The Cyberlaw Podcast

Our guest for episode 44 of the Steptoe Cyberlaw Podcast is Sal Stolfo, Professor at Columbia University’s Computer Science Department and CEO of Allure Software.  Stolfo brings an attacker’s sensibility to network security approaches usually dominated by defensive thinking.  His approach to computer security includes flooding the network with plausible fake documents wired to alarm when touched by a user.  The alarm, in turn, shuts down a user’s access and prompts for a second form of authentication.  Documents that are successfully exfiltrated persistently attempt to beacon back to the home network, betraying the attacker and his customers long after the hack.  He’s already deploying some of these concepts commercially.  It’s the kind of active defense even the Justice Department should love.

In our news roundup, This Week in NSA is dominated by speculation that the 215 program will never die.  Conventional wisdom says that the metadata program will ride into the sunset on June 1, 2015.  But a “transition” note could allow the program to last for years.   Meanwhile, the NSA director, Adm. Mike Rogers, is warning that China and one or two other countries have the ability to bring down the electric grid in the United States.

The FTC has gone to mediation with Wyndham, but no one is betting that the mediation will succeed.  And the FTC’s settlement with TRUSTe puts the privacy certification company under the FTC’s thumb for years.

Telephone companies have long been the most government-friendly of technology firms, but that may be changing.  Now even the heir of Ma Bell’s name, AT&T, has filed an amicus brief demanding clearer standards before the government could get access to location information.

One solution is for the government to cut out the middleman and get the location information directly from the consumer – by offering fake cell towers to connect to. But that tactic, and the secrecy surrounding “stingray” collection, has its costs.  Baltimore has abandoned a criminal case to keep from describing the technology and how it’s used.  And a North Carolina judge has unsealed hundreds of stingray orders.

In the words of the old country song, how can I forget you if you won’t go away?  Much as we wish the right to be forgotten would go away, that’s looking less and less likely. Google's Global Privacy Council, Peter Fleischer, has disclosed new details about how the search giant administers the right.  And Norway has (unsurprisingly) followed the rest of Europe in adopting the doctrine.  But most troubling is the news from France, where Google is facing fines of €1000 a day for refusing to apply a French defamation takedown order to its domain – or, more accurately, for not letting a French judge censor what Americans can read. 

Finally, in our first item derived from a listener request (h/t Lee Baumgardner), we look at the regulatorily challenged transport company, Uber, and its potential liability for a steady stream of privacy flaps, including its unwisely but appropriately named “God Mode.”  

Tune in next week when our guest will be Troels Oerting the Assistant Director, Head of European Cyercrime Centre (EC3). 

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.



Direct download: Podcast_44.mp3
Category:general -- posted at: 3:35pm EST

Our guest this week is Amb. Daniel Sepulveda, the man charged with managing the U.S. relationship with the International Telecommunications Union.  The ambassador helps us make sense of the recent ITU meeting in Busan, South Korea, where efforts to validate a greater government role in internet affairs seem to have been turned back for another four years.  Markham Erickson, a Steptoe partner specializing in internet law, also joins regulars Jason Weinstein, Michael Vatis, and me.

This week in NSA:  The USA Freedom Act is showing signs of life, as Sen. Reid promises Sen. Leahy floor time in the lame duck session.  But with Sen. Feinstein opposed to the Judiciary-written bill, and the House having passed a different one, it’s still a long haul to get a bill to the President before the lame duck limps into history.  After a year-and-a-half-long Snowden-induced cringe, the U.S. is again raising Chinese espionage more aggressively.  But that’s the only thing that has changed in the U.S.-China dialogue on cyberespionage.  Just ask the Postal Service and the NOAA weather network.

We try out a new feature:  The Law Behind the Headlines, where we provide the legal background behind tech stories in the news: 

•           Remember that Insecam website that streams video from thousands of video surveillance cameras that are still using the manufacturers’ default login credentials?  To Jason, it looks like the world’s most public confession to thousands of criminal violations. 

•           And according to the press, law enforcement uses flying DRT Boxes (not to mention ground-based stingrays) to imitate cell towers and thus locate particular phones very accurately.  But to do so, the machines have to accept and then drop thousands of connections from the phones of ordinary Americans who aren’t suspects.  Is that legal?  How is it different from the NSA’s program of collecting data but not looking at it?  And can we get the U.S. Marshal’s service to actually connect some of the calls they get from dead spots out in Great Falls? Answers to all these questions in the podcast!

This week in bad law:  the Ninth Circuit will be revisiting the too-creative Kozinski opinion that based a takedown order on the dubious copyright claim of an actress who appeared in in “The Innocence of Muslims.” 

This week in data breaches:  Anthem Blue Cross puts a bunch of medical advice and data in the subject line of its emails to patients.  That doesn’t inspire confidence in its data security, but is HIPAA violated?  Maybe not, Jason explains.

Argentina’s Supreme Court joins the great debate over search engine liability, spurring Michael and Markham to a debate of their own.  A Justice Department advocate admits to a mistake in oral argument on how forthcoming companies can be in NSL disclosures.  We debunk left/lib claims that the mistake is a government “misrepresentation.”

Google has weighed in on another privacy issue, essentially taking Europe’s side in a long-running debate over whether and how non-Americans should be covered by the Privacy Act.  I argue that changing the Act would simply enable European unilateralism in the long privacy debate with the United States.  Amb. Sepulveda and I tangle over whether the demand is a legitimate part of negotiations over the data protection U.S.-EU Safe Harbor Agreement.


The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Direct download: Podcast_43.mp3
Category:general -- posted at: 10:16am EST

We share the program this week with Orin Kerr, a regular guest who knows at least as much as we do about most of these topics and who jumps in on many of them.  Orin, of course, is a professor of law at George Washington University and well-known scholar in computer crime law and Internet surveillance.

This week in NSA:  With NSA Director playing good cop in Silicon Valley, new GCHQ director Robert Hannigan seemed happy to play bad cop, releasing an op-ed saying that US tech companies were providing the “command-and-control networks of choice for terrorists and criminals” and would need to do a better job of cooperating with governments to combat terror and crime.  If nothing else, the speech is a hint to Silicon Valley that its clout in the Obama administration does not foretell success in fighting other governments’ surveillance goals. 

And, with the election over, and it looks more likely than not that the GOP will end up with a 54-46 majority next year.  We surmise that this means no action on the USA Freedom Act (or Sen. Grassley’s substitute) until Spring 2015.

Finally, the DC Circuit heard argument in the appeal of Judge Leon’s famously exclamatory invalidation of NSA’s 215 metadata program.  As expected, Larry Klayman did nothing to help his case, and the panel was considerably more skeptical about the challenge than the Second Circuit panel that heard many of the same issues.  Our best guess from the arguments:  The Second Circuit decides that the program is inconsistent with section 215, the DC Circuit finds that the program is constitutional and that statutory issue has been waived, so there’s no split in the circuits until the Ninth Circuit rules, at which point the whole issue is cert-proof anyway because the statute has expired or been revised.

Talk about opening a can of worms.  The Supreme Court’s decision in Riley that cell phones can’t be searched without a warrant has now spawned fights about what the warrant should say, and how many limits it should set on what the police can look at.  The Nebraska Supreme Court has weighed in – but leaves the police more or less in limbo.

Whether the contents of a webmail account are protected from government search depends on the webmail provider’s terms of use.  Or so says the Southern District of New York, in a decision none of us can understand or really get behind.  

Speaking of the Southern District of New York, prosecutors there may singlehandedly make more tech surveillance law than the rest of the country.  They’re fighting with a phone manufacturer to get help unlocking a suspect’s phone. 

And a Virginia court has ruled – to our utter lack of surprise -- that suspects may be forced to apply their fingers to cellphones protected by fingerprint readers.  More interesting is whether they can be forced to enter “patterns” or tell the police which finger unlocks their phone (our view: no and no).

Google has finished its “right to be forgotten” road trip, and Americans’ freedom to read accurate information is on the block in Europe.  An official of the European Commission made clear that the Commission would not rest until it had imposed its link censorship regime on and Google’s American users.  The administration’s response?  Crickets.

Data retention is making a comeback in Europe, as Sweden joins the UK in demanding continued retention despite a European Court of Justice ruling against the directive that originally led to retention requirements.

Is the financial industry worried enough about cybersecurity that it’s actually calling for more activist government action?  SIFMA’s latest call comes close.

We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email ( or voicemail (+1 202 862 5785).

Direct download: Podcast_42.mp3
Category:general -- posted at: 2:09pm EST

Our guest is one of the most highly regarded cybercrime prosecutors in the country - John Lynch, the Chief of the Computer Crime and Intellectual Property Section (CCIPS) in DOJ's Criminal Division.  Among other things, John talks about how DOJ is organized to investigate and prosecute cybercrime and about its efforts to strengthen partnerships with and build capacity among foreign law enforcement partners in what is increasingly a global fight.  John also reflects on the impact of the Snowden leaks on domestic law enforcement and on the challenges the courts and prosecutors are facing dealing with electronic evidence issues in a time of rapidly changing technology.  And we talk about the role of the private sector in cyber defense. 

This Week in NSA: “Second leaker” identified by the FBI – does Snowden have a spare bedroom? GCHQ says it can access data provided by the NSA without a warrant.  That bothers privacy groups, who apparently are unfazed by the fact that GCHQ can also access data on its own citizens without a warrant, and can get a warrant without seeing a judge.  On a related front, former FBI Director Bob Mueller calls the Snowden leaks “devastating” to efforts to investigate and disrupt national security threats, in the process noting that the US is unique in terms of the level of judicial review required for electronic surveillance.  

The ITU continues to try to take control of the Internet. Law firms become a focus of hacking concern, as NYDFS letter puts spotlight on vendor management. A Private sector coalition engages in what you might call active defense against “Axiom” group of Chinese hackers.  The FCC becomes America’s latest de facto data protection authority.

Move over China, as FireEye identifies a Russian cyberweapon.  Meanwhile, a DARPA official basically says that since we use the same popular software, we’re making it too easy for hackers.

And we bring you another candidate for Dumbest Privacy Case of the Year, involving both privacy and cleavage.


We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email ( or voicemail ( +1 202 862 5785).

Direct download: Podcast_41.mp3
Category:general -- posted at: 1:10pm EST