-purpose European whipping boys.  They don’t volunteer enough information about terrorists to satisfy the Brits. They don’t hide enough “right to be forgotten” information to satisfy the European privacy regulators.  And they make too much money for the European Parliament, which wants to break up Google.

The Justice Department has claimed a scalp in its campaign against spyware.  Jason has the back story. And it’s a good thing the All Writs Act didn’t come with a sunset clause, or it would too would be attracting the wrath of EFF and Silicon Valley.  Michael explains why the act is now part of Apple’s future, and Google’s too.


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_45.mp3
Category:general -- posted at: 10:44am EST

Our guest for episode 44 of the Steptoe Cyberlaw Podcast is Sal Stolfo, Professor at Columbia University’s Computer Science Department and CEO of Allure Software.  Stolfo brings an attacker’s sensibility to network security approaches usually dominated by defensive thinking.  His approach to computer security includes flooding the network with plausible fake documents wired to alarm when touched by a user.  The alarm, in turn, shuts down a user’s access and prompts for a second form of authentication.  Documents that are successfully exfiltrated persistently attempt to beacon back to the home network, betraying the attacker and his customers long after the hack.  He’s already deploying some of these concepts commercially.  It’s the kind of active defense even the Justice Department should love.

In our news roundup, This Week in NSA is dominated by speculation that the 215 program will never die.  Conventional wisdom says that the metadata program will ride into the sunset on June 1, 2015.  But a “transition” note could allow the program to last for years.   Meanwhile, the NSA director, Adm. Mike Rogers, is warning that China and one or two other countries have the ability to bring down the electric grid in the United States.

The FTC has gone to mediation with Wyndham, but no one is betting that the mediation will succeed.  And the FTC’s settlement with TRUSTe puts the privacy certification company under the FTC’s thumb for years.

Telephone companies have long been the most government-friendly of technology firms, but that may be changing.  Now even the heir of Ma Bell’s name, AT&T, has filed an amicus brief demanding clearer standards before the government could get access to location information.

One solution is for the government to cut out the middleman and get the location information directly from the consumer – by offering fake cell towers to connect to. But that tactic, and the secrecy surrounding “stingray” collection, has its costs.  Baltimore has abandoned a criminal case to keep from describing the technology and how it’s used.  And a North Carolina judge has unsealed hundreds of stingray orders.

In the words of the old country song, how can I forget you if you won’t go away?  Much as we wish the right to be forgotten would go away, that’s looking less and less likely. Google's Global Privacy Council, Peter Fleischer, has disclosed new details about how the search giant administers the right.  And Norway has (unsurprisingly) followed the rest of Europe in adopting the doctrine.  But most troubling is the news from France, where Google is facing fines of €1000 a day for refusing to apply a French defamation takedown order to its domain – or, more accurately, for not letting a French judge censor what Americans can read. 

Finally, in our first item derived from a listener request (h/t Lee Baumgardner), we look at the regulatorily challenged transport company, Uber, and its potential liability for a steady stream of privacy flaps, including its unwisely but appropriately named “God Mode.”  

Tune in next week when our guest will be Troels Oerting the Assistant Director, Head of European Cyercrime Centre (EC3). 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.



Direct download: Podcast_44.mp3
Category:general -- posted at: 3:35pm EST

Our guest this week is Amb. Daniel Sepulveda, the man charged with managing the U.S. relationship with the International Telecommunications Union.  The ambassador helps us make sense of the recent ITU meeting in Busan, South Korea, where efforts to validate a greater government role in internet affairs seem to have been turned back for another four years.  Markham Erickson, a Steptoe partner specializing in internet law, also joins regulars Jason Weinstein, Michael Vatis, and me.

This week in NSA:  The USA Freedom Act is showing signs of life, as Sen. Reid promises Sen. Leahy floor time in the lame duck session.  But with Sen. Feinstein opposed to the Judiciary-written bill, and the House having passed a different one, it’s still a long haul to get a bill to the President before the lame duck limps into history.  After a year-and-a-half-long Snowden-induced cringe, the U.S. is again raising Chinese espionage more aggressively.  But that’s the only thing that has changed in the U.S.-China dialogue on cyberespionage.  Just ask the Postal Service and the NOAA weather network.

We try out a new feature:  The Law Behind the Headlines, where we provide the legal background behind tech stories in the news: 

•           Remember that Insecam website that streams video from thousands of video surveillance cameras that are still using the manufacturers’ default login credentials?  To Jason, it looks like the world’s most public confession to thousands of criminal violations. 

•           And according to the press, law enforcement uses flying DRT Boxes (not to mention ground-based stingrays) to imitate cell towers and thus locate particular phones very accurately.  But to do so, the machines have to accept and then drop thousands of connections from the phones of ordinary Americans who aren’t suspects.  Is that legal?  How is it different from the NSA’s program of collecting data but not looking at it?  And can we get the U.S. Marshal’s service to actually connect some of the calls they get from dead spots out in Great Falls? Answers to all these questions in the podcast!

This week in bad law:  the Ninth Circuit will be revisiting the too-creative Kozinski opinion that based a takedown order on the dubious copyright claim of an actress who appeared in in “The Innocence of Muslims.” 

This week in data breaches:  Anthem Blue Cross puts a bunch of medical advice and data in the subject line of its emails to patients.  That doesn’t inspire confidence in its data security, but is HIPAA violated?  Maybe not, Jason explains.

Argentina’s Supreme Court joins the great debate over search engine liability, spurring Michael and Markham to a debate of their own.  A Justice Department advocate admits to a mistake in oral argument on how forthcoming companies can be in NSL disclosures.  We debunk left/lib claims that the mistake is a government “misrepresentation.”

Google has weighed in on another privacy issue, essentially taking Europe’s side in a long-running debate over whether and how non-Americans should be covered by the Privacy Act.  I argue that changing the Act would simply enable European unilateralism in the long privacy debate with the United States.  Amb. Sepulveda and I tangle over whether the demand is a legitimate part of negotiations over the data protection U.S.-EU Safe Harbor Agreement.


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_43.mp3
Category:general -- posted at: 10:16am EST

We share the program this week with Orin Kerr, a regular guest who knows at least as much as we do about most of these topics and who jumps in on many of them.  Orin, of course, is a professor of law at George Washington University and well-known scholar in computer crime law and Internet surveillance.

This week in NSA:  With NSA Director playing good cop in Silicon Valley, new GCHQ director Robert Hannigan seemed happy to play bad cop, releasing an op-ed saying that US tech companies were providing the “command-and-control networks of choice for terrorists and criminals” and would need to do a better job of cooperating with governments to combat terror and crime.  If nothing else, the speech is a hint to Silicon Valley that its clout in the Obama administration does not foretell success in fighting other governments’ surveillance goals. 

And, with the election over, and it looks more likely than not that the GOP will end up with a 54-46 majority next year.  We surmise that this means no action on the USA Freedom Act (or Sen. Grassley’s substitute) until Spring 2015.

Finally, the DC Circuit heard argument in the appeal of Judge Leon’s famously exclamatory invalidation of NSA’s 215 metadata program.  As expected, Larry Klayman did nothing to help his case, and the panel was considerably more skeptical about the challenge than the Second Circuit panel that heard many of the same issues.  Our best guess from the arguments:  The Second Circuit decides that the program is inconsistent with section 215, the DC Circuit finds that the program is constitutional and that statutory issue has been waived, so there’s no split in the circuits until the Ninth Circuit rules, at which point the whole issue is cert-proof anyway because the statute has expired or been revised.

Talk about opening a can of worms.  The Supreme Court’s decision in Riley that cell phones can’t be searched without a warrant has now spawned fights about what the warrant should say, and how many limits it should set on what the police can look at.  The Nebraska Supreme Court has weighed in – but leaves the police more or less in limbo.

Whether the contents of a webmail account are protected from government search depends on the webmail provider’s terms of use.  Or so says the Southern District of New York, in a decision none of us can understand or really get behind.  

Speaking of the Southern District of New York, prosecutors there may singlehandedly make more tech surveillance law than the rest of the country.  They’re fighting with a phone manufacturer to get help unlocking a suspect’s phone. 

And a Virginia court has ruled – to our utter lack of surprise -- that suspects may be forced to apply their fingers to cellphones protected by fingerprint readers.  More interesting is whether they can be forced to enter “patterns” or tell the police which finger unlocks their phone (our view: no and no).

Google has finished its “right to be forgotten” road trip, and Americans’ freedom to read accurate information is on the block in Europe.  An official of the European Commission made clear that the Commission would not rest until it had imposed its link censorship regime on and Google’s American users.  The administration’s response?  Crickets.

Data retention is making a comeback in Europe, as Sweden joins the UK in demanding continued retention despite a European Court of Justice ruling against the directive that originally led to retention requirements.

Is the financial industry worried enough about cybersecurity that it’s actually calling for more activist government action?  SIFMA’s latest call comes close.

We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email ( or voicemail (+1 202 862 5785).

Direct download: Podcast_42.mp3
Category:general -- posted at: 2:09pm EST

Our guest is one of the most highly regarded cybercrime prosecutors in the country - John Lynch, the Chief of the Computer Crime and Intellectual Property Section (CCIPS) in DOJ's Criminal Division.  Among other things, John talks about how DOJ is organized to investigate and prosecute cybercrime and about its efforts to strengthen partnerships with and build capacity among foreign law enforcement partners in what is increasingly a global fight.  John also reflects on the impact of the Snowden leaks on domestic law enforcement and on the challenges the courts and prosecutors are facing dealing with electronic evidence issues in a time of rapidly changing technology.  And we talk about the role of the private sector in cyber defense. 

This Week in NSA: “Second leaker” identified by the FBI – does Snowden have a spare bedroom? GCHQ says it can access data provided by the NSA without a warrant.  That bothers privacy groups, who apparently are unfazed by the fact that GCHQ can also access data on its own citizens without a warrant, and can get a warrant without seeing a judge.  On a related front, former FBI Director Bob Mueller calls the Snowden leaks “devastating” to efforts to investigate and disrupt national security threats, in the process noting that the US is unique in terms of the level of judicial review required for electronic surveillance.  

The ITU continues to try to take control of the Internet. Law firms become a focus of hacking concern, as NYDFS letter puts spotlight on vendor management. A Private sector coalition engages in what you might call active defense against “Axiom” group of Chinese hackers.  The FCC becomes America’s latest de facto data protection authority.

Move over China, as FireEye identifies a Russian cyberweapon.  Meanwhile, a DARPA official basically says that since we use the same popular software, we’re making it too easy for hackers.

And we bring you another candidate for Dumbest Privacy Case of the Year, involving both privacy and cleavage.


We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email ( or voicemail ( +1 202 862 5785).

Direct download: Podcast_41.mp3
Category:general -- posted at: 1:10pm EST

Our guest this week is Bob Litt, the General Counsel of the Office of the Director of National Intelligence.  Bob has had a distinguished career in government, from his clerkship with Justice Stewart, his time as a prosecutor in the Southern District of New York and at Main Justice, and more than five years in the ODNI job. 

This week in NSA:  The latest fad in news coverage of the agency is a hunt for possible conflicts of interest in its leadership.  And it’s having an effect.  Two high-ranking NSA seniors, the CTO and the head of signals intelligence have recently left positions that drew scrutiny for getting too close to private industry.  I ask Bob whether we should be pleased or worried about the trend toward individual converts to Islam carrying out random attacks with whatever weapon comes to hand.  Prudently, he refuses to be drawn into my comparison of Islamists to the Manson Family.  We debate whether the USA Freedom Act has a chance of passage in the lame duck Congress – and whether it should, focusing among other things on how the act’s FISA civil liberties advocates would function and what ethical rules would govern their day jobs.  

And we explore another ODNI project – implementing the President’s directive on protecting the privacy of foreign nationals while gathering intelligence.  Are the nation’s spies really required to wait until a foreign target’s speech goes beyond what the first amendment protects before they collect and analyze the remarks?  Will the requirement for advance justification for collection projects institutionalize risk aversion at NSA?  And can government officials look forward to intelligence reports that read like this: “[SYRIAN NATIONAL 1] asked [IRAQI NATIONAL 1] to kill [US PERSON 1]”?

Our news roundup begins with the sudden press interest in possible conflicts of interest in NSA’s leadership.  The Supreme Court takes another privacy case – one with no obvious federal connection.  Lots of city ordinances require hotels to keep guest registries – and to let the police inspect those registries on demand.  But the 9th circuit recently held en banc that these laws touch the privacy interests of the hotel owner, not just the guests, and that the laws are unconstitutional if they offer no opportunity for prior judicial review of the police demand.  Just what we need:  another opportunity for the Roberts Court to pad a narrow ruling with a lot of ill-considered dicta about Smith v. Maryland.

Harking back to last week’s interview with Tom Finan about insurance coverage for cyber incidents, we discover that where there’s insurance coverage there are also insurance coverage disputes. The head of Steptoe’s insurance coverage practice explains the P.F. Chang dispute with Travelers Insurance and hints that it’s in the first wave of what could be thirty years of litigation. Not that there’s anything wrong with that.

FBI Director Comey isn’t alone in complaining about Silicon Valley’s reluctance to help law enforcement.  Leslie Caldwell, the new head of the Justice Department’s criminal division, has joined the chorus

According to the Stored Communications Act, companies like Google may not provide the contents of emails in response to subpoenas.  So what do civil litigants do when they need access to Gmail accounts in, say, divorce cases?  The usual solution is for the court with jurisdiction over the civil suit to order the litigants to “consent” to the disclosure of their email messages.  But is court-ordered consent really consent?  According to a California appeals court, it is. Michael explains.

Whoa!  The FCC really is taking cybersecurity seriously.  It’s proposing $10 million in fines for two carriers who stored hundreds of thousands of “Obamaphone” beneficiaries’ personal data on a server accessible by anyone on the internet.

Confusion over when you need a warrant to get third party information continues to roil the courts.  The Florida Supreme Court raises the bar for cell-site location data.  And the NJ AG plots a counter-attack on a billing record warrant requirement in the Garden State.  Michael suggests a new feature to keep all the litigation straight:  This Week in Smith v. Maryland.

Lawyers with banks for clients have a new reason to upgrade their cybersecurity.  As the banks struggle with increasingly sophisticated intrusions, they’re sharing the pain, demanding that their contractors and suppliers adopt stronger cybersecurity.  Law firms are expressly included, since they’ve been targeted frequently for what inevitably will be called “bank shot” intrusions.


We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email ( or voicemail ( +1 202 862 5785).

Direct download: Podcast_40.mp3
Category:general -- posted at: 3:40pm EST

Our guest today is Tom Finan, Senior Cybersecurity Strategist and Counsel at DHS’s National Protection and Programs Directorate (NPPD), where he is currently working on policy issues related to cybersecurity insurance and cybersecurity legislation. Marc Frey asks him why DHS, specifically NPPD, is interested in cybersecurity insurance, what trends they are seeing in this space for carriers and other stakeholders, and what is next for their role in this space. He is incredibly forthcoming in his responses and even asks listeners to email him with their feedback.      

This week in NSA: The House and Senate Judiciary chairs call for action on USA Freedom Act.  And nobody cares. We conclude that the likelihood of action before the election is zero, and the likelihood of action in a lame duck is close to zero. But next week we’ll be interviewing Bob Litt, one of the prime negotiators for the intelligence community on this issue, and he may have a different view.

The Great Cable Unbundling seems finally upon us, as several content providers announce that they’re willing to sell content direct to consumers over the Internet. Does that mean more support for net neutrality? Not necessarily. Stephanie Roy explains.

Are parents responsible for what their adolescent kids do and say on Facebook? That makes sense, if you’ve never had adolescent kids. Maybe that explains why Michael Vatis sees merit in the Georgia appellate court decision finding potential liability. It reversed the trial court, which had granted summary judgment in favor of the parents of a kid who set up a fake and defamatory Facebook page in the name of a classmate he hated. The facts are a little odd. The kid who set up the page never took it down, even after he’d been caught and punished by school and parents. The appeals court thought that the parents had a “supervisory” obligation to make their child delete the fake account, and that they could be held liable for negligently failing to do so. It’s quite possible, though, that everyone in this case is a Privacy Victim; the issue could have been hashed out with a phone call from the parents of the victim to the parents of the perpetrator, but according to the press, “the child’s parents didn’t immediately confront the boy’s parents because their school refused to identify the culprit.” Because privacy.

FBI Director Comey comes out swinging for CALEA reform, saying in a speech at Brookings that the law needs to be updated to require cooperation from makers of new communications systems when the FBI has a court order granting access to those systems. 

When it comes to regulating on other topics, though, the Justice Department is a little less restrained; it has opened the door to a round of new disability claims against websites, offering a roadmap to what it thinks the law requires.

The right to be forgotten is attracting more flak in Europe, as the BBC announces a competing “right to remember” website devoted to publicizing stories that Google has delinked. It’s Auntie BBC v. Nanny Europe. Cue popcorn. Unhappily, a “progressive” group most famous for relentlessly sliming Google on privacy issues has urged the search engine to bring the right to be forgotten  to the United States. Sigh.

In breach news, TD Bank pays $850,000 to the state AGs over a “breach” that may never have happened. TD lost a backup tape in transit, and the data wasn’t encrypted. Was anyone’s data actually compromised by the loss of the tape? The AGs don’t say. They just want their money. And they get it. 

The Russians are getting sloppy, or maybe they’re taking a leaf from China’s book – figuring it doesn’t matter if they get caught. And caught they have been, by iSight Partners, which reports that Russian hackers used a Microsoft zero-day to target Western governments and Ukraine.  Meanwhile, the FBI is warning about another and even more sophisticated set of Chinese government hackers. And hackers are now adding a new form of targeted attack to their arsenal - a tactic that combines spearphishing with watering hole attacks. They’re targeting ads at users that take them to a compromised website that serves malware.

And, in good news for privacy skeptics, the Video Privacy Protection Act gets a narrow reading.


We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email ( or voicemail ( +1 202 862 5785). 

Direct download: Podcast_39.mp3
Category:general -- posted at: 11:44am EST

Our guest for the podcast is Shaun Waterman, editor of POLITICO Pro Cybersecurity. Shaun is an award-winning journalist who has worked for the BBC and United Press International; and an expert on counterterrorism and cybersecurity.

We begin as usual with the week’s NSA news. NSA has released its second privacy transparency report. We’ve invited Becky Richards, NSA’s privacy and civil liberties watchdog, on the program to talk about it, so I’m using this post to lobby her to become a guest soon: Come on in, Becky, it’s a new day at the NSA!

Laura Poitras’s new film about Snowden gets a quick review. We question the hyped claim that there’s a “second leaker” at NSA; most of the leaked information described in the film was already pretty widely known. 

Two more post-Snowden pieces of litigation are also in the news. As promised, we dig deeper into the Justice Department’s botched handling of the notice that must be given to parties on the receiving end of FISA taps and section 702 of FISA. As often turns out to be the case, the Justice Department develops a limp, and all the other agencies have to put stones in their shoes: It looks as though OFAC is going to be dragged into this comedy of errors. 

The second piece of litigation began as a humdrum piece of FOIA litigation (though with a bit of Glomar for spice). It has now has produced a much more interesting result: Judge Pauley, ordinarily a good friend to the government, declares that he has lost confidence in the Justice Department’s representations about the risks of releasing FISA opinions; he insists on reviewing the FIS court’s opinions himself in camera to decide what can be released.

In other national security litigation, we all know that a canary can emit a twitter, but can Twitter emit a canary? The social media giant is going to court to get approval for its “warrant canary,” claiming a first amendment right to list the orders it has not (yet) received under national security surveillance laws.  Meanwhile, on the opposite coast, the government’s authority to issue gag orders in national security letters is argued before the Ninth Circuit, which seems to find the issue at least a little troubling.

Maybe it’s a coincidence, but just as Europol is raising the possibility that the internet might be used to kill people, the FDA is trying to do something about it, issuing cybersecurity guidelines for manufacturers. We damn them with faint praise, note that our refrigerators have been trying to kill us slowly for years, and wonder when the National Highway Safety Administration will issue security guidelines for self-driving cars.

The pendulum may be swinging toward privacy in the US but it swings hard the other way in the Southern Hemisphere. First New Zealand gives Snowden a swift kick and now the Australian government is enacting surveillance reforms that increase government authority to conduct national security intercepts.

There’s a bit of good news in our update on the right to be forgotten. The European Commission has poured cold water on the European Court of Justice, hinting strongly that the court’s enthusiasm for sacrificing free expression is a bad idea. Sad to say, though, the notion seems as communicable as Ebola; even Japan is getting in the act, as a Tokyo court orders Google to take down search links at the request of an individual. 

The prize for Dumbest Judicial Opinion of the Month goes (where else?) to the Ninth Circuit, which expressed shock and dismay over the idea that a Navy investigator conducted “surveillance of all the civilian computers in an entire state” in the course of looking for military personnel trading child porn. Turns out that the investigator in question simply looked at images being shared publicly online using a common file-sharing program, Gnutella. And when he had the IP address of someone sharing child porn images he checked to see if the suspect worked for the military. When that turned out not to be the case, he turned the information over to civilian law enforcement, giving the Ninth Circuit a severe case of the vapors and ultimately leading to exclusion of the evidence. Because posse comitatus. You won’t want to miss my translation from the Latin.


We unpack the controversy over Ross Ulbricht and how the FBI managed to captcha him. And we congratulate the FCC for a regulatory action near and dear to anyone who’s ever paid too much for bad Wi-Fi in a good hotel.

Finally, we remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email (CyberlawPodcast[at] or voicemail (+1 202 862 5785). And to prove it, I read a message from Dick Mills, a libertarian blogger who started out tagging me as the Great Satan of statism but ended by admitting that the podcast occasionally changed his mind. We can’t ask for more than that.

Direct download: Podcast_38.mp3
Category:general -- posted at: 3:59pm EST

Our guest today is Rob Corbet, a partner and head of the Technology & Innovation group in Arthur Cox, a large Irish law firm.   Ireland is a uniquely important jurisdiction for US companies dealing with data protection issue.  I ask whether Ireland’s role is going to become more or less powerful under the proposed revision, and we talk about the replacement of its longstanding data protection commissioner.   

This week in NSA:   NSA is getting ever thinner, but there is still a knock-on effect from the Snowden revelations, which is now complicating the way Treasury designates people and institutions for sanctions.  This is a complex tale, and we will dig deeper into it next week.  

Web publishers are taking it on the chin everywhere.   Russia has told Google, Twitter, and Facebook to register under Russian law and submit to Russian regulation, including local storage of Russian data.  And the EU Article 29 Working Party is working on how to implement the right to be forgotten, combining its usual ineffectual bureaucratics with politically correct misrepresentations. Bet you didn’t know that the right to be forgotten isn’t censorship, apparently because you’re being censored first by companies, then by “independent” data protection agencies, and finally by the courts. That’s not censorship, say European regulators, it’s “balancing.” I’m reminded of Mary McCarthy, who famously said of Lillian Hellman, “Every word she writes is a lie, including “and” and ‘the’.” (Meanwhile the New York Times announces that it’s been hit by the right to be forgotten, with several of its stories going down the memory hole.) 

 In the US, the attack on web publishers is taking a different form, but it’s no less effective.  When Apple screws up and allows the disclosure of celebrity nude photos, it’s Google that gets hit with the threat of a $100 million lawsuit, on grounds that are half copyright, and half a kind of right to be forgotten.  Google immediately surrenders, claiming that it’s taken down links to the photos.   

 Finally, in the most troubling cybersecurity news of the month, maybe the year, JP Morgan acknowledges a deep penetration of its computer networks by sophisticated hackers – quite possibly aided by the Russian government.  Exactly what the hackers took and what they intended is still not clear, something that makes the intrusion more ominous not less, raising as it does the possibility that Russia intends to impose its own style of financial sanctions on the United States.   

All of which raises the question whether JP Morgan should protect itself by adding a “Herod clause” to its terms of service:  anyone accessing the site without authority automatically surrenders custody of his firstborn.  If it worked for F-Secure’s free wi-fi service, maybe it will work for cybersecurity.

The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates or topics to   If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the thirty-seventh episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.



Direct download: Podcast_37.mp3
Category:general -- posted at: 2:36pm EST

Our guest today is Admiral David Simpson, Chief of the FCC’s Public Safety and Homeland Security Bureau.  Admiral Simpson has more than 20 years of Information and Communications Technology experience supporting the Department of Defense.  Adm. Simpson is joined by Clete Johnson, his Chief Counsel for Cybersecurity.  The interview digs deep into Chairman Wheeler’s cybersecurity initiative, asking among other things exactly how voluntary it will be, what telecom companies can do to stop DDOS attacks, and what CSRIC really stands for. 

It’s getting harder and harder to find new NSA stories, which must be a relief to the agency.  Last week, the only news was NSA’s decision to name Anne Neuberger its Chief Risk Officer.  Anne is an able woman who knows the outside world better than practically anyone at the agency, but I can’t shake the feeling that what the agency wants is a Chief Risk-Aversion Officer. 

In other news, how to handle location data after Riley continues to bedevil the circuit courts, but the Fifth Circuit seems to have come to a surprisingly reasonable result, holding that users don’t have a reasonable expectation of privacy in the cell-site data that they give the phone company so it can connect calls to them. 

Adm. Simpson and I dig into three stories that are more technical than legal but which will all have legal fallout soon:   It turns out that Apple may have known about the iCloud security flaw that enabled disclosure of nude celebrity photos for as long as six months before the hack.  The Shellshock bug debunks the notion that open-source is inherently more secure than proprietary code, and it means that anyone who has built their business on Linux should be scrambling (that means you, Apple and Google). And the financial industry launches a real-time information-sharing program that will finally test-drive the vision underlying the bills that Congress has been trying to pass for years.

In retaliation for Western sanctions, Russia is advancing the date for mandatory social media data localization.  Meanwhile, Google’s staggering potential liability for “wiretapping” publicly broadcast Wi-Fi signals has led to an interesting discovery fight, with the self-proclaimed victims of the wiretapping challenged to show that Google actually intercepted any of their data when the Street View car drove past their homes.  If the plaintiffs fail, their whole case (and their lawyers’ payday) are at risk, since non-victims are not proper class representatives.

Finally, a brief cybersecurity obituary:   Apple’s warrant canary is pining for the fjords.


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_36.mp3
Category:general -- posted at: 2:15pm EST

For those who think the podcast is best when we have a guest from the opposite end of the political spectrum, episode 35 should be a treat.  (We’re late this week, but it will be well worth the wait.) Our guest is Julian Sanchez, a senior fellow at the Cato Institute who studies surveillance and other issues at the intersection of technology and civil liberties.  He is a founding editor of the policy blog Just Security, and recently debated another of our guests, Orin Kerr, on Apple’s recent announcement that it would no longer be able to decrypt iPhones for law enforcement.    We dig into that issue in detail, asking such questions as how often encryption has actually stymied an investigation, whether “hacking” the phone is a substitute for help from the company, what this means for corporate users of iPhones, the implications for Apple (and Google) in other countries, and whether Google/Apple run a risk under current US law of lawsuits by prosecutors or by crime victims.

Our news roundup begins with some of the first good news NSA has received in months.  It looks as though Snowden fatigue may finally be setting in abroad as well as here.  Last week, Glenn Greenwald, Edward Snowden, and Internet multimillionaire Kim Dotcom teamed up to “close one of the Five Eyes” by driving New Zealand’s government out of office in national elections.  They combined strategic leaks, a Snowden attack on the prime minister as a liar, and Dotcom’s multimillion dollar campaign war chest.  Well, the elections are over, and the Anti-NSA Dream Team was trounced.  In less good news, NSA Director Mike Rogers admits to having missed more than he’d like about ISIS’s rise.  We debate how much the political furor over the agency contributes to these problems.

In other news, we discover that auto-forwarding someone else’s email is a wiretap – and why suing for a privacy violation is much better than seeking alimony.   Meanwhile, the Home Depot case sets a new record, and the Neiman Marcus data breach case gives comfort to class action defense lawyers all across the country.  The Texas Court of Criminal Appeals tells us that the constitution may protect upskirt photos.

And, finally, we speculate whether the whole privacy law thing will finally melt down over health data, especially now that concerns about HIPAA are stifling innovation by app companies, spurring a turf war between the FTC and HHS, and, most of all, getting in the way of rapid response by government agencies accused of wrongdoing.


Finally, we announce a new feature of the Steptoe Cyberlaw Podcast:   feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.comIf you’d like to leave a message by phone here’s the number: 202.862.5785. We may play your message on the podcast if it’s particularly insightful or entertainingly abusive.

Direct download: Podcast_35.mp3
Category:general -- posted at: 2:49pm EST

Our guest this week is Dr. Phyllis Schneck, the Deputy Undersecretary for Cybersecurity for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD).    She and Marc Frey, Senior Director in Steptoe’s DC office and former Chief of Staff at DHS’s Office of Policy Development, discuss the status of cybersecurity legislation and DHS’s highest cybersecurity priorities.

We begin the podcast with This Week in NSA, as newly released documents indicate that back in 2008, the US government threatened to fine Yahoo $250,000 a day if it failed to comply with an order for data under the PRISM program. 

We dive into the Alien Tort Statute suit that was dismissed against Cisco.  And, even though Stewart isn’t here this week, we give an update on his favorite topic – the right to be forgotten.   We also have a new competitor for the title of “strangest ruling against Google in a European court this year” – as a German court has ordered Google to provide more responsive customer support.  

Last week, we told you about how Yelp had prevailed in an extreme case claiming that the company suppresses bad reviews for its advertisers.   This week, California adopted a law that further protects customers’ ability to post negative reviews to Yelp and other sites.   

This week in data breaches: Home Depot confirms its breach, and the congressional reaction is predictable.  On a related front – in the newly minted “This Week in Judge Koh,” she finds that the Adobe breach victims have standing based on risk of future harm – we explain how this can be reconciled with Clapper and what its implications might be for future class actions.


Finally, tech companies again try to ramp up the pressure for ECPA reform, and in the Microsoft search warrant litigation in New York, Microsoft agreed to be held in contempt – we explain why. 

Direct download: Podcast_34.mp3
Category:general -- posted at: 2:32pm EST

Our guest this week is Orin Kerr, professor of law at George Washington University and well-known scholar in computer crime law and internet surveillance.  Orin is our second return guest, and he demonstrates why, opining authoritatively on the future of NSA’s 215 program and the “mosaic” theory of fourth amendment privacy as well as joining in our news roundup.   

We begin the podcast with This Week in NSA, which again consists of news stories not written by Glenn Greenwald and the Snowdenistas. Most prominent are the stories claiming that Snowden’s leaks contributed to US intelligence failures against ISIS, the decision by Justice and DNI officials to support Sen. Leahy’s USA Freedom bill, and the release of a less-redacted version of Jack Goldsmith’s OLC opinion holding that the 215 program’s predecessor is not only legal but requires no FIS court approval, at least in time of war.  We find even more evidence that Snowden leaks harmed our ability to monitor ISIS, doubt that Sen. Leahy’s bill will pass before the elections, and speculate about whether OLC has a macro that inserts its plenary Article II article into every opinion it produces.

Meanwhile, Yelp prevails in an extreme case claiming that the company suppresses bad reviews – but only for advertisers.  To which the Ninth Circuit says, “So what? It’s Yelp’s site.”  If only the aggrieved shopowner had sued under EU privacy law, which might require Yelp to forget those bad reviews.

Speaking of the right to be forgotten, I explain what I’ve learned by actually filing censorship demands of my own.  The headline?  Google will suppress European search results for anyone anywhere.  You don’t have to be a European to have your peccadilloes forgotten.  The full post is here.

And, speaking of foreign censorship of US information, LinkedIn is being accused of applying Chinese censorship to Chinese customers, even on LinkedIn’s U.S. site.  Three cases make a trend, and censoring the news that Americans read by threatening to hold their news suppliers liable abroad is definitely a trend.

This week in data breaches:  Home Depot is accused, and Sen. Rockefeller calls on the company to respond.  Will “tokenization” solve the problem, at least for stores – or is that a solution only a lawyer could love?  We also look at the hack and conclude that it’s been hyped.

In other regulatory action, Google takes a big hit for kids’ in-app purchases and Verizon agrees to pay $7.4 million for sending inadequate notices to customers.  But the class action bar isn’t likely to get rich off either case.


And Jason lays out the details of a Hasidic child abuse trial that has already produced not one but two noteworthy privacy rulings in New York. 

Direct download: Steptoe_Podcast_33.mp3
Category:general -- posted at: 4:40pm EST

We’re back!  After a much needed hiatus, during which we shared wilderness paths with bison, woke up to wolf cries, and celebrated the value of ibuprofen, the Steptoe Cyberlaw Podcast is back on the net.

The hiatus allows us to cover this month in NSA, which is a good thing, because the Snowden News Machine is sputtering.  The most significant news was probably made by NSA itself, which released a redacted opinion of the FISC, shedding a lot of light on why the government abandoned its internet 215 program.  Judge Bates’s heavily redacted program criticizes the agency relentlessly for making promises about its technology and procedures that it just couldn’t keep.  My guess is that the agency heads and DOJ got so tired explaining and apologizing to the court that they finally just killed the program.

In other NSA news, Snowdenista journalists try to make an issue of the fact that NSA has developed a search engine for metadata called ICREACH.  Public reaction: Well, duh.

More egregiously, Laura Poitras and Der Spiegel provided detailed information about US intelligence collection on Turkey in a scarcely veiled effort to sabotage the US-Turkey relationship – and to relieve the German government of the embarrassment of a leak showing that despite Angela Merkel’s claim that friends shouldn't spy on friends, Germany spies enthusiastically on Turkey.

Mustn't embarrass the German government, after all.  Its insistence on moral purity in intelligence collection is the main political/diplomatic support for what’s left of the Snowden campaign.  But that purity is looking a little sullied after revelations that German intelligence intercepted both Hillary Clinton and John Kerry as they carried out diplomatic efforts.

In other August news, the Microsoft case questioning the government’s authority to issue warrants for overseas data continued to evolve over the month, with the government greatly raising the stakes:  If Microsoft wants to appeal, the government says, its only option is to refuse compliance with the warrant and let the court hold it in contempt.  And it looks like the district court agrees.

Elsewhere, Linkedin settles its data breach case for a relatively modest $1.25 million.  NIST seeks comment on how its Cybersecurity Framework is working out.  And a federal court in Massachusetts offers novel (and probably bad) advice to those hoping to avoid liability under federal computer abuse law:  Just make sure the computer’s been disconnected from the Internet before you attack it.  Finally in what looks like an increasingly American exceptionalist view, US courts continue to hold that search engines aren’t liable for the links they publish or their autocomplete suggestions.

Our guest for the week is David Hoffman, Intel’s Chief Privacy Officer, and one of the most thoughtful privacy officials going.  Apart from his unaccountable fondness for the European Court of Justice’s decision on the right to be forgotten.  We debate the decision again, and I discover that David and I are famous by Google’s standards, while Michael is not.  I propose new ways to throw a legal spanner in the European data protection agencies’ works.



Direct download: Podcast_32.mp3
Category:general -- posted at: 3:32pm EST

The Steptoe Cyberlaw Podcast is on hiatus in August, but we’ve brought it back for a special appearance – a debate over Senator Patrick Leahy’s version of the USA Freedom Act sponsored by the Federalist Society. Moderated by Christian Corrigan, the debate pitted me against Harley Geiger, Senior Counsel and Deputy Director for the Freedom, Security and Surveillance Project at the Center for Democracy and Technology. Surprisingly, Harley and I manage to find some significant points of agreement, not only on the superiority of the Senate’s definition of ‘special selection term’ over the House’s, but also on the need to deal with what ethical and conflicts standards should apply to special advocates appearing before the Foreign Intelligence Surveillance Court – a topic that neither the House nor the Senate bill presently addresses.

Direct download: Steptow_Podcast_31.mp3
Category:general -- posted at: 10:51am EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: The Senate Judiciary Committee has come up with a new version of the section 215 reform bill passed by the House; Glen Greeenwald discloses that the NSA has a limited intelligence sharing arrangement with Saudi Arabia; four senators express concern about NSA's overseas intelligence collection program; Sony settles its service-suspending hack for $15 million worth of free stuff for users; the 9/11 Commission issues a soft endorsement of "direct action" by private parties who are hacked; Vladimir Putin signs legislation to keep Russian data in Russia; The Washington Post explains that the FBI "Going Dark" is real; the President's plan to talk about drone privacy; and Congress votes to end DMCA protection for locked cell phones. In our second half we interview, Richard Danzig, former Navy Secretary, board member of the national security think-tank, The Center for a New American Security, and author of the paper Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America's Cyber Dependencies. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Steptoe_Podcast_30.mp3
Category:general -- posted at: 3:22pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: Snowden claims that NSA employees are circulating inappropriate pictures and Glen Greenwald reports that the Government Communications Headquarters has developed the ability to send spam and tamper with web polls; last week's UK data retention legislation has been passed into law; advocates of the right to be forgotten push for censorship of the forgotten; the Chinese government demands that Internet companies self-censor; the FBI is concerned Google's driverless cars could be used as ‘lethal weapons'; to prevent whistleblowers, the Veterans Administration claims that talking about patient mistreatment is a violation of patient privacy; FBI affidavit by Agent Noel Neeman on Chinese cyberespionage tactics and motivations; class action privacy issues move from West Virginia to Illinois; and Massachusetts Supreme Judicial Court declares that you can be forced to decrypt your files. In our second half we interview, Orin Kerr, computer crime law guru and professor of law at George Washington University. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.
Direct download: Steptoe_Podcast_29.mp3
Category:general -- posted at: 12:37pm EST

Stewart Baker and Maury Shenk discuss false claims that NSA has flagged the Linux Journal as an "extremist forum"; the UK has introduced new stopgap legislation to make sure it doesn't lose its data retention authority in the wake of an unfavorable ECJ decision, and to allow UK law enforcement to require foreign entities to turn over data under a warrant; the UK government has also proposed creating their own PCLOB; the Senate Intelligence Committee produces a cybersecurity information sharing bill as a bookend to the House's bill; and Russia has proposed their own data protection rule. In our second half we have our first repeat interviewee, David Medine, Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB). We discuss the 702 report and have a roundup of this week in NSA, including a discussion of Glenn Greenwald's disclosure of the Americans targeted by NSA and Bart Gellman's defense of his Washington Post article. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: Podcast_28_Final.mp3
Category:general -- posted at: 10:04pm EST

Stewart Baker and Michael Vatis discuss this week in NSA: Glenn Greenwald decides not to expose individuals who are targeted for surveillance; The Washington Post reveals that "9 out of 10" targets in the NSA's datasets are non-targets; NSA Director Mike Rogers says that Snowden's thefts can be managed; the Seventh Circuit ruled that FISA intercepts cannot be routinely shown to defense counsel; Ellen Nakashima and Bart Gellman reveal that the NSA thinks it may have to gather foreign intelligence from every country in the world; government reports triggered by Snowden continue to multiply; Microsoft's fight with the US government over warrants for overseas data gets more support; Google continues to reveal how it is applying the right to be forgotten; New York's cyberbullying law is struck down; and the SEC has begun investigating network intrusions, starting with Target. In our second half we have an interview with David Heyman, former DHS Assistant Secretary for Policy. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: pc27_WM_CU.mp3
Category:general -- posted at: 11:34pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: The Lofgren amendment, which prohibits NSA and CIA from asking a company to "alter its product or service to permit electronic surveillance;" NSA's bulk collection program is extended again; the Supreme Court's 9-0 decision in Riley, refusing to allow police to routinely search the cell phones carried by people they arrest; Facebook challenges 300+ search warrants on behalf of the targets; Wyndham files an appeal on the FTC's jurisdiction over Internet privacy and security; and Steptoe launches the Data Breach Toolkit. In our second half we have an interview with Dmitri Alperovich, CEO of Crowdstrike, a well-known incident response cybersecurity startup whose recent report introduced the world to another unit of the PLA hacking force - one that is quite distinct from unit 61398, which was exposed by Mandiant last year, six of whose members were indicted recently by the Justice Department.

Direct download: Episode_26.mp3
Category:general -- posted at: 11:55am EST

Stewart Baker, Maury Shenk, and Michael Vatis discuss this week in NSA: The House passes an NDAA amendment to regulate "secondary" searches of 702 data; the GCHQ defends its view that sending email thru Yahoo and Hotmail is an "external" communication; Darryl Issa raises questions about the FTC's investigation into LabMD and asks for an IG investigation; an Irish court backs the Irish data protection authority's decision not to investigate Facebook for cooperating with NSA; the Eighth Circuit decision on bank liability for weak security; the Senate Intelligence Committee's information sharing bill; and privacy class actions. In our second half we have an interview with Ralph Langner, decoder of Stuxnet and founder of the Langner Group, which specializes in industrial control system security.

Direct download: Episode_25.mp3
Category:general -- posted at: 9:17pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: A federal judge in San Francisco announced that she was not willing to take the Justice Department's word that several FOIA'd FISA court opinions cannot be partially declassified and demanded that they be produced for in camera inspection; Crowdstrike outs another PLA hacker by name; the Chinese claim that the US government needs to provide more information about alleged Chinese hacking; and the DoD authorization bill is due to add a few more provisions tightening restrictions on China's IT sector; Microsoft's legal objections to getting a warrant for other people's data stored in Ireland; fourth amendment news: Wi-Fi moochers have no expectation of privacy, but how to treat location data stored by cell phone companies continues to drive the federal courts to distraction; a study that Stewart and Jim Lewis of CSIS unveiled last week on the cost of cybercrime; the West Virginia data breach doctrine; and the FCC catches up to the FTC and SEC in cybersecurity "nudge" regulation. In our second half we have an interview with Paul Rosenzweig, consultant at Red Branch Consulting, blogger for Lawfare, writer for the Homeland Security Institute, and lecturer for the Great Courses on Audible.

Direct download: Episode_24.mp3
Category:general -- posted at: 7:31am EST

Stewart Baker, Stephanie Roy, and Michael Vatis discuss Google's effort to implement the European Court of Justice's "right to be forgotten" decision; New York Court of Appeal's case on cyberbullying; Google's decision to promote more encryption; how stingray cell phone location systems work, and why the US marshals might seize stingray records from the Florida police; the regulatory issues that might be involved with using satellites to provide internet service to developing countries; this week in NSA: German prosecutors have opened a criminal investigation into the tapping of Angela Merkel's phone but not the hacking of her computer; and the EFF still wants NSA to hang on to more Americans' records than NSA wants to keep. In our second half we have an interview with Congressman Mike Pompeo (R-KS), a member of the House Intelligence Committee who joined the House in 2010.

Direct download: Episode_23.mp3
Category:general -- posted at: 7:50am EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: Edward Snowden's NBC interview and his claim to have raised concerns about the agency's intelligence programs before he launched his campaign of leaks; the New York Times' article on face recognition by the NSA; China responds to the indictment of its hackers by pointing to old Snowden documents; the FTC issues a report on data brokers; the LabMD litigation continues; Google starts to spell out how it will implement the right to be forgotten; NSL transparency is back in court; Iranian cyberattacks; and what happened with TrueCrypt. In our second half we have an interview with Ron Deibert, director of the Canada Centre for Global Security Studies and the Citizen Lab at the Munk School at the University of Toronto.

Direct download: Episode_22.mp3
Category:general -- posted at: 6:52am EST


In our twenty-first episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Maury Schenk, Michael Vatis, and Jason Weinstein discuss this week in NSA: The House passage of the USA Freedom bill; LabMD goes to trial; China lashes back over the Justice Department's indictment of PLA members; Apple loses a preliminary fight over its liability for the privacy practices of third party apps; the Blackshades indictments; the mild treatment given to the Anonymous hacker, Sabu; and California's Attorney General's guidance on how to comply with California's latest privacy law. In our second half, we have an interview with Peter Schaar, a proponent of the right to be forgotten and an eminent former data protection chief. From 2003 to 2013, Peter was the Federal Commissioner for Data Protection and Freedom of Information. He is currently Chairman of the European Academy for Freedom of Information and Data Protection (EAID) and a guest lecturer at the University of Hamburg.
Direct download: Podcast_21.mp3
Category:general -- posted at: 10:13am EST

In our twentieth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Stephanie Roy, and Michael Vatis discuss Breaking News: American counterattack on Chinese cyberspying - the indictment of several PLA members for breaking into US computers to steal commercial information; this week in NSA: It turns out that telcos did challenge the 215 program; Glenn Greenwald's book claims that NSA considers Israel the most effective at spying on the US after China and Russia; Greenwald also says that NSA modifies equipment after it's been sold to make hacking easier; and Greenwald's book has now been leaked to Bittorrent; it looks as though LabMD is down to one lawsuit; the Justice Department released a statement that some kinds of information sharing don't violate the antitrust laws. Now it's put out a white paper saying that ISPs can release aggregate information about cybersecurity without violating the Stored Communications Act's prohibition on releasing customer information; net neutrality and the difference between Title II and section 706 as a basis for net neutrality; and the European Court of Justice's embrace of the "right to be forgotten" In our second half, we have an interview with Shane Harris, senior writer at Foreign Policy magazine, where he covers national security, intelligence, and cyber security. Shane's book, The Watchers, offered thoughtful insights into the rise of surveillance in America.

Direct download: podcast20.mp3
Category:general -- posted at: 4:30pm EST

Stewart Baker and Michael Vatis discuss this week in NSA: Al-Jazeera gets an exclusive on e-mails where google execs turn down NSA invitations and talk briefly about online security threats; the State Department's Coordinator for Cyber Issues; Oracle wins a Federal Circuit victory over Google, establishing that APIs can be copyrighted; New York State issues a short report on bank cybersecurity practices and promises to start asking banks about these practices in inspections; in other litigation, LabMD claims a victory over the FTC, and we interview LabMD's CEO, Michael Daugherty; the ACLU argues that criminal defendants who are acquitted should have no more privacy rights than those who are convicted; Zynga and Facebook get a reprieve from the Court of Appeals, but can face lawsuits under state law for breach of contract; and Snapchat finds itself exposed at the FTC. In our second half, we have an interview with Chris Painter, the State Department's Coordinator for Cyber Issues. Chris discusses norms in cyberconflict, MLAT reform, Brazil's recent Net Mundial conference, and much more.

Direct download: Podcast19.mp3
Category:general -- posted at: 8:20am EST

In our eighteenth episode of the Steptoe Cyberlaw Podcast, Stewart Baker and Michael Vatis discuss this week in NSA: The internal NSA briefing memo surmising that GCHQ probably hoped to expand its access to PRISM data; Microsoft loses a big case before a magistrate in SDNY, who rules that the government can enforce warrants requiring Microsoft to produce data stored abroad; The Supreme Court hears oral argument over cell phone searches incident to arrest; The White House has released a couple of reports on Big Data—one from the PCAST and one from John Podesta's group—along with several recommendations; The White House also released guidance on when NSA will exploit cybersecurity flaws and when it will try to fix them; GCHQ's own independent monitor has released a long and favorable report; and data breaches claim their first CEO, as Target makes room at the top. In our second half, we have an interview with Brian Krebs, the noted security researcher behind Krebs on Security. Brian comments on the week's news before giving us an interview on the latest in Russian cybercrime.

Direct download: Episode18.mp3
Category:general -- posted at: 6:16pm EST

In our seventeenth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Stephen Heifetz, Stephanie Roy, Michael Vatis, and Jason Weinstein discuss this week in NSA: No new scandal stories but the principal new release came from the US government and consisted of a FISA court ruling that took apart the only decision declaring NSA's section 215 metadata program illegal - Judge Leon's opinion in Klayman; the top story this week is the claim that the FCC is gutting net neutrality; the New York Times' story suggesting that the FBI may have used Anonymous to help compromise foreign nations' networks; the cell phone warrant case; the Aereo case; Magistrate Facciola's approach to warrants, and DOJ's method to appeal his latest ruling; and DHS' announcement that it has notified all critical infrastructure companies that they are considered critical. In our second half, we have an interview with two government CFIUS experts, Elana Broitman, a deputy assistant secretary at DOD and Shawn Cooley, who manages DHS's participation in CFIUS as well as Team Telecom.

Direct download: Episode17.mp3
Category:general -- posted at: 4:14pm EST

In our sixteenth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Chris Conte, Michael Vatis, and Jason Weinstein discuss this week in NSA: Edward Snowden questions Putin; and the Bloomberg story that NSA exploited the Heartbleed vulnerability steadily loses altitude and believers; the SEC releases thoughtful and detailed set of cybersecurity questions for its examiners to use in dealing with the private sector; US magistrate Facciola calls for an amicus brief on cell-site data; Kentucky adopts a state breach notice law; the conviction of Andew "Weev" Auernheimer for the AT&T hack was overturned on appeal; the implications of giving first amendment protection to censored search results; and in bitcoin news, a more plausible candidate for Satoshi Nakamoto has emerged. In our second half, we have an interview with Alex Joel, the Civil Liberties Protection Officer of the Office of the Director of National Intelligence.

Direct download: Episode16.mp3
Category:general -- posted at: 1:39pm EST

Stewart Baker, Maury Shenk, and Jason Weinstein discuss this week in NSA: The FBI and ACLU tangle over FOIA; Larry Klayman loses an appeal over Section 215 metadata collection; according to a Bloomberg article the NSA exploited the Heartbleed security flaw for years - the NSA conclusively denied the story immediately; this week in FTC: the District Court ruling in the Wyndham case was largely unsurprising; Whatsapp and Facebook are being locked into their current privacy policies; the commission fairly charges with deceptive practices and orders them to delete data; the European Court of Justice makes news, striking down parts of the data retention directive that have long distinguished Europe as a far less privacy-protective jurisdiction than the United States; continuing the tutorial in class action tactics, the Target litigation is consolidated in Minnesota; the Justice Department and the FTC issue antitrust guidance designed to ease the fears of companies that sharing cybersecurity information will create antitrust liability; and international cyberdiplomacy is slowly recovering from the Snowden leaks. The US makes a creative response to Iran's DOS attacks on banks, and it tries candor on China. In our second half, we have an interview with Dan Sutherland, Associate General Counsel, National Protection and Programs Directorate at the US Department of Homeland Security.

Direct download: CyberBlogPodcast_15.mp3
Category:general -- posted at: 12:23pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: A Reuters story claims that researchers showed something bad about the way NSA influenced the Dual EC encryption standard; a civil libertarian academic who was part of the President's expert's group NSA published a candid assessment of the agency - almost all of it positive; and Yahoo! has finally been able to encrypt its back-office communications; this week in Reruns: LabMD's latest filing; the banks that sued Target's security assessor have had second thoughts; Microsoft's search of Hotmail to protect its property yields a guilty plea; and Google's struggle with the most famous ten-second video performance in history ends abruptly; The Onion Router doesn't really turn your messages into spoofed news stories (cool as that would be); Federal magistrates impose limits on computer search warrants as a condition of signing them. In our second half, we have an interview with Benjamin Wittes, senior fellow in Governance Studies at The Brookings Institution and co-founder and editor-in-chief of the Lawfare blog.

Direct download: Episode_14.mp3
Category: -- posted at: 3:08pm EST

Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: Proposal to replace NSA's 215 metadata program with one where the data remains with the telephone companies; the new chief judge at the FISA court; and China has promised to bolster its cybersecurity while protesting news that Huawei was hacked by NSA, this week in Target: Banks suing not just Target but also its security assessor, Microsoft admits to opening a subscriber's Hotmail account to track an employee who was leaking its business secrets, Bitcoin assets to be subject to capital gains calculations. In our second half, we have an interview with Michael Allen, former Majority Staff Director of the House Intelligence Committee and Founder & Managing Director of Beacon Global Strategies.

Direct download: Episode_13.mp3
Category:general -- posted at: 12:50pm EST

In our twelfth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, and Jason Weinstein discuss this week in NSA: The President meets tech execs again on privacy and NSA; a decision/announcement on 215 changes seems imminent; Silliest Press Angle of the week: the press is shocked to hear government lawyers say that tech companies knew of PRISM intercepts; NSA "reaches into the past"; IBM denies helping NSA; NSA hacks Huawei; Brazil drops localization requirement, IL two-party consent law struck down, Gmail intercept class denied, settlement for victims who didn't suffer harm, Android user privacy/battery case advances, and additional stories: Ninth Circuit "Innocence of Muslims" ruling undermined by Copyright Office but enbanc denied; SSCI-CIA forensic review ordered. In our second half, we have an interview with Jim Lewis of the Center for Strategic and International Studies.

Direct download: Episode_12.mp3
Category:general -- posted at: 6:18am EST

In our eleventh episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Markham Erickson, Daniella Terruso, and Michael Vatis discuss this week in NSA: The EFF overrides one of the privacy protections in NSA's metadata program by killing the 5-year retention limit; what is the New York Times story on "raw take" about?; will the NSA and the telcos will end up going "Dutch," as in Ruppersberger; and Stewart brags about the results in his latest debate over Edward Snowden, who is starting to wear out his welcome with Americans; other fallout from the NSA leaks: Commerce announced its willingness to give up an oversight role for ICANN; members of the European Parliament start work on a data protection that they can't finish before elections; the legal claims in the SSCI-CIA brouhaha; the Silverpop case and how it may be harder to win a hacker-breach negligence case than some of us thought; this week in the Target breach case: Did Target miss a chance to stop the exploit?; privacy groups want to block the Whatsapp deal on privacy grounds; additional stories: the public's first good look at Russia's cyberespionage tools; Google starts encrypting search in China; Leon Panetta invokes "cyber Pearl Harbor;" and it turns out we could lose power for 18 months if a handful of substations are successfully attacked. In our second half we have an interview with Dan Novack, a former big-firm litigator now serving as legal analyst at First Look, the Greenwald/Omidyar news service.

Direct download: podcast_11.mp3
Category:general -- posted at: 5:22pm EST

In our tenth episode of the Steptoe Cyberlaw Podcast, Stewart Baker and Jason Weinstein discuss NSA/Snowden: Keith Alexander hints about a possible end to the broad collection of metadata---and the FISA court's refusal to extend the 5-year retention deadline for NSA's store of metadata. Was that ruling a defeat for NSA or the result of a clever litigation strategy? Roundup of Bitcoin news: What is going on here? Taking a second look at the copyright fight over "Innocence of Muslims", in wiretap news, the $21 million Justice Department claim against Sprint for overcharging on wiretaps, this week in cybersecurity policy: the Obama administration's approach is getting the most sincere form of flattery from other nations; China and Europe are once again living out the fantasies of American officials; except for the FTC, which as far as we can tell is already living in its own fantasy, riding a 50-plus streak of wins to a couple more victories, though one was closer than expected. In our second half we have an interview with Mark Weatherford, a Principal at the Chertoff Group.

Direct download: podcast_10.mp3
Category:general -- posted at: 10:32am EST

In our ninth episode of the Steptoe Cyberlaw Podcast, Stewart Baker, Michael Vatis, and Jason Weinstein discuss NSA/Snowden: NSA weighs options for 215 data and the Office of the Director of National Intelligence will not disclose the study of storage options; GCHQ's webcam captures; Canadian extradition flap; ABA President sends letter to NSA, LabMD falters, Cellphone unlocking - the long withdrawing roar of copyright maximalism begins, Holder calls for a national breach notice law - so why don't we have one?, Julie Brill's Princeton speech - big data and consumer privacy, Report from NSA: Trustycon and the boycott; What's hot - bot catchers and intelligence driven security, and this week in weird copyright law - what the Google/Islam/takedown decision means. In our second half we have an interview with Adam Sedgewick, Senior Information Technology Policy Advisor at the National Institute of Standards and Technology.

Direct download: SteptoeCyberlawPodcast-009.mp3
Category:general -- posted at: 7:16am EST