The Cyberlaw Podcast

Our guest, Ellen Nakashima, was coauthor of a Washington Post article that truly is a first draft of history, though not a chapter the Obama administration is likely to be proud of.  She and Greg Miller and Adam Entous chronicle the story of Russia’s information operations attack on the 2016 presidential election.

Want to know how it feels to have Donald Trump tweeting your article and taunting the last administration?  Don’t worry, we ask.  Also why was the NSA only moderately confident that Putin was trying to help Trump win, and how did the Obama administration manage to “choke” at every turn.  Jim Comey makes a cameo appearance, ironically refusing to go public with his agency’s assessment of the hack because it might look like he was trying to influence the election — whew! – that’s a bullet dodged!

We dwell on the Obama administration’s bad luck in announcing its judgment on Putin’s hack half an hour before the Access Hollywood story broke and an hour before Podesta’s emails were released.  Sometimes you win the news cycle; sometimes the news cycle wins you.

Finally, Ellen talks about the plan to implant cyberweapons in Russian infrastructure and where it stands.  What infrastructure, you ask?  Infrastructure so serious it was approved by a phalanx of Obama administration lawyers, of course.  It’s an echt-Obama moment, the kind of thing that is bound to be in history’s second draft as well.

We begin the news roundup, as our fans demand, with the latest in sex toy cybersecurity law.  On a more serious note, Jennifer Quinn-Barabanov asks whether the Seventh Circuit has stuck a fork in the data breach class action tactic of offering full damages to the named plaintiff.

Jon Sallet reviews the remarkable success of the Obama Justice Department in challenging mergers in court and argues that it’s likely to continue, if not with the same frequency.

Michael Vatis and I pan Justice Kennedy’s gassy ode to the “Cyber Age” in Packingham v. North Carolina, an opinion that is sure to be cited far more often for its overblown dicta than for its unsurprising holding.

Speaking of the Court, the Solicitor General is seeking review of the Microsoft Ireland case.  Michael and I assess the odds of an affirmance.

Meanwhile, Maury Shenk reports, European angst over the internet continues to force the pace of government action.  Despite a leak revealing its spying on the US Government, Germany is doubling down, expanding law enforcement’s authority to hack suspects’ phones.   And the European Council is calling on Member States to prepare to impose sanctions in response to cyberattacks.

And where will those attacks come from?  Ask the Western IT companies that have recently been forced to disclose their source code to Russian intelligence agencies.  Strictly for cybersecurity purposes, naturally.

And LabMD has at last had a judicial hearing for its objections to the FTC’s handling of its data security case.  Michael and I agree:  it was such a bad day for the FTC that the Commission’s decision to override its own ALJ opinion now looks like hubris of the first order.

And, finally, we cover the equally hubristic decision of some CIA staff to demonstrate their hacker cred by spoofing the Agency’s snack machines.  It may be some consolation to them in unemployment that their exploit was pretty clever.  Or, who knows, maybe they’ve been brought back to help the agency implant the Kremlin’s snack machines.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-171.mp3
Category:general -- posted at: 7:22pm EST

This week’s episode is a news roundup without interview.  We lead with the Senate’s overwhelming adoption of unexpectedly tough Russia sanctions along with the Iran sanctions bill.  The mainstream press has emphasized that the bill will lock the Obama sanctions into legislation, but Anthony Rapa explains that the bigger story is just how tough the bill will be on investors in Russia’s energy sector, including European and other third-country firms.  This is going to put heavy pressure on the House and its Republican majority, where enthusiasm for punishing Russia has been more tepid.

In other legislative news, the Freedom Caucus has announced that it doesn’t know what it wants from 702 renewal, but it wants something.  At least that’s how I read the Caucus’s two sentence press release on Section 702 renewal.  In its entirety, the release says, “Government surveillance activities under the FISA Amendments Act have violated Americans’ constitutionally protected rights.  We oppose any reauthorization of the FISA Amendments Act that does not include substantial reforms to the government’s collection and use of Americans’ data.” In a rare show of Cyberlaw podcast consensus, Michael Vatis agrees.

Meanwhile, NSA and GCHQ are now linking WannaCry to North Korea.  The bad news is that North Korea is bringing the same spirit to cyberattacks that it has brought to nukes and missiles.  The good news is that the North Koreans are still bad at cyberattacks.  But they were bad at nukes and missiles once as well.

And we circle back to put the boot in on Reality Winner – the self-proclaimed “pretty, white, and cute” dingbat who leaked an NSA memo on Russia’s election hacking to the Intercept, which then managed to match her opsec cluelessness with its own.  

The export of exploits for internal security purposes is getting plenty of press, as the BBC goes after exports from Denmark to the Arab world while the New York Times exposes misuse of exploits to compromise critics of the Mexican government

As always, the Cyberlaw Podcast welcomes feedback. Send an email to or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-170.mp3
Category:general -- posted at: 4:47pm EST

In the news roundup, Benjamin Wittes makes a cameo appearance, defending Jim Comey (but not the FBI) from my suggestion that leaking has a long and unattractive history at the FBI.  Brian Egan takes us deep on federal records law.

Next, Ben actually finds himself to my right as we try to negotiate a quick resolution to the growing impasse over section 702.

I will never live it down. Nor will Ben.

Maury Shenk explains what the UK election means for tech.  Who knew?  The Unionists actually have a tech platform.

Maury and Brian muse on what the Qatar crisis tells us about cyberattacks – they may turn out to be much more effective as short-term one-offs than as sustained campaigns.

China has found a way to use its new cybersecurity law — to investigate Apple, naturally.  A better target would be the Chinese company Rafotech, which has installed something that looks a lot like spyware on 250 million machines.  I’ll be at the Irish government’s Data Protection Summit later this week, and I’ll be asking why the EU is wasting its human rights capital on fights with the US instead of China.

Finally, we cover Ukraine’s unusual new sanctions aimed at Russian social media companies, which are also Ukraine’s main social media companies?  No doubt there are censorship issues lurking in that program, but I can’t help wondering why human rights groups are riding the first amendment to the rescue of companies that dance to Vladimir Putin’s tune.

To close the episode, I interview Ben Buchanan, Fellow of the Cyber Security Project at the Harvard Kennedy School of Government.  I challenge the thesis of his book, The Cyber Security Dilemma: Hacking, Trust and Fear, and he holds up under the challenge pretty well.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to or leave a message at +1 202 862 5785.



The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-169.mp3
Category:general -- posted at: 6:05pm EST

Episode 168 features the Tinkers-to-Evers-to-Chance of global censorship, as Filipino contractors earning minimum wage delete posts in order to satisfy US tech companies who are trying to satisfy European governments.  In addition to Maury Shenk, our panel of interlocutors includes David Sanger, Chief Washington Correspondent for The New York Times, and Karen Eltis, Professor of Law at the University of Ottawa. Even if you think that reducing Islamic extremist proselytizing online is a good idea, I conclude, that’s not likely to be where the debate over online content ends up.  Indeed, even today, controls on hate speech are aimed more at tweets that sound like President Trump than at extremist recruiting.  Bottom line:  no matter how you slice it, the first amendment is in deep trouble.

In other news, I criticize the right half of the blogosphere for not reading the FISA court decision they cite to show that President Obama was spying illegally at the end of his term. Glenn Reynolds, I’m talking about you!

The EU, in a bow to diplomatic reality, will not bother trying to improve the Safe Harbor deal it got from President Obama.  Instead, it will try to get President Trump to honor President Obama’s privacy promises. Good luck with that, guys!

Wikimedia’s lawsuit over NSA surveillance has been revived by the court of appeals, and I find myself unable to criticize the ruling.  If standing means anything, it seems as though Wikimedia ought to have standing to sue over surveillance; whether Wikimedia should be wasting our contributions on such a misconceived cause is a different question.

China’s cybersecurity law has mostly taken effect Maury explains how little we know about what it means.

Finally, David Sanger, in his characteristic broad-gauge fashion, is able to illuminate a host of cyber statecraft topics: whether the North Koreans are getting better at stopping cyberattacks on their rocket program; how good a job did Macron really did in responding to Russian doxing attempt; and what North Korean hackers are up to in Thailand.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to or leave a message at +1 202 862 5785.


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-168.mp3
Category:general -- posted at: 2:02pm EST


Episode 167 sees blockchain take over the podcast again.  With Stewart traveling, Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and digital currency.  Our guest is Meltem Demirors, Director of Development at Digital Currency Group.  Podcast regular Maury Shenk joins members of Steptoe’s Blockchain and Digital Currency Practice, including financial regulation practitioner Matt Kulkin, tax guru Cameron Arterton, and author of several recent smart contracts blog posts Jared Butcher, in breaking down the current state of affairs in the blockchain world.

Our episode begins by looking at the brewing controversy in the tax world.  Cameron skillfully takes us through IRS Notice 2014-21, which provided initial guidance for how virtual currencies would be treated for tax purposes, as well as the charmingly-named TIGTA Virtual Currency Report, released in September 2016, which told the IRS that it hadn’t done much beyond issuing this guidance to flesh out what it actually meant to consumers and businesses.  The IRS responded with the notorious Coinbase Summons, a John Doe summons that requested records of over 500,000 Coinbase subcribers.  Needless to say, this led to Coinbase users challenging the summons in court and moving to quash, while Congressional leaders question the wisdom of the IRS summons.  Cameron and Alan consider this an opportune moment for the IRS to work with the industry to develop additional guidance.

We then take on the emerging phenomenon of token sales, nicknamed Initial Coin Offerings or ICOs.  Matt and Alan tell us what in the world this is, how token sales work, and some of the legal challenges, including whether ICOs constitute sales of securities under the Howey test and the question of fiduciary duties.  Matt and Alan conclude that ICOs can vary significantly from each other and that ultimately virtual currencies and tokens may simply be a new asset class.

Steptoe has done a lot of writing lately on smart contracts, and Jared takes us through several recent Steptoe Blockchain Blog posts on reasons to put an arbitration clause in your company’s smart contracts, tips for drafting arbitration clauses in smart contracts, and best practices for limiting liability arising from smart contract vulnerabilities. Jared and Alan discuss the new approach companies need to take in considering issues like dispute resolution and liability limitations in the context of smart contracts.

We then go across the pond to Europe, where Maury gives us the status of the delayed EU proposal to extend AML regulation to virtual currencies.  Maury predicts that the legislation will pass this year forcing companies that provide virtual currency related services, such as exchanges and wallets, to comply with very burdensome requirements.

Finally, in the lightning round, Alan tells us about the recent surge in the price of bitcoin and other cryptocurrencies; Matt tell us about the future of leadership at the Commodity Futures Trading Commission and gives us an update on the Office of the Comptroller of the Currency’s proposed Fintech Charter, including a lawsuit by state regulators to head off this initiative.

In our interview, Meltem takes us through the current landscape of virtual currencies, including DCG’s recent launch of blockchain accelerator DCG Connect.  Meltem tells us about the current state of play for blockchain use cases and blockchain companies, and gives her thoughts on the ICO craze.  Meltem shares her thoughts on what she thinks are the most interesting things that she sees coming in the future, and she tells us what we should be looking for as signals that we’ve moved to the next stage of technical adoption of blockchain technology.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to or leave a message at +1 202 862 5785.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: SteptoeCyberlawPodcast-167.mp3
Category:general -- posted at: 11:37am EST