Thu, 19 December 2019
For this special edition of the Cyberlaw Podcast, we’ve convened a panel of experts on intelligence and surveillance legal matters. We take a look at the Department of Justice Inspector General’s report on the FBI’s use of FISA applications – and the many errors in those applications. We also touch on FBI Director Wray’s response, as well as a public order issued by the Foreign Intelligence Surveillance Court. We wrap up with thoughts on how to resolve some of the issues identified by the IG’s report and suggestions for improving the FISA process.
Joining me on the panel:
The Cyberlaw Podcast is going on hiatus for the holidays. We’ll be back in January with more insights into the latest events in technology, security, privacy, and government.
As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.
Mon, 16 December 2019
This week Maury Shenk guest hosts the podcast.
Even with a "phase one" trade deal with China apparently agreed upon, there's, of course, plenty still at stake between China and the US in the tech space. Nate Jones reports on the Chinese government order for government offices to purge foreign software and equipment within three years and the plans of Arm China to develop chips using “state-approved” cryptography. Nick Weaver and I agree that, while there are some technical challenges on this road, there's a clear Chinese agenda to lose dependency on US suppliers.
In the Department of Hacking, the aptly-named Plundervolt allows hackers to steal data using the power supply of Intel chips. The immediate hole has been closed, but Nick thinks the hack suggests bigger problems for Intel down the road. We also discuss Apple's flirtation with the using DMCA to get Twitter to de-tweet an encryption key compromising a less-than-critical aspect of iPhone 11 security, and I report on an 11th Circuit decision on insurance coverage for losses from spear-phishing.
With Stewart Baker away, I point out that it's not just the EU that is going after Big Tech. Amazon's new-ish Ring subsidiary seems to have scored a couple of own-goals with privacy and security practices for its smart doorbells – Nick explains in detail. And I relate the Wall Street Journal report that the FTC is considering seeking an injunction of Facebook app integration, and the big 7.5% tax that Turkey will levy on digital services beginning in March.
Finishing up in the Gulf, we look at a “very big” cyberattack on Iranian banks that the Iranian government claims is state-sponsored. Nate doubts intimations that the US is involved, and we agree that political and commercial motives are difficult to disentangle in this type of attack. Across the Strait of Hormuz, we explore the involvement of former counterterrorism czar Richard Clarke in helping the United Arab Emirates build its DREAD (who thought that was a good name?) counterterrorism unit and the policy implications and slippery slope of allowing US expertise to be used for such efforts.
As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.
Tue, 10 December 2019
The apparent terror attack at Naval Air Station Pensacola spurs a debate among our panelists about whether the FISA Section 215 metadata program deserves to be killed, as Congress has increasingly signaled it intends to do. If the Pensacola attack involved multiple parties acting across US borders, still a live possibility as we talked, then it would be just about the first such attacks since 9/11 – and exactly the kind of attack the metadata program was designed to identify in advance.
Nick Weaver tells us that China has resurrected the Great Cannon to attack a popular Hong Kong forum for protesters. I ask why Google hasn’t started issuing warnings to Web browsers who cross the Great Firewall into China without enabling HTTPS to foil the Great Cannon. Meanwhile, Microsoft is working hard to make GitHub, an early Great Cannon victim, an essential part of China’s IT infrastructure. GitHub was attacked because it hosted some content that China hated, including the New York Times, and we verify in real-time that, despite the lure of the Chinese market, Microsoft has not told GitHub to dump the offending content.
In more China news, the trial lawyers are circling TikTok like a wounded wildebeest on the veldt. A California class action alleges that TikTok harvested and sent data to China, and an Illinois class action charges the company with violating COPPA by marketing to children without sufficient privacy safeguards.
Paul Rosenzweig and I dig deep into the 20-year history behind the now-abandoned proposal to conduct airport facial scans on US citizens leaving the country. We reach broad agreement that this is one of the rare privacy versus national security debates in which there’s precious little privacy or national security at stake.
Matthew Heiman provides an overview of the remarkable international food fight over taxes on digital business. USTR is threatening big tariffs on French wine to counter France’s digital tax. Spain is apparently eager to join France in the fight. And the effort to work everything out at the OECD, where the EU has a 20-1 voting advantage over the US, has predictably not worked out well from the US point of view.
Cue the white cat: The United States has actually imposed sanctions on “Evil Corp.” Nick explains that this is part of criminal charges against two highly effective Russian bank hackers – and arguably a confession of weakness on the US government’s part.
Meanwhile, Amazon’s efforts to avoid tort liability for third-party sales on its site look to be suffering a long strategic defeat in the courts. The latest example is a Sixth Circuit ruling allowing plaintiffs to pursue product tort claims against the Internet giant.
I offer a quick update and some kind words for Nancy Pelosi, who is calling for modification of the North American free trade deal to drop the provision turning Section 230 of the Communications Decency Act into international law. This is a genuinely bipartisan complaint, so perhaps she’ll prevail.
Paul gets stuck explaining two dog-bites-man stories. The FBI says any Russian app could be a counterintelligence threat. What else could they say? And the European Commission, when asked what US regulation of encryption would mean for Europe, says more or less that it may have to move from eyebrow-lifting to throat-clearing.
And Nick closes the program with advice about the new Android exploit that works (in the right circumstances) to compromise apps running on a fully patched and up-to-date Android phone.
As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
Fri, 6 December 2019
Algorithms are at the heart of the Big Data/machine learning/AI changes that are propelling computerized decision-making. In their book, The Ethical Algorithm, Michael Kearns and Aaron Roth, two Computer Science professors at Penn, flag some of the social and ethical choices these changes are forcing upon us. My interview with them touches on many of the hot-button issues surrounding algorithmic decision-making. Michael and Aaron may not agree with my formulation, but the conversation provides a framework for testing it – and leaves me more skeptical about “bias hacking” of algorithmic outputs.
Less controversial, but equally fun, is a dive into the ways in which Big Data and algorithms defeat old-school anonymization – and the ways in which that problem can be solved. Our guests from Philadelphia help me understand the value of differential privacy. And if you wondered why, say, much of the social science and nutrition research of the last 50 years doesn’t hold up to scrutiny, blame Big Data and algorithms that reliably generate significant correlations once in every 20 tries.
Michael and Aaron also take us deep into the unexpected social costs of algorithmic optimization. It turns out that a recommendation engine that produces exactly what we want, even when we didn’t know we wanted it, is great in the moment but maybe not so great for society. Creating markets in areas once governed by social norms can optimize individual choice but at a considerable social cost, and it turns out that algorithms can do the same – optimize individual gratification in the moment while roiling our social and political order in unpredictable ways. We would react badly to a proposal that dating choices become microeconomic transactions (otherwise known as prostitution) but we don’t feel the same way about reducing them to algorithms. Maybe we should.
Wed, 4 December 2019
This Week in the Great Decoupling: The Commerce Department has rolled out proposed telecom and supply chain security rules that never once mention China. More accurately, the Department has rolled out a sketch of its preliminary thinking about proposed rules. Brian Egan and I tackle the substance and history of the proposal and conclude that the government is still fighting about the content of a policy it’s already announced. And to show that decoupling can go both ways, a U.S.-based chip-tech group is moving to Switzerland to reassure its Chinese participants. Nick Weaver and I conclude that there’s a little less here than Reuters seems to think.
Mark MacCarthy tells us that reports of the University of Chicago’s weather turning sunny and warm for hipster antitrust plaintiffs are probably overdone. Even so, Silicon Valley should be at least a little nervous that even Chicago School enforcers are taking a hard look at personal data and free services as sources of anti-competitive conduct.
Mark also highlights my favorite story of the week, as the Right to be Forgotten discredits itself in, where else, Germany. Turns out that you can kill two people and wound a third on a yacht in the Atlantic, get convicted, serve 20 years, and then demand that everybody just forget it happened. The doctrine hasn’t just jumped the shark. It’s doubled back and put a couple of bullets in the fish for good measure.
Nick explains why NSA is so worried about TLS inspection. And delivers a rant on bad cybersecurity software along the way.
It’s been a bad week for TikTok, which was caught blocking an American Muslim teen who posted about Uighurs in China and offered an explanation that was believable only because US social media companies have offered explanations that were even less credible. I suggest that all the criticism will just lead to more and sneakier ways to block disfavored content without getting caught. And Brian tells us how the flap might affect TikTok’s pending CFIUS negotiation.
Nick ladles out abuse for the bozo who thought it was a good idea to offer cryptocurrency advice on avoiding sanctions to Kim Jong Un’s cyber bank robbers. And Brian explains that the government’s prosecution of the bozo might have to tiptoe past the First Amendment.
Senate Democrats have introduced the Consumer Online Privacy Rights Act, an online privacy bill with an unfortunate acronym (think fossilized dinosaur poop). Mark and I conclude that the bill is more a sign that Washington isn’t going to do privacy before 2021.
Who can resist GPS crop circle spoofing by sand pirates? Not Nick. Or me. Arrr.
I update our story on DHS’s CISA, which has now issued in draft a binding operational directive on vulnerability disclosure policies for federal agencies. It’s now taking comments on GitHub.
And in quick hits: The death of the Hippie Internet, part 734: Apple changes its map to show Crimea as Russian, but only for Russians; Facebook accepts correction notice from the Singapore government; our own Paul Rosenzweig will be an expert witness in the government’s prosecution of the Vault 7 leaker; and Apple’s bad IT cost it $467,000 for sanctions violations. I ask whether we should be blaming Scooby-Doo for the error.
Join Steptoe for a complimentary webinar on Tuesday, December 10. We’ll be talking about the impacts on retailers of the newly implemented California Consumer Privacy Act and the EU’s General Data Protection Regulation. This is a fast-moving area of the law; we can keep you up to date. You can find out more and register here.
Tue, 26 November 2019
Brad Smith is President of Microsoft and author (with Carol Ann Browne) of Tools and Weapons: The Promise and Peril of the Digital Age.” The book is a collection of vignettes of the tech policy battles in the last decade or so. Smith had a ringside seat for most of them, and he recounts what he learned in a compelling and good-natured way in the book—and in this episode’s interview. Starting with the Snowden disclosures and the emotional reaction of Silicon Valley, through the CLOUD Act, Brad Smith and Microsoft displayed a relatively even keel while trying to reflect the interests of its many stakeholders. In that effort, Smith makes the case for more international cooperation in regulating digital technology. Along the way, he discloses how the Cyberlaw Podcast’s own Nate Jones and Amy Hogan-Burney became “Namy,” achieving a fame and moniker inside Microsoft that only Brangelina has achieved in the wider world. Finally, he sums up Microsoft’s own journey in the last quarter century as a recognition that humility is a better long-term strategy than hubris.
Turning to the news, it looks like the surveillance renewal debate will be pushed to March 15 instead of Dec. 15. That’s thanks to impeachment, David Kris assesses. We summarize what’s up for renewal before turning to the hottest of FISA topics: The Justice Department’s inspector general report on bias in the FBI’s investigation of the Trump-Russia connection in 2016. All we’re getting at this point is self-serving leaks, but it sounds as though the report is finding real misbehavior only in the lower rungs of the Bureau. The IG finds no political bias at the top, but criminal charges against one lawyer look possible.
David sums up China’s Vulnerability Equities Process: “You can disclose the vulns when MSS is done using them.”
Nick Weaver, meanwhile, tells us that China’s dependence on U.S.-origin AI frameworks is more a matter of bragging rights rather than real disadvantage—unless you think that being unable to deny access to GitHub is a real disadvantage. And if you’re Xi Jinping, you might.
Nate Jones, already immortalized as the quiet half of Namy, reveals that Iran’s APT33 is targeting industrial control systems—and that Iran has shut down its Internet for several days in the face of civil unrest. I suggest that we keep track of the regime-essential links that stay up—so we can take them down if Iran decides to use its new upstream access to industrial control systems.
Nate and I ask why a majority of the UN General Assembly bought into a Russian proposal for a “cybercrime” resolution. Hint: Many of the governments that support it couldn’t survive a democratic election and a free press.
Speaking of Russians, Nick flags a Brian Krebs explainer on why the Russians really, really didn’t want their accused cybercriminal extradited from Israel to the US.
David and I gape in wonder at the chutzpah of the Indiana police force that accused a suspected drug dealer of theft for removing a police GPS tracker from his car—and then used that theft to justify a search of his home.
And in quick hits, Nick covers the new Russian law that prohibits sale of devices without preinstalled “alternative” software. And Nick and I debate the value and legality of Uber’s plan to introduce audio recordings during rides.
Join Steptoe for a complimentary webinar on Tuesday, Dec. 10. We’ll be talking about the impacts on retailers of the newly implemented California Consumer Privacy Act and the EU’s General Data Protection Regulation. This is a fast-moving area of the law; we can keep you up to date. You can find out more and register here.
Wed, 20 November 2019
This Week in Mistrusting Google: Klon Kitchen points to a Wall Street Journal story about all the ways Google tweaks its search engine to yield results that look machine-made but aren’t. He and I agree that most of these tweaks have understandable justifications – but you have to trust Google not to misuse them. And increasingly no one does. The same goes for Google’s foray into amassing and organizing health data on millions of Americans. It’s a nothingburger with mayo, unless you mistrust Google. Since mistrusting Google is a growth industry, it’s getting a lot of attention, including from HHS investigators. Matthew Heiman explains, and when he’s done, my money is on Google surviving that investigation comfortably. The capital of mistrusting Google is Brussels, and not surprisingly, Maury Shenk tells us that the EU has forced Google to modify its advertising protocols to exclude data on health-related sites visited by its customers.
A Massachusetts federal district court says suspicionless device searches at borders are not okay. Matthew and I dig into the details. Bottom line: Requiring reasonable suspicion for electronics searches isn’t a tough standard, but reason to believe the phone contains contraband is likely to stop a lot of searches. But that’s only good news for US citizens. Foreign travelers’ phones can also be searched if there’s reason to believe they contain evidence relevant to whether they should be admitted to the country, and reasonable suspicion that such evidence will be found is not hard to come by.
The US Supreme Court will be deciding whether APIs can be copyrighted (or whether copying them is fair use). I put my Supreme Court maven cred on the line, predicting that the Court is going to reverse the federal circuit and reject Oracle’s claim that it can extract hefty rent payments from Google for Android’s use of Oracle APIs.
Klon unpacks the story of the Chinese hackers who’ve been spying on the US National Association of Manufacturers.
Maury and I throw shade at the federal court’s claim that it’s arbitrary and capricious for the Trump Administration to conclude that it couldn’t really administer an export control ban on the release of 3D gun plans.
In a lightning round, no one should be surprised that Microsoft is making CCPA the law of the land. Nor that Amazon sells a lot of stuff directly from China. Or, frankly, that the hullabaloo over “sophisticated” DDoS attacks on British political parties is just campaign grist.
Fri, 15 November 2019
The Foreign Agent Registration Act is having a moment – in fact its best year since 1939, as the Justice Department charges three people with spying on Twitter users for Saudi Arabia. Since they were clearly acting like spies but not stealing government secrets or company intellectual property, FARA seems to be the only law that they could be charged with violating. Nate Jones and I debate whether the Justice Department can make the charges stick.
Nick Weaver goes off on NSO Group for its failure to supervise the way its customers intrude on cell phone contents. I’m less sure that NSO deserves its bad rap, and I wonder whether WhatsApp should have compromised what looks like 1100 legitimate law enforcement investigations because it questions 100 other uses of NSO malware.
Speaking of Facebook’s judgment, Paul Rosenzweig and I turn out to be surprisingly sympathetic to the company’s stand on political ads and whether “Mama Facebook” should decide their truthfulness. Twitter, darling of the press, has gotten away with a no-political-ads stance that is at least as problematical.
Nate, Paul, and I go pretty far down the rabbit hole arguing whether search warrants should give police access to DNA databases.
The National Security Commission on Artificial intelligence has published its interim report, and Nick, Nate, and I can’t really quarrel with its contents, except to complain that it doesn’t break a lot of new ground.
And maybe all this AI is still a little overrated. Remember that AI fake news text generator that OpenAI claimed was “too dangerous to release”? Well it’s been released, and it turns out to be bone stupid. We test it live, and the results would have to have been a lot better to scratch their way up to “underwhelming.”
Nick tells us why nobody who ever worked with the US government should even change planes in Russia these days.
And in a lightning round, Paul and I ask when blowing off Congress became a thing anybody could do. Nick dumps on both sides in the Great DOH debate. Ted Cruz has called out USTR for sticking Section 230 into trade deals.
And This Week in Pew! Pew! Pew! It really is the 21st Century now that we’re using lasers to attack computers. Nick explains how to order fifty copies of Skating on Stilts using your neighbor’s Amazon account and a laser.
Fri, 15 November 2019
This episode is a wide-ranging interview with Andy Greenberg, author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. The book contains plenty of original reporting, served up with journalistic flair. It digs deep into some of the most startling and destructive cyberattacks of recent years, from two dangerous attacks on Ukraine’s power grid, to the multibillion-dollar NotPetya, and then to a sophisticated but largely failed effort to bring down the Seoul Olympics and pin the blame on North Korea. Apart from sophisticated coding and irresponsibly indiscriminate targeting, all these episodes have one thing in common. They are all the work of Russia's GRU.
Andy persuasively sets out the attribution and then asks what kind of corporate culture supports such adventurism – and whether there is a strategic vision behind the GRU’s attacks. The interview convinced me at least that the GRU is pursuing a strategy of muscular nihilism – "our system doesn't work, but yours too is based on fragile illusions." It's a kind of global cyber intifada, with all the dangers and all the self-defeating tactics of the original intifadas. Don't disagree until you've listened!
Tue, 5 November 2019
We open the episode with David Kris’s thoughts on the two-years-late CFIUS investigation of TikTok, its Chinese owner, ByteDance, and ByteDance’s US acquisition of the lip-syncing company Musical.ly. Our best guess is that this unprecedented reach-back investigation will end in a more or less precedented mitigation agreement.
I cover the WhatsApp suit against NSO Group over the use of spyware on WhatsApp’s network. I predict that this is going to be a highwire act given the applicable precedents on whether violating terms of service also violates the Computer Fraud and Abuse Act. I also muse on whether NSO will find ways to make this a much less comfortable lawsuit for WhatsApp to pursue.
I award the ACLU the prize for making a PR and fundraising mountain out of a molehill of a lawsuit. Matthew Heiman and I try to decide which took less effort – cutting and pasting the ACLU’s generic FOIA complaint or cutting and pasting the ACLU’s generic “Oh my God, it’s a surveillance dystopia” press release.
I comment on a heart-warming story about a geek in Normal, Illinois, who runs the most successful ransomware-rescue site in the world – and is going broke doing it. Advice to DHS’s CISA: Why not sponsor prizes for people who post ransomware decryptors with real impact?
Matthew tells us that Israel is creating its own CFIUS-like panel, and we note the longstanding tension between the US and Israel over Chinese access to Israeli technology.
David notes more decoupling: The Interior Department has grounded its entire drone fleet, citing the risk from Chinese manufacturers.
Mark and I find common ground in thinking the Facebook got the political ad censorship question more right than wrong. Twitter rises to the challenge, naturally.
In updates of past stories, I cover Coalfire’s persuasive critique of the sheriff who arrested the company’s pentesters in an Iowa courthouse. In another even longer-running story, the latest and perhaps the last word on the LabMD-Tiversa-FTC imbroglio can be found in an excellent New Yorker story that leaves LabMD looking good, the FTC looking bad, and Tiversa looking like a candidate for criminal prosecution. Finally, David updates the story of the 2016 Uber hack that cost the company’s chief security officer his job. It’s also going to cost the hackers their freedom, as they plead guilty to CFAA violations.
Thu, 31 October 2019
I talk about the photographs of Congresswoman Katie Hill and whether the rush to portray her as a victim of revenge porn raises questions about revenge porn laws themselves. Paul Rosenzweig, emboldened by twin tweets – from President Trump calling Never-Trumpers like him “human scum” and from Mark Hamill welcoming him to the Rebel Scum Alliance – takes issue with me.
Paul explains a Georgia Supreme Court ruling that cops need a warrant to access automobile data after an accident.
Brian and I talk about why DHS might issue a binding operational directive requiring federal agencies to adopt vulnerability disclosure programs.
Paul unpacks the thinking behind a finding of bias in a widely used algorithm found in a healthcare system.
Maury tells us that “going dark is not going dark.” India’s Supreme Court is consolidating the legal fights over WhatsApp’s end-to-end encryption. In Afghanistan, meanwhile, the New York Times says that WhatsApp has become a key tool for communication by the government.
I note a well-written study that contradicts the media narrative that YouTube’s recommendation engine is what’s radicalizing Americans. According to the authors, the problem isn’t YouTube’s recommendations but an audience that is looking for the kinds of alternative content that conservatives (not to mention the Alt-Right and the Alt-Lite) are offering.
In shorter takes, Paul and I cover Microsoft beating AWS for an enormous Pentagon cloud contract, and Brian takes on the question of lies in political ads on Facebook. I ask whether we would be wise to follow Russia’s example and disconnect from the Internet from time to time.
Finally, Maury and I explore the challenge that TikTok poses not just to the US government but also to the Chinese government. Short take: TikTok can get away with more pro-Hong-Kong-protest speech in the US than the NBA can.
Tue, 22 October 2019
Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school’s Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on recent FISA court opinions and the changes they forced in FBI procedures. In the course of that discussion, I realize that every “reform” of intelligence dreamed up by Congress in the last decade has turned out to be a self-licking compliance trap, and I take back some of my praise for the DNI’s lawyering.
In the News Roundup, we’re inundated by serious new reports on cyberattacks. Dave Aitel admits that the hacking group he envies most is Turla, which was recently discovered to have totally pwned and stolen the entire attack infrastructure of an Iranian government team. Dave notes that Avast has succumbed to a second, far-reaching intrusion into its network, reminiscent of the last attack, which led to the company sending out a compromised CCleaner application: We may never know whether Avast got the intruder out, Dave suggests, but his hat is off to the company’s PR team. In still more pwnage news, Dave praises two new detailed reports from security companies: FireEye’s report on APT41’s combination of espionage and cybercrime and Crowdstrike’s report on amazingly successful Chinese efforts to steal aircraft intellectual property. And one more: Cyber Command has leaked the bare minimum of information designed to show that Iran’s strike against Saudi oil facilities did not go unpunished. Dave and I take our hats off to Iran’s PR team, which responded to the vague leak by claiming that Cyber Command “must have dreamt it.”
In other news, Gus Hurwitz breaks down a recent Ninth Circuit decision construing the Section 230 immunity for tools that filter content on the Internet. Remarkably, two judges thought that the immunity for preventing access to “objectionable” content would allow a company to cut off consumers’ access to its competitor’s products. Luckily, the two judges were a district court judge and the Ninth Circuit dissenter. But the close call shows how broadly the “objectionable” immunity sweeps. Which raises the question whether our trade agreements should broaden the immunity and turn it into international law that can’t be amended easily, or at all. That was a point of rare bipartisan agreement at a recent House hearing. But there’s no sign yet that Congress is going to reject the trade deals that do this. Gus and I also touch on the latest flaps over social media content monitoring.
Poor Equifax: Just when they were hoping the worst had passed, the plaintiff’s bar doxxed even more embarrassing security failings. Dave offers this cold comfort: All the mistakes that were offered to show that Equifax security was bad could be found in pretty much any network in the country. More cold than comfort, Dave!
And, finally, we close with This Week in Puerile Jokes: All inspired, of course, by the UK Government’s decision to drop its plan to require ID to watch sex videos online.
Tue, 15 October 2019
Our interview is with Sultan Meghji, CEO of Neocova. We cover the large Chinese investment in quantum technology and what it means for the United States. It’s possible that Chinese physicists are even better than American physicists at extracting funding from their government. Indeed, it looks as though some quantum tech, such as the use of entangled particles to identify eavesdropping, may turn out to have dubious military value. But not all. Sultan thinks the threat of special purpose quantum computing to break encryption poses a real, near-term threat to U.S. financial institutions’ security.
In the News Roundup, we cover the new California Consumer Privacy Act regulations, which devote a surprising amount of their 24 pages to fixing problems caused by the Act’s feel-good promise that consumers can access and delete the information companies have on them. Speaking of feel-good laws that are full of liability land mines for companies, the Supreme Court has let stand a Ninth Circuit ruling that allows blind people to sue under the Americans with Disabilities Act if websites don’t accommodate their needs. Nick Weaver and I explore the risks of making law by retroactively imposing liability.
Weirdly for a populist administration that says it hates the big social platforms for restricting speech, the Trump trade negotiators are actually expanding Section 230 immunities for Silicon Valley that both left and right have begun to question. The expansion is buried in hard-to-amend and even-harder-to-repeal trade agreements. By way of explanation, I explain the Realpolitik of trade deals. As if to prove my point, the U.S. and Japan have signed a Digital Trade Agreement that has much the same provision.
Nick and I muse on the rise of Commerce Department sanctions on individual companies. In a way, such sanctions are a less harsh alternative to OFAC boycotts, but like antibiotics, they either destroy the target or teach it to develop better resistance for the future.
Does TLS stand for “Tough Luck, Sucker?” That’s the message of a new and clever form of malware, softly attributed to the Russian FSB.
Apple, having banned, then unbanned an app that locates police activity in Hong Kong, has re-banned it. Tim Cook’s explanation triggers Nick’s bovine excrement detection system. In a Final Four of Hypocritical Surrender, LeBron and the NBA give ESPN a run for its money. South Park fails to qualify.
Nick and I consider DHS’s request for the power to subpoena ISPs to identify owners of compromised systems. I critique Herb Lin’s suggestion that the ISPs can solve the problem without giving data to DHS.
As Matthew notes, it was just last month that the French government gave the world a stiff-necked little lecture on respecting sovereignty in cyberspace. So why are French police helping reprogram computers in Latin America? Because it’s different when the French are doing it than when it’s done to them, I surmise.
A recent “good guy with a keyboard” story offers me one more chance to ask why someone who’s rescued hundreds from ransomware should have to worry for one minute about liability for the compromised C2 machines he re-compromised in the rescue.
Matthew and I try to simplify a complex ruling from two FISA courts. Among the takeaways: The FBI has been running a lot of searches against 702 databases (3.1 million a year!), and the FISA courts are overusing the Fourth Amendment, which in FISA minimization cases is like trying to do brain surgery with a chainsaw.
Argh! That embarrassing Bloomberg Supermicro story is back. Sort of. Wired has shown that something like this could really be done. Which, Nick points out, we already knew.
I give a shoutout to Jennifer Daskal and Peter Swire for their useful overview of the U.K.-U.S. CLOUD Act, but I wonder if mutual “no targeting of the other country’s nationals” assurances are a scalable solution.
Finally, Matthew reviews the second volume of the Senate Intelligence Committee’s investigation into Russian election interference. The TL;DR? The Russians did what you think they did. Mildly surprising: After starting out just trying to hurt Hillary, by the end the Russians seem to have been trying to help Trump too.
Tue, 8 October 2019
Today’s episode opens with a truly disturbing bit of neocolonial judicial lawmaking from the Court of Justice of the European Union. The CJEU ruled that an Austrian court can order Facebook to take down statements about an Austrian politician. Called an “oaf” and a “fascist,” the politician more or less proved the truth of the accusations by suing to keep that and similar statements off Facebook worldwide. Trying to find allies for my proposal to adopt blocking legislation to protect the First Amendment from foreign government interference, I argue that President Trump should support such a law. After all, if he were ever to insult a European politician on Twitter, this ruling could lead to litigation that takes his Twitter account offline. True, he could criticize the judges responsible for the judgment as “French” or “German” without upsetting CNN, but that would be cold comfort. At last, a legislative and international agenda for the Age of Trump!
I try my hand at explaining the D.C. Circuit’s Net Neutrality ruling in Mozilla v. FCC. There are still some rounds to be played, but Net Neutrality, if not dead, may at least be pining for the fjords.
Introducing a new feature: This Week in Elizabeth Warren. She has a plan to revive the Congressional Office of Technology Assessment. Nick likes the idea. I’m less enthusiastic, perhaps because I actually did some work for OTA before it disappeared.
Nick also helps unpack the flap over Google’s proposal to do DNS-over-HTTPS, and why ISPs aren’t happy about it. Bottom line: If you haven’t been paying much attention to the issue, you’ve made the right choice. Just think of how much time you saved by listening to the podcast!
Nick explains how Uzbekistan managed to give cyberattacks an aura, not of menace or invincibility, but of clownish incompetence.
David Kris explains the objections from privacy advocates and NGOs to the French government’s use of nationwide facial recognition for its ID program. I suggest that this may be the dumbest face recognition privacy “scandal” in history.
The cops shut down a Dark Web data center operating from… a NATO bunker? Nick reveals that the main reason to operate from a NATO bunker is, well, marketing.
Apparently channeling Stewart Baker, Attorney General Bill Barr is all-in on discouraging mass-market warrant-proof encryption. Nick thinks he’s picked the wrong fight. And maybe Nick’s right, since the civil-liberties shine on Apple is looking a little scuffed these days.
David tells us that NSA has launched a new defense directorate with Anne Neuberger at its helm. I promise to have her on the podcast early next year.
David talks about the California man charged with delivering classified information to China’s Ministry of State Security.
A Yahoo engineer pleads guilty to hacking emails for pornographic images. I’m surprised this doesn’t happen every month.
And in a sign that Congress can reach bipartisan agreement on bills that do more or less nothing, both the House and the Senate have adopted bills authorizing (but not funding) DHS “cyber hunt” teams to help local governments suffering from cyber ransom and other attacks.
Bringing back an old favorite, I cover the hacking of an electronic billboard to play porn.
Fri, 4 October 2019
In this episode I cross swords with John Samples of the Cato Institute on Silicon Valley’s efforts to disadvantage conservative speech and what to do about it. I accuse him of Panglossian libertarianism; he challenges me to identify any way in which bringing government into the dispute will make things better. I say government is already in it, citing TikTok’s People’s Republic of China-friendly “community standards” and Silicon Valley’s obeisance to European standards on hate speech and terror incitement. Disagreeing on how deep the Valley’s bias runs, we agree to put our money where our mouths are: I bet John $50 that Donald J. Trump will be suspended or banned from Twitter by the end of the year in which he leaves office.
This Week in Counterattacks in the War on Terror: David and I recount the origins and ironies of Congress’s willingness to end the NSA 215 phone surveillance program. We also take time to critique the New York Times’s wide-eyed hook-line-and-sinker ingestion of an EFF attack on the FBI’s use of National Security Letters.
Edward Snowden’s got a new book out, and the Justice Department wants to make sure he never collects his royalties. Nate explains. I’m just relieved that I will be able to read it without having to shoplift it. And it seems to be an episode for challenges, as I offer Snowden a chance to be interviewed on the podcast—anytime, anywhere, Ed!
I credit David for inspiring my piece questioning how long end-to-end commercial encryption is going to last, and we note that even the New York Times seems to be questioning whether Silicon Valley’s latest enthusiasm is actually good for the world.
Matthew tells us that China may have a new tool in the trade war—or at least to keep companies toeing the party line: The government is assigning social credit scores to businesses.
Finally, Matthew outlines France’s OG take on international law and cyber conflict. France opens up some distance between its views and those of the United States, but everyone will get a chance to talk at even greater length on the topic, as the U.N. gears up two different bodies to engage in yet another round of cyber-norm-building.
Tue, 1 October 2019
Mon, 16 September 2019
Will International Trade Law Prevent the U.S. from Regulating the Security of the Internet of Things?
Joel Trachtman thinks it’s a near certainty that the World Trade Organization agreements will complicate U.S. efforts to head off an Internet of Things cybersecurity meltdown, and there’s a real possibility that a U.S. cybersecurity regime could be held to violate our international trade obligations. Claire Schachter and I dig into the details of the looming disaster and how to avoid it.
The California legislature has adjourned, leaving behind a smoking ruin where Silicon Valley’s business models used to be. Mark MacCarthy elaborates: One new law would force companies like Uber and Lyft (and a boatload more) to treat workers as employees, not contractors. Another set of votes has left the California Consumer Privacy Act more or less unscathed as its 2020 effective date looms. Really, it’s beginning to look as though even California hates Silicon Valley.
Klon Kitchen and I discuss the latest round of U.S. sanctions on North Korean hacking groups. The sanctions won’t hit anyone in North Korea, but they might affect a few of their enablers on the Internet. The real question, though, is this: Since sanctions violations are punishable even when they aren’t intentional, will U.S. companies whose money is stolen by the Lazarus Group be penalized for having engaged in a prohibited transaction with a sanctioned party? Maybe the Lazarus Group should steal a license too, just to be sure.
Klon also lays out in chilling detail what the Russians were really trying to do to Ukraine’s grid—and the growing risk that someone is going to launch a destructive cyberattack that leads to a cycle of serious real-world violence. The drone attack on Saudi oil facilities shows how big that risk can be.
Paul examines reports that Israel planted spy devices near the White House. He thinks it says more about the White House than about Israel.
Paul also reports on one of the unlikelier escapades of students from his alma mater: Trading 15 minutes at the keyboard for a lifetime of trouble on their permanent records. The lesson? If you try to access the president’s tax data online, you’re going to jail, prank or not.
I walk back the deepfake voice scam story, but Klon points out that it reflects a future that is coming for U.S. soon, if not today.
Proving the old adage about a fool for a lawyer, the Mar-a-Lago trespasser has been found guilty after an ineffective pro se defense.
Klon digs into the long and thoughtful op-ed by NSA’s Glenn Gerstell about the effects of the “digital revolution” on national security.
Mon, 9 September 2019
Camille Stewart talks about a little-known national security risk: China’s propensity to acquire U.S. technology through the bankruptcy courts and the many ways in which the bankruptcy system isn’t set up to combat improper tech transfers. Published by the Journal of National Security Law & Policy, Camille’s paper is available here. Camille has enjoyed great success in her young career working with the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies, as a Cybersecurity Policy Fellow at New America, and as a 2019 Cyber Security Woman of the Year, among other achievements. We talk at the end of the session about life and advancement as an African American woman in cybersecurity.
Want to hear more from Camille on this topic? She’ll be speaking Friday, Sept. 13, at a lunch event hosted by the Foundation for Defense of Democracies (FDD). She’ll be joined by fellow panelists Giovanna Cinelli, Jamil Jaffer and Harvey Rishikof, along with moderator Dr. Samantha Ravich. The event will be livestreamed at www.fdd.org/events. If you would like to learn more about the event, please contact Abigail Barnes at FDD. If you are a member of the press, please direct your inquiries to email@example.com.
In the News Roundup, Maury Shenk tells us that UK courts have so far resisted a sustained media narrative that all facial recognition tech is inherently evil. Americans seem to agree, Matthew Heiman notes, since a majority trust law enforcement to use it responsibly. Which is more than you can say for Silicon Valley, which only 36 percent of Americans trust with the technology.
Mieke Eoyang and I talk about the Department of Homeland Security’s plan to use fake identities to view publicly available social media postings and the conflict with social media sites’ terms of service. I am unsympathetic, given the need for operational security in conducting such reviews, but we agree that DHS is biting off more than it can chew, especially in languages other than English. But really, DHS, how clueless can you be when your list of social media to be scrutinized includes three-years-dead Vine but not TikTok, which Mieke notes ironically is “what all the kids are using these days.”
Maury brings us up to speed on EU plans for the tech sector, which will be familiar to Brits contemplating the EU’s plan for them. And speaking of EU hypocrisy and incoherence (we were, weren’t we?), Erin Egan of Facebook has written a paper on data portability that deserves more attention, since it’s impossible to square the EU’s snit over Cambridge Analytica with its sanctifying of the principle of “data portability.” The paper also calls out the Federal Trade Commission for slamming Facebook for Cambridge Analytica while Commissioner Noah Phillips is warning that restrictions on data transfers can be anticompetitive. I promise to invite the commissioner on the podcast again to explore that issue.
Well, that was quick: Fraudsters used AI to mimic a CEO’s voice—accent, “melody” and all—in an unusual cybercrime case. Anyone can do this now, Maury explains. I tell listeners how to tell whether my voice has been AI-napped in future episodes.
In short hits, Mieke and I mock Denmark’s appointment of an “ambassador” to Silicon Valley. Way to cut the Valley down to size, Denmark! Maury notes that FinFisher is under investigation for violating EU export control law by selling spyware. Mieke does her best to rebut my suggestion that Silicon Valley’s bias is showing in the latest actuarial stat: It turns out that 10 percent of the accounts that President Trump has retweeted have been deplatformed. Matthew and I note that China has been caught hacking several Asian telecomm companies to spy on Uighurs. Of course, if the U.S. had 5,000 citizens fighting for the Islamic State and al-Qaeda, as China claims to have, we’d probably be hacking all the same companies. State attorneys general will launch sweeping and apparently bipartisan antitrust probes into Facebook and Google this week. Good to see Silicon Valley bringing Rs and Ds together at last; who says its business model is social division? Finally, Mieke leaves us uneasy about the online security of our pensions, as hackers steal $4.2 million from one fund via compromised email.
Thu, 5 September 2019
In this bonus episode of the Cyberlaw Podcast, Alex Stamos of Stanford’s Freeman Spogli Institute talks about the Institute’s recent paper on the risk of Chinese social media interference with Taiwan’s upcoming presidential election. It’s a wide-ranging discussion of everything from a century of Chinese history to the reasons why WeChat lost a social media competition in Taiwan to a Japanese company. Along the way, Alex notes that efforts to identify foreign government election interference have been seriously degraded by (what else?) privacy law, mixed with fear of commercial consequences when China is the attacker. If companies make data about foreign government and “inauthentic” users public, the risk of liability under GDPR as well as Chinese retaliation is real, and the benefits go more to the nation as a whole rather than to the companies taking the risk.
During the interview, Alex references a paper co-authored by his colleague, Jennifer Pan, regarding the “50c party.” You can find that paper here. He also mentions his recent op-ed in Lawfare, which you can find here.
Wed, 4 September 2019
And we’re back with an episode that tries to pick out some of the events of August that will mean the most for technology law and policy this year. Dave Aitel opens, telling us that Cyber Command gave the world a hint of what “defending forward” looks like with an operation that is claimed to have knocked the Iranian Revolutionary Guard’s tanker attacks for a long-lasting loop.
Speaking of China, it looks as though that government’s determination to bring the Uighur population to heel led it to create a website devoted to compromising iPhones, in the process disclosing a few zero-days and compromising anybody who viewed the site. Dave Aitel teases out some of the less obvious lessons. He criticizes Apple for not giving security-minded users the tools they need to protect themselves. But he resists my suggestion that the FBI, which first flagged the site for Google’s Project Zero, went to Google because Apple wasn’t responsive to the Bureau’s concerns. (Alternative explanation: If you embarrass the FBI in court, don’t be surprised if they embarrass you a few years later.)
The lesson of the fight over Chinese disinformation about Hong Kong on Twitter and Facebook and the awkwardness of Apple’s situation when faced with Chinese hacking is that the U.S.-China trade war is a lot more than a trade war. It’s a grinding, continental decoupling drift that the trade war is driving but which the Trump Administration probably couldn’t stop now if the president wanted to. We puzzle over exactly what the president does want. Then I shift to mocking CNN for Trump derangement and inaccuracy (yes, it’s an easy target, but give me a break, I’ve been away for a month): Claims that the president couldn’t “hereby order” U.S. companies to speed their decoupling from China are just wrong as a matter of law. In fact, the relevant law, still in effect with modest changes, used to be called the Trading with the Enemy Act. And it’s been used to “hereby order” the decoupling of the U.S. economy from countries like Nazi Germany, among others. Whether such an order in the case of China would be “lawful but stupid” is another question.
August saw more flareups over alleged Silicon Valley censorship of conservative speech. Facebook has hired former Sen. Kyl to investigate claims of anti-conservative bias in its content moderation, and the White House is reportedly drafting an executive order to tackle Silicon Valley bias. I ask whether either the FTC or FCC will take up their regulatory cudgels on this issue and suggest that Bill Barr’s Justice Department might have enough tools to enforce strictures against political bias in platform censorship.
We close with the most mocked piece of tech-world litigation in recent weeks – Crown Sterling’s lawsuit against BlackHat for not enforcing its code of conduct while the company was delivering a widely disparaged sponsored talk about its new crypto system. Dave Aitel, who runs a cybersecurity conference of his own, lays out the difficulties of writing and enforcing a conference code of conduct. I play Devil’s Advocate on behalf of Crown Sterling, and by the end, Dave finds himself surprised to feel just a bit of Sympathy for the Devil.
Mon, 29 July 2019
Our guests this week are Paul Scharre from the Center for a New American Security and Greg Allen from the Defense Department’s newly formed Joint Artificial Intelligence Center. Paul and Greg have a lot to say about AI policy, especially with an eye toward national security and strategic competition. Greg sheds some light on the Defense Department’s activity, and Paul helps us understand how the military and policymakers are grappling with this emerging technology. But at the end of the day, I want to know: Are we at risk of losing the AI race with China? Paul and Greg tell me not all hope’s lost—and how we can retain technological leadership.
In what initially seemed like a dog-bites-man story, Attorney General Barr revived the “warrant-proof” encryption debate. He brings some thoughtful arguments to the table, including references to proposals by GCHQ, Ray Ozzie and Matt Tait. Nick Weaver is skeptical toward GCHQ’s proposal. But what really flew under the radar this week was Facebook’s apparent plan to drastically undermine end-to-end encryption by introducing content moderation to its messaging services. I argue that Silicon Valley is so intent on censoring its users that it is willing to sacrifice confidentiality and security (at least for anyone to the right of George W. Bush). News Roundup newcomer Dave Aitel thinks I’m wrong, at least in my attribution of Facebook’s motivations.
Mieke Eoyang, another News Roundup newcomer, brings us up to date on all the happenings in election security. Bob Mueller’s testimony brought Russian election meddling to the fore. His mistake, I argue, was testifying first to the hopelessly ideological House Judiciary Committee. Speaking of Congress, Mieke notes that the Senate Intel Committee released a redacted report finding that every state was targeted by Russian hackers in the 2016 election—and argues that we’re still not prepared to handle their ongoing efforts.
Congress is attempting to create a federal election security mandate through several different election security bills, but they likely will continue to languish in the Senate, despite what Mieke sees as a bipartisan consensus. Not all hope is lost, though. Director of National Intelligence Dan Coats, now on his way out, has established a new office to oversee and coordinate election security intelligence. Nick adds an extra reason to double down on election security: How else will we be able to convince the loser that he is indeed the loser?
In other news, NSA is going back to the future by establishing a new Cybersecurity Directorate. Dave tries to shed some light on the NSA’s history of reorganizations and what this new effort means for the Agency. Dave and I think there’s hope that this move will help NSA better reach the private sector—and even give the Department of Homeland Security a run for its money.
I also offer Dave the opportunity to respond to critics who argued that his firm, Immunity Inc., was wrong to include a version of the BlueKeep exploit in its commercial pentesting software. The long and the short of it: If a vulnerability has been patched, then that patch gives an adversary everything they need to know to exploit that vulnerability. It only makes sense, then, to make sure your clients are able to protect themselves by testing exploits against that vulnerability.
Mieke brings us up to speed on the cybercrime blotter. Marcus Hutchins, one of Dave’s critics, pleaded guilty to distributing the Kronos malware but was sentenced to time served thanks in part to his work to stop the spread of the WannaCry ransomware. Mieke says that Hutchins’s case is a good example that not all black hat hackers are irredeemable. I note that it was good for him that he made his transition before he was arrested. Dave and Nick support the verdict while lamenting how badly hackers are treated by U.S. law.
We round out the News Roundup with quick hits: Facebook had a very bad week, not least because of the multibillion dollar fine imposed by the FTC; the Department of Justice is going to launch a sweeping antitrust investigation into Big Tech; there was a wild hacking conspiracy in Brazil involving cell phones and carwashes; Equifax reached a settlement with the FTC regarding its epic data breach. Speaking of which, we make a special offer to loyal listeners who can learn whether they are eligible to claim a $125 check (or free credit monitoring, if you really prefer). Just go here, and be sure to tell them the Cyberlaw Podcast sent you. Oh, and an anti-robocall bill finally made it through both houses of Congress.
Tue, 23 July 2019
Today, I interview Frank Blake, who as CEO brought Home Depot through a massive data breach. Frank is a former co-clerk of mine; a former deputy secretary of energy; and the current host of Crazy Good Turns, a podcast about people who have found remarkable, even crazy, ways to help others. In addition to his insights on what it takes to lead an organization, Frank offers his views on how technology can transform nonprofit charitable initiatives. Along the way, he displays his characteristic sense of humor, especially about himself.
In the News Roundup, I ask Matthew Heiman if Google could have had a worse week in Washington. First Peter Thiel raised the question of whether it’s treasonous for the company to work on AI with Chinese scientists, not the U.S. Defense Department, and then Richard Clarke, hardly a conservative, says he agrees with the criticism. Inevitably, President Trump weighed in with a Thiel-supporting tweet. Meanwhile, on the Hill, Google’s VP says the company has “terminated” Project Dragonfly, an effort to build a search engine that the Chinese government would approve. But that doesn’t prevent conservatives from lambasting the company for bias against conservatives and an unfair subsidy in the form of Section 230 of the Communications Decency Act. The only good news for Google is that, despite all the thunder, no lightning has yet struck. Or so we thought for about five minutes, at which time Gus Hurwitz noted that Google is likely to face multimillion-dollar fines in a Federal Trade Commission investigation of child Internet privacy violations, not to mention a rule-making designed to increase the probability of future fines.
Speaking of which, European lightning struck Amazon this week in the form of new competition law scrutiny. Gus offers skepticism about the EU’s theory, over my counter-skepticism.
Nick also predicts that Kazakhstan will lose its war with Silicon Valley browser makers over a man-in-the-middle certificate the Kazakh government is forcing on its citizens in order to monitor their Internet browsing.
And in short hits, Gus questions whether $650 million is a harsh settlement of Equifax’s data breach liability; Nick closes the books on NSA hoarder Hal Martin’s 9-year prison sentence; and Nick explains the latest doxing of an intelligence agency—this time a contractor for the Russian FSB.
Tue, 16 July 2019
What is the federal government doing to get compromised hardware and software out of its supply chain? That’s what we ask Harvey Rishikof, coauthor of “Deliver Uncompromised,” and Joyce Corell, who heads the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center. There’s no doubt the problem is being admired to a fare-thee-well, and some evidence it’s also being addressed. Listen and decide!
In the News Roundup, Nate Jones and I disagree about the Second Circuit ruling that President Trump can’t block his critics on Twitter. We don’t disagree about that ruling, but I’m a lot more skeptical than Nate that it will be applied to that other famous Washington tweeter, Rep. Alexandria Ocasio-Cortez.
Talk about hard supply chain issues. Congress banned Chinese surveillance cameras from the federal supply chain, but that turns out to be a lot different from, you know, actually getting rid of them.
For a change of pace, Gus and I rag on the U.S. Patent and Trademark Office (USPTO) for its petition that the Supreme Court overturn a Fourth Circuit ruling that adding “.com” to a generic term makes it trademarkable. You tell ‘em, USPTO! It’s not like adding “.com” to a word has the same creativity and distinctiveness as adding “i” in front of “phone” or “pod.”
Matthew tells us that the Trump administration isn’t sharing details on classified cyberattack rules with Congress, and after a modicum of mockery, we actually find ourselves agreeing with Congress’s demand to be briefed on the rules.
Finally, in quick hits, I flag the hypocrisy of those who claim to love the idea of privacy until it gets in the way of boycotting people they disagree with and the surprising ways that GDPR has enabled personal data breaches on an industrial scale.
Tue, 9 July 2019
This week I interview Glenn Reynolds, of Instapundit and the University of Tennessee at Knoxville law school, about his new book, “The Social Media Upheaval.” In a crisp 64 pages, Glenn analogizes social media to a primeval city, where new proximity produces periodic outbreaks of diseases that more isolated people never experienced; traces social media’s toxicity to the desperate pursuit of engagement; and proposes remedies both for individual users and for society whole. All that plus thoughtful advice on dietary supplements and deadlifts!
In the news roundup, Matthew Heiman dissects a recent Third Circuit ruling that Amazon can be held strictly liable for products it markets for third parties. Unlike Matthew, I am largely persuaded by the court’s ruling on products liability—but Matthew and I both have doubts about its use of Section 230 of the Communications Decency Act to protect Amazon from failure to warn liability.
Maury Shenk and Nick Weaver review the progress of the War on Facial Recognition. Opponents have rolled out the ultimate weapon in modern left ideology—ICE is using it! But facial recognition is still winning, mostly because its opponents are peddling undifferentiated fear of a technology that’s already being used for many very different purposes, from anonymously tracking shoppers moving through a store (where the store doesn’t need to know the shoppers’ identities) to boarding planes (where the airline damn well better know the passengers’ identities, and the tech only has a couple of hundred faces to match).
Matthew and Nick consider China’s seizing and installing spyware on travelers’ devices. Turns out, China’s practice isn’t all that different from most government efforts to extract data from phones, except that the Chinese leave the code on Android devices so that security researchers can reverse engineer China’s deepest fears. And what do they fear most? Japanese heavy metal, apparently. Almost makes you feel a bit of empathy for Beijing…
Maury also highlights Big Tech’s concerns about the UK’s particularly aggressive proposal for an online “duty of care.”
Nick and I follow the problem of fake cancer cures being advertised on Facebook and YouTube down the usual ratholes—who should be responsible in the first place, and why does Silicon Valley think that algorithms will ever be able to discipline such content?
This Week in the U.S.-China trade war: No one seems to know exactly what President Trump’s concessions at the G-20 meeting amount to, but more and more U.S. tech companies have decided that moving 30% of their tech sourcing out of China is a good idea no matter how the trade war ends. This war isn’t good for U.S. companies, but it’s really not good for China’s. Which, come to think of it, is what President Trump has said right from the start.
Finally, if you’re looking for tough government action against contractors with bad cybersecurity, Customs and Border Patrol is your agency. It has cut ties with Perceptics, the firm that was breached by Boris the Bullet-Dodger, and seems to be readying a debarment proceeding that will cut the firm off from future contracts. Matthew and I speculate that there may be something more behind this harsh remedy—perhaps a lack of prompt contractor candor about the breach. Whatever the context, this proceeding is likely to set a precedent that haunts other contractors long into future.
Mon, 1 July 2019
The theme this week is China’s growing confidence in using cyberweapons in new and sophisticated ways, as the U.S. struggles to find an answer to China’s growing ambition to dominate technology. Our interview guest, Chris Bing of Reuters, talks about his deep dive story on Chinese penetration of managed service providers like HP Enterprise—penetration that allowed them access to hundreds of other companies that rely on managed service providers for most of their IT. Most chilling for the customers are strong suggestions that the providers often didn’t provide notice of the intrusions to their customers—or that the providers’ contracts may have prevented their customers from launching quick and thorough investigations when their own security systems detected anomalous behavior originating with the providers. Chris also tells the story of an apparent Five Eyes intrusion into Yandex, the big Russian search engine.
Returning to China, in our News Roundup Nate Jones covers the latest in the U.S.-China trade war before diving into a Wall Street Journal article (by Kate O’Keeffe) that I call the Rosetta Stone for the last two years of cyber policymaking. Looking for the unifying theme in the lobbying fight over FIRRMA, the president’s executive orders on cyber and sanctions on companies like Sugon? Look no further than AMD, its aggressive accommodation of China’s ambitions in chip manufacture, and the Pentagon’s desperate effort to thwart the company’s plans. Nate and I also consider a possible new U.S. requirement that domestic 5G equipment be made outside China.
What is China planning to do with all that cyber power? Jordan Cannon lays out one little-followed story in which China seems to have taken an election-tilting page straight out of Vladimir Putin’s textbook. And Nate covers a newly patient Chinese hacking cadre willing to compromise a dozen telecomm companies for years just to collect metadata on as few as twenty telecomm customers.
Speaking of metadata, David Kris explains why Congress is more exercised over National Security Agency’s (NSA) access to American phone metadata than China’s. Congress took the view that NSA should not collect the metadata of innocent Americans, even if it only searched the data when it had a legal basis for doing so. Instead, Congress constructed a new Section 215 program that depended on each telecomm company to do searches of data that remained in their hands. Unsurprisingly, the companies have done that badly, sending the wrong data to NSA on more than one occasion. Naturally, Congress now blames NSA for “overcollecting.”
Are you a conservative comforting yourself with the idea that Silicon Valley censorship is just a creature of platform monopoly that can be cured by more competition? Better stop reading the newspaper, as of last week. Two more conservative-hostile moves by Silicon Valley show that competition isn’t likely to end virtue signaling in the Valley. After Google banned Project Veritas’s video exposé of YouTube for, uh, privacy—that’s it, privacy—violations, its distant No. 2 competitor Vimeo responded to the competitive opportunity by also banning the video for, uh, defamation or something. And when Twitter competitor Parler offered a home to conservatives, Apple reportedly threatened (at least briefly) not to distribute the app unless it kicked some unspecified bad actors off the service.
Meanwhile, two Silicon Valley platforms that really do need at least a few conservatives were singing that famous C&W song, “I hate you. I need you. I hate that I need you.” And just to show their contempt for people they’re afraid to shut down completely, Reddit “quarantined” their wildly popular subreddit r/the_donald over posts the moderators said they’d never seen or had reported to them. And Twitter announced that it planned to salve its SJW conscience while still profiting from Trump’s tweets by attaching disapproving labels to them. Nate tries to hose me down, but it’s too late.
Finally, in breaking news from 1993, David reports that the Trump Administration is considering an encryption crackdown but can’t choose between a toothless statement of principles and a feckless proposal of legislation that will not pass. I offer the suggestion that the statement of principles will be enough to undercut Silicon Valley’s campaign to stop encryption controls in countries like Australia, the UK and Germany. That’s where controls will eventually come from, David and I agree. I’m looking forward to all those folks who told us that GDPR was just the voice of civilization calling across the Atlantic saying the same about European encryption mandates.
Tue, 25 June 2019
Our interview guests are Dick Clarke and Rob Knake, who have just finished their second joint book on cybersecurity, The Fifth Domain. We talk about what they got right and wrong in their original book. There are surprising flashes of optimism from Clarke and Knake about the state of cybersecurity, and the book itself is an up-to-date survey of the policy environment. Best of all, they have the courage to propose actual policy solutions to problems that many others just admire. I disagree with about half of their proposals, so much light and some heat are shed in the interview, which I end by bringing back the McLaughlin Group tradition of rapid-fire questions and an opinionated “you’re wrong” whenever the moderator disagrees. C’mon, you know the arguments are really why you listen, so enjoy this one!
In the news roundup, Gus Hurwitz covers the Supreme Court’s ruling on when a forum is subject to First Amendment limits. Short version: There is no Justice who thinks Silicon Valley’s platforms are public fora subject to the First Amendment. Sen. Hawley (R.-Mo.) is mocked, which prompts me to invite him to defend himself on a future episode (not because the First Amendment applies to the podcast but because it would be fun).
Matthew Heiman spells out the thinking behind Facebook’s proposed cryptocurrency. He thinks it’s all about the data; I think it’s all about WeChat. Whatever the motive, every regulatory body in Europe and the U.S. has descended on the company to extract concessions—or perhaps to kill it outright, as our own Nick Weaver has proposed.
Maury Shenk reports on the U.S. government’s threat to limit Indian H-1B visas if India persists in its extreme data localization policies. I suggest that the fight may be as much about terrorism finance as protectionism.
This week behind the Silicon Curtain: Apple is considering moving 15-30% of its production capacity out of China. Matthew and I agree that it’s easier said than done, but that the move is inevitable.
Gus lays out the difficulties that YouTube has had meeting the child protection requirements of the Child Online Privacy Protection Rule and the Federal Trade Commission’s growing interest in changing YouTube’s approach to videos aimed at kids.
Is China’s social credit rating system a Potemkin village? Bloomberg seems to think so, but Maury has his doubts. So, if you thought you could stop fearing the system and start laughing at it, better think again.
Finally, this week in karma: The medical billing firm whose cybersecurity failings resulted in multiple medical data breaches has filed for bankruptcy, evidently the result of liabilities arising from the breach.
Mon, 10 June 2019
We kick off Episode 267 with Gus Hurwitz reading the runes to see whether a 50-year Chicago winter for antitrust plaintiffs is finally thawing in Silicon Valley. Gus thinks the predictions of global antitrust warming are overhyped. But he recognizes we’re seeing an awful lot of robins on the lawn: The rise of Margrethe Vestager in the EU, the enthusiasm of state AGs for suing Big Tech, and the piling on of Dem presidential candidates and the House of Representatives. Judge Koh’s Qualcomm decision is another straw in the wind, triggering criticism from Gus (“an undue extension of Aspen Skiing”) and me (“the FTC needs a national security minder in privacy and competition law”). Matthew Heiman tells me I’m on the wrong page in suggesting that Silicon Valley’s suppression of conservative speech is a detriment to consumer welfare that the antitrust laws should take it into account, even in a Borkian world.
I mock Austrian Greens for suing to censor speech calling it a “fascist party”—and not just in Austria but around the world. That’ll show ‘em, guys. Less funny is the European Court of Justice’s advocate general, who more or less buys the Greens’ argument. And thereby reminds us why we miss Tom Wolfe, who famously said, “The dark night of fascism is always descending in the United States and yet lands only in Europe.”
Nate Jones answers the question, “Were the Russians much better at social media than we thought?” All the adjustments to that story, he notes, have increased the sophistication we’ve seen in Russia’s social media attacks.
This Week in Host Self-Promotion: I take advantage of the topic to urge my solution to the utterly unsolved problem of hack-and-dox attacks by foreign governments on U.S. candidates they don’t like: Ban the distribution of data troves stolen from candidates and officials. Nate agrees that the First Amendment doctrine here is a lot friendlier to my proposal than most people think, but he cautions that the details get messy fast.
Matthew comments on Baltimore’s tragedy of errors in handling its ransomware attack. The New York Times’ effort to pin the blame on NSA, which always looked tendentious and agenda-driven, now has another problem: It’s almost certainly dead wrong. EternalBlue doesn’t seem to have been used in the ransomware attack. Baltimore’s best case now is that its cybersecurity sucked so bad that other, completely unrelated hackers were using EternalBlue to wander the city’s system.
Speaking of cybersecurity, Matthew reminds us of two increasingly common and dangerous hacker tactics: (1) putting the “P” in APT by hanging around the system so long that you’ve downloaded all the manuals, taken all the online training, and know exactly when and how to scam the system; and (2) finding someone with lousy network security who’s connected to a harder target and breaking in through the third party.
Finally, Gary Goldsholle helps us make sense of the litigation between the SEC and Kik, which launched a cryptotoken that it insisted wasn’t a security offering and then crowdfunded its lawsuit against the SEC. So, good news for lawyers if nothing else, and perhaps for future Initial Popcorn Offerings.
Mon, 3 June 2019
If you’ve lost the Germans on privacy, you’ve lost Europe, and maybe the world. That’s the lesson that emerges from my conversation with David Kris and Paul Rosenzweig about the latest declaration that the German interior minister wants to force messaging apps to decrypt chats. This comes at the same time that industry and civil society groups are claiming that GCHQ’s “ghost proposal” for breaking end-to-end encryption should be rejected. The paper, signed by all the social media giants, says that GCHQ’s proposal will erode the trust that users place in Silicon Valley. I argue that that argument is well past its sell-by date.
Speaking of trust, Paul outlines the latest tit-for-tat in the growing Silicon Curtain between the US and China, as that country announces plans to publish an “unreliable entities” list. I note that the same spirit seems to be animating the announcement that China and Russia are transitioning their militaries from Microsoft Windows to other operating systems. Talk about a bonanza for the NSA: Just the coding errors will sustain its hackers for a generation – even in the unlikely event that the Chinese and Russians resist the temptation to seed the system with backdoors aimed at their erstwhile coding partners.
Maury Shenk highlights the latest German effort to regulate “broadcasting” of content on the Internet, which the German authority says will mandate transparency and diversity. I think it’s transparently about locking in the German establishment, a view hardly contradicted by the ham-handed way CDU leader Annegret Kramp-Karrenbauer responded to the CDU’s drubbing in the EU elections. The losses were widely attributed to YouTube influencers who urged young voters to reject the main parties. The solution, AKK suggested, was more regulation of YouTube influencers. Ja, natürlich.
Alicia Loh parses a D.C. Circuit ruling that all the White House has to do to comply with laws on keeping records of official communications is send out a memo. That obligation was satisfied, the court ruled, by a memo telling White House staff who use “vanishing” messaging apps to take screenshots of any official communications and preserve the messages. Alicia is practically the only member of our panel who even knows how to take a screenshot on a phone, which suggests that White House staff compliance might be, well, underwhelming.
Maury gives us a quick update on US states imitating GDPR. Short version: Watch California and then New York.
And in a lightning round, I am struck by the sight of an FTC commissioner begging the Ninth Circuit not to uphold the FTC’s position in the Qualcomm case on appeal. Maury and I note the growing demand for mass contract labor spurred by the need to train AI. And Paul and I speculate on the probability of antitrust cases against Google and Amazon. It’s been a long cold Chicago winter for antitrust plaintiffs, we conclude, but a change in the climate may be coming.
Tue, 28 May 2019
Paul Rosenzweig leads off with an enduring and fecund feature in Washington these days: China Tech Fear. We cover the Trump administration’s plan to blacklist up to five Chinese surveillance companies, including Hikvision, for contributing to human rights violations against Uighurs in the Xinjiang province in China, the Department of Homeland Security’s rather bland warning that commercial Chinese drones pose a data risk for U.S. users, and the difficulty U.S. chipmakers are facing in getting “deemed export” licenses for Chinese nationals.
We delve deeper into a remarkably shallow and agenda-driven New York Times article by Nicole Perlroth and Scott Shane blaming the National Security Agency for Baltimore’s ransomware problem without ever asking why the city failed for two years to patch its systems. David Kris uses the story to talk about the vulnerabilities equities process and its flaws.
There may be a lot—or nothing—to the Navy email “spyware” story, but David points out just how many modern cyber issues it touches. With the added fillip of a “Go Air Force, Beat Navy” theme not usually sounded in cybersecurity stories.
Paul expands on what I have called “Cheap Fakes” (as opposed to “Deep Fakes”): the Pelosi video manipulated to make her sound impaired. And he manages to find something approaching good news in the advance of faked video—it may mean the end of (video) blackmail.
But not the end of “revenge porn” and revenge porn laws. I ask Gus Hurwitz whether those laws are actually protected by the Constitution, and the answer turns out to be highly qualified. But, surprisingly, media lawyers aren’t objecting that revenge porn laws that criminalize the dissemination of true facts are on a slippery slope to criminalizing news media. That is the argument they’re making about the expanded charges of espionage against WikiLeaks founder Julian Assange. David offers his view of the pros and cons of the indictment.
And Gus closes us out with some almost unalloyed good news. Despite my suspicion of any bipartisan bill in the current climate, he insists that the Senate-passed anti-robocalling bill is a straight victory for the Forces of Good. But, he warns, the House could still screw things up by adding a private right of action along the lines of the Telephone Consumer Protection Act, which has provided the plaintiffs bar with an endless supply of cases without actually benefiting consumers.
Tue, 21 May 2019
We begin this episode with a quick tour of the Apple antitrust decision that pitted two Trump appointees against each other in a 5-4 decision. Matthew Heiman and I consider the differences in judging styles that produced the split and the role that 25 years of “platform billionaires” may have played in the decision.
Eric Emerson joins us for the first time to talk about the legal fallout from the latest tariff increases on Chinese products. Short version: Companies have some short-term tactics to explore (country of origin, drawback, valuation), but large importers and resellers have to grapple with larger and costlier strategies of supply chain diversification and localization.
Meanwhile, China has not been taking the trade war lying down. In addition to its own tariff increases, it seems to be enforcing its demanding cybersecurity law more aggressively against foreign firms. I ask whether we are also seeing retaliation in Chinese courts as well.
Maury Shenk explains the UK Supreme Court ruling that expands the court’s authority over the UK’s intelligence agencies despite clear Parliamentary language to the contrary. Bottom line: Bad news for UK intelligence. Hidden good news for the U.S.: Turns out that there is something worse than activist judges interpreting a written constitution—activist judges who can more or less make up the constitution they want.
It was a cybersecurity disaster week for some of the biggest names in tech. Nick helps me understand which bugs were worst, Cisco’s, Intel’s or Microsoft’s. Then we review the equally bad week that the NSO Group and its WhatsApp exploit had.
Cleaning up in a lightning round, we cover the order requiring the Chinese owner of Grindr to sell by mid-2020. We also cover Canada’s approach to social media, which spurs me to praise France’s Macron (!) for his moderation. The EU has a plan for sanctions on cyberattackers; Matthew and I doubt it will get much use. I think too much fuss is being made over leak investigators using Web bugs to see if defense counsel at Guantanamo have been leaking; Nick disagrees, at least a bit. And I close with yet another item in the long-running feature, “This Week in Internet Sex Toy Law.” Suffice it to say that the latest case can’t be understood without consulting both Orin Kerr and Jerry Seinfeld.
Tue, 21 May 2019
With apologies for the late post, Episode 263 of The Cyberlaw Podcast tells the sad tale of another U.S. government leaker who unwisely trusted The Intercept not to compromise its source. As Nick Weaver points out, The Intercept also took forever to actually report on some of the material it received.
The first overt cyberattack on the U.S. electric grid was a bust, I note, but that’s not much comfort.
How many years of being told “I’m washing my hair that night” should tell you you’re not getting anywhere? The FCC probably thought China Mobile should have gotten the hint after eight years of no action on its application to provide US service, but just in case the message didn’t get through, it finally pulled the plug last week.
Delegating to Big Social the policing of terrorist content has a surprising downside, as Nate points out. Sometimes the government or civil society need that data to make a court case.
We touch briefly on Facebook’s FTC woes and whether Sen. Hawley (R.-Mo.) should be using the privacy stick to beat a company he’s mad at for other reasons. I reprise my longstanding view that privacy law is almost entirely about beating companies that you’re mad at for other reasons.
Mon, 6 May 2019
Has the Chinese government hired American lawyers to vet their cyberespionage tactics—or just someone who cares about opsec? Probably the latter, and if you’re wondering why China would suddenly care about opsec, look no further than Supermicro’s announcement that it will be leaving China after a Bloomberg story claiming that the company’s supply chain was compromised by Chinese actors. Nick Weaver, Joel Brenner and I doubt the Bloomberg story, but it has cost Supermicro a lot of sales—and even if it isn’t true this time, the scale and insouciance of past Chinese cyberespionage make it inherently believable. Hence the company’s shift to other sources (and, maybe, a new caution on the part of Chinese government hackers).
GDPR and the California Consumer Privacy Act (CCPA) may be the Dumb and Dumber of privacy law, but neither is going away. And for the next six months, California’s legislature will be struggling against a deadline to make sense of the CCPA. Meegan Brooks gives us an overview.
But we in Washington can’t get too smug about California’s deadline-driven dysfunction. Congress also faces a year-end deadline to renew the Section 215 program, and even the executive branch hasn’t decided what it wants. Joel takes us through the program’s history, its snake-bitten implementation, and the possible outcomes in Congress.
This week in Silicon Valley content control: Facebook dropped the link-ban hammer on Louis Farrakhan, Alex Jones and Milo Yiannopoulos for being “dangerous.” But did it really? Once again, I volunteer to put my Facebook access at risk by testing Facebook’s censorship engine—posting a different Infowars story there every day. Not because I love the conspiracy-mongering Alex Jones but because banning links is a bad idea. (Among other things, you can’t really pile links up and burn them in cinematic pyres at rallies.) But both Facebook and Jones may have a codependent interest in overstating the ban, because as of Day 4 of my experiment, my Facebook account is still alive and well, as are the Infowars links.
The FBI has accused U.S. scientists of sending intellectual property to China, running shadow labs and (this part really appalls Nick) corrupting the peer review process at NIH. Science magazine suggests that the flap is born of racial bias.
We close the episode with the latest and most shocking facial recognition scandal. It turns out face recognition researchers are chasing down unwilling subjects and restraining them to get the subjects’ pictures—all in service to untried and udderly unreliable technology. All we need to turn this into a major scandal is a public policy entrepreneur willing to work the intersection between the EFF and PETA.
Mon, 29 April 2019
On Episode 261, blockchain takes over the podcast again. We dive right into the recent activity from the SEC, namely, the Framework for “Investment Contract” Analysis of Digital Assets and the No-Action Letter issued to TurnKey Jet, Inc. (TurnKey) for a digital token. Gary Goldsholle noted this guidance has been eagerly anticipated since July 2017 when the SEC first applied the Howey Test to a digital token with the DAO report. The current framework focuses primarily on the reasonable expectation of profits and efforts of others prongs of the Howey Test. While the framework lays out a number of factors to consider when determining whether a token is a security, the practicality of those factors is still up for debate.
Will Turner explained that the TurnKey No-Action Letter was most useful for parties interested in structuring a private, permissioned, centralized blockchain, but believes the guidance in the Framework would allow for alternative structures. The key from the SEC’s perspective is that there is no expectation of profits for token holders, since the token is a stablecoin pegged to the value of USD and there is no use of the token outside of TurnKey’s network. Jeff Bandman noted the irony that the first No-Action Letter related to blockchain and cryptocurrency involves private jets, particularly since “Mr. and Ms. 401(k)”—the retail investors SEC Chairman Jay Clayton is focused on protecting—are not likely to become private jet users anytime soon.
Jeff emphasized the importance of network functionality and observed that the network for private jet use was already established. Alan Cohn highlighted this tension between the need for centralization to achieve functionality, and need for decentralization as a means to avoid meeting the “derived from the efforts of others” prong of the Howey Test.
Gary then turned to Blockstack’s Regulation A filing, the most comprehensive effort to register a token under Reg. A that we have seen to date. Blockstack is seeking to be a Tier 2 issuer, meaning they can raise up to $50 million in 12 months, which comes with heightened disclosure obligations and requires audited financials. While they seek to raise capital as a security today, their ultimate goal – and a central risk factor in their offering circular – is to achieve the requisite level of decentralization such that they no longer would meet the definition of a security.
Meanwhile, in Congress, the recently reintroduced Token Taxonomy Act of 2019 would exempt a newly defined category of digital tokens from the definition of a security, as well as provide some clarity on tax issues for cryptocurrency users and exchanges. Jeff observed that these amendments might contribute further to a gap in federal regulation over spot trading markets. While the CFTC has enforcement authority, they do not have the authority to directly supervise the bitcoin trading market.
Turning to the interview, Jeff describes how he co-founded Global Digital Finance (GDF), along with other co-founders in Europe, Asia and the United States, in order to address the lack of international standards surrounding the blockchain industry—or even a general consensus of terminology. Jeff describes how GDF has a number of working groups focused on developing high-level principles and standards on a range of topics, including stablecoins, custody, tax and security tokens. GDF is trying to fill in some of the gaps that appear when jurisdictions regulate cryptocurrencies and crypto-assets differently. As an example of its work, GDF’s KYC/AML/CTF group recently commented on FATF’s standards, issuing two comments in October 2018 and April 2019.
For our listeners in the D.C. area, Steptoe is hosting a half-day complimentary regulatory symposium this Thursday, May 2, in our D.C. office. Our plenary speakers include current and former commissioners and high-level officials with agencies such as the Federal Energy Regulatory Commission, the Surface Transportation Board, and the Environmental Protection Agency. We will also have breakout panels focused on four separate topics: Deference, Globalization, Regulatory/Legislative Approach and Preemption. To register, click here.
Mon, 22 April 2019
In this episode, Nick Weaver and I discuss new Internet regulations proposed in the UK. He’s mostly okay with its anti-nudge code for kids, but not with requiring proof of age to access adult material. I don’t see the problem; after all, who wouldn’t want to store their passport information with Pornhub?
Sri Lanka’s government has suspended social media access in the wake of the Easter attack. As Matthew Heiman notes, the reaction in the West is more or less a shrug—far different from the universal contempt and rejection displayed toward governments who did much the same during the 2011 Arab Spring rebellions. What made the difference? I argue that it’s Putin’s remarkably successful 2016 social media counterattack on Hilary Clinton as payback for her social media campaign against him in 2011.
Paul Rosenzweig, back from hiatus and feisty as ever, mocks the EU Commission for its on-again, off-again criticism of Kaspersky’s security. Short version: The Commission wants badly to play in cybersecurity because it’s the Hot New Thing, but it has no institutional competence there, in either sense of the word. Speaking of Kaspersky, someone is doing a bad job of trying to compromise its critics with ham-handed private investigator-imposters.
Naked Kitten? Nick and I have a good laugh at the doxxing of Iranian government hackers.
Man bites dog: The Trump Administration is taking interagency processes seriously, and doing a better job than Obama’s team—at least when it comes to use of Cyber Command. Matthew dives into the repeal of PPD-20.
Paul brings us up to date on the Mar-a-Lago Thumb Drive Affair. Maybe it wasn’t malware after all.
Remember that face recognition software that the NGOs said was so crappy it had to be banned? Now, the New York Times reports that it’s so good it has to be banned. Not so fast, says Microsoft: Our face recognition software is still so crappy that it can’t be sold to law enforcement, and it ought to be export controlled so that China can sell—and keep improving—its face recognition tools.
Bet you thought we forgot the Mueller Report. Nope! In fact, I offer the one conclusion about the report that everyone across the political spectrum can agree on. Anti-climactically, Paul and I point out that the report throws sidelights on the "Going Dark" debate and Bitcoin anonymity. Nick points out that we already knew everything the Mueller Report tells us on those topics.
Finally, Nick and I wrangle over the lessons to be drawn from Facebook’s privacy travails.
Mon, 15 April 2019
Our News Roundup is hip deep in China stories. The inconclusive EU-China summit gives Matthew Heiman and me a chance to explain why France understands—and hates—China’s geopolitical trade strategy more than most.
Maury Shenk notes that the Pentagon’s reported plan to put a bunch of Chinese suppliers on a blacklist is a bit of a tribute to China’s own list of sectors not open to Western companies. In other China news, Matthew discloses that there’s reason to believe that China has finally begun to use all the U.S. personnel data it stole from OPM. I’m so worried it may yet turn my hair pink, at least for SF-86 purposes.
And in a sign that it really is better to be lucky than to be good, Matthew and I muse on how the Trump Administration’s China policy is coinciding with broader economic trends to force U.S. companies to reconsider their reliance on Chinese manufacturing.
It’s not all China, though. To kick things off, Nick Weaver and I schadenfreude our way through an otherwise serious take on the Julian Assange story and its strikingly narrow Computer Fraud and Abuse Act charge—and why extradition is likely to be a pain.
We also delve into the Google Sensorvault story. Nick and I agree that law enforcement access to location data, especially under the conditions set by Google, isn’t much of a privacy scandal, at least compared to private access to the same data. But that doesn’t mean it won’t raise endless legal problems for all concerned, partly because asking for a warrant out of the box isn’t quite the right legal or privacy framework.
Pete Jeydel notes two examples of CFIUS’s new toughness: It’s forcing a Russia-linked firm to sell stake in a cybersecurity company, and it has handed out a $1 million fine to a company that blew off its obligations under a mitigation agreement.
Maury covers the German data protection commissioner’s refusal to let German police store data in the Amazon cloud. The commissioner blames the CLOUD Act and the risk that US authorities may get cross-border access to the data. I flag the commissioner for hypocrisy and ignoring international law. Turns out that the Justice Department has a good new whitepaper out on the CLOUD Act, and it points out that remote access to offshore data has been an implicit part of the Budapest Convention since the ‘90s.
Returning once more to China, Maury and I touch on the Chinese government’s use of AI to find Uighurs in crowds of Han Chinese. In my view, the only thing surprising about this story is that the New York Times thinks we should be surprised by it.
Mon, 8 April 2019
Our News Roundup leads with the long, slow death of Section 230 immunity. Nick Weaver explains why he thinks social media’s pursuit of engagement has led to a poisonous online environment, and Matthew Heiman replays the astonishing international consensus that Silicon Valley deserves the blame—and the regulation—for all that ails the Internet. The UK is considering holding social media execs liable for “harmful” content on their platforms. Australia has already passed a law to punish social media companies for failure to remove “abhorrent violent material.” And Singapore is not far behind. Even Mark Zuckerberg is reading the writing on the wall and asking for regulation. I note that lost in the hate directed at social media is any notion that other countries shouldn’t be able to tell Americans what they can and can’t read. I also wonder whether the consensus that platforms should be editors will add to conservative doubts about maintaining Section 230 at all—and in the process endanger the U.S.-Mexico-Canada Agreement that would enshrine Section 230 in U.S. treaty obligations.
Nate Jones and I summarize the latest Reuters piece on American hackers working for the UAE. The short version? This is more a victory lap combined with journalists’ special pleading than a major new story.
Nate also briefs us on the latest tale of woe from Silicon Valley, where taking Chinese money and tech means you’re likely to get burned—in a government-ordered fire sale.
Nate gives Kaspersky’s lawyers high grades for imagination and effort but not for credibility in their claim that we can trust the company’s software because Russian law doesn’t authorize Putin to intercept its data feeds.
And, with a hat tip to Gus Coldebella for the story, Matthew and I dig into the Washington attorney general’s $12 million settlement with Motel 6 for its cooperation with ICE. We think Motel 6 could have defended on federal preemption grounds and maybe gotten help from the Justice Department. But if the problem was bad publicity, that defense would have just made things worse.
Our interview is with Adam Segal, the Council on Foreign Relations’ expert on all things digital and China. Adam prognosticates on the likely fate of US-China trade talks, data localization in China, and on the future of China’s commercial cyberespionage plans.
Mon, 1 April 2019
In today’s News Roundup, Klon Kitchen adds to the North Korean Embassy invasion by an unknown group. Turns out some of the participants fled to the U.S. and lawyered up, but the real tipoff about attribution is that they’ve given some of the data they stole to the FBI. That rules out CIA involvement right there.
Nick Weaver talks about Hal Martin pleading guilty to unlawfully retaining massive amounts of classified NSA hacking data. It’s looking more and more as though Martin was just a packrat, making his sentence of nine years in prison about right. But as Nick points out, that leaves unexplained how the Russians got hold of so much NSA data themselves.
Nick explains the deeply troubling compromise of update certs at ASUS and the company’s equally troubling response. I ask why the only agency with clear authority over an incident with important national security implications is the FTC.
Nick and I comment on the Federal Trade Commission’s pending investigation of the privacy practices of seven Internet service providers.
Speaking of sensitive data practices, Klon talks about the Committee on Foreign Investment in the United States’ belated recognition that maybe the Chinese government shouldn’t have access to the most intimate desires of a portion of the U.S. LGBTQ community. I try to explain the difference between Tik Tok and Yik Yak and mostly fail.
Meanwhile, in splinternet news, the EU Parliament has approved the controversial Copyright Directive. A bunch of MEPs, soon to be running for reelection, claim they meant to vote against it, really, but somehow ended up voting for it.
The Department of Housing and Urban Development is suing Facebook for violating the Fair Housing Act. I ask listeners for help in finding guests who can talk about whether it’s a good idea to bar ad targeting that lets companies look for more customers like the ones they already have, even if their customers already skew toward particular genders and ethnicities.
Finally, Nick and I break down Gavin de Becker’s claim that the real killer in the Bezos sexting flap was Saudi Arabia. Plenty of smoke there, but the lack of a reference to any forensic evidence raises doubts about de Becker’s version of events.
Tue, 19 March 2019
In our interview, Elsa Kania and Sam Bendett explain what China and Russia have learned from the American way of warfighting—and from Russia’s success in Syria. The short answer: everything. But instead of leaving us smug, I argue it ought to leave us worried about surprise. Elsa and Sam both try to predict where the surprises might come from. Yogi Berra makes an appearance.
And in other litigation, a Trump-appointed judge dismisses a lawsuit against Silicon Valley’s censorship of the right. Nate Jones and I agree that, while the decision is broadly consistent with law, it may spell trouble for Silicon Valley in the long run. That’s because it depends on an idiosyncratic U.S. Court of Appeals for the D.C. Circuit interpretation of the District’s public accommodation law. I speculate that Alabama or Texas or Mississippi could easily draft a law prohibiting discrimination on the basis of viewpoint in public accommodations like the Internet.
Nick Weaver and I note the UN report that North Korea has stolen $571 million, much of it in cryptocurrency. I ask whether the US Treasury could seize those ill-gotten bits. Maybe, says Nick, but it would really bollix up the world of cryptocurrency (not that he minds).
I explain why DHS will be rolling out facial scanning technology to a boatload of US airports—and why there’s no hidden privacy scandal in the initiative.
It kind of makes you wonder about their banks and their chocolate: Nick gloats as Switzerland’s proposed Internet voting system follows his predicted path from questionable to deep, smoking crater.
Elsa Kania and I touch on the Navy Secretary’s willingness to accept scathing criticism of the Navy’s cybersecurity. And Nick and I close with an effort to draw lessons from the disastrous software and human factor interactions at the heart of the Boeing 737 MAX crashes.
Tue, 12 March 2019
Maury interviews James Griffiths, a journalist based in Hong Kong and the author of the new book, “The Great Firewall of China: How to Build and Control an Alternative Version of the Internet.”
In the news, David and Brian discuss last week’s revelation that the NSA is considering whether it will continue to seek renewal of the of the Section 215 “call detail record” program authority when it expires in December. We plug last week’s Lawfare Podcast in which the national security advisor to House Minority Leader McCarthy made news when he reported that the NSA hasn’t been using this program for several months. David waxes poetic on the little-known and little-used “lone wolf” authority, which is also up for renewal this year.
We explore the long lineup of politicians and government officials who are lining up with new proposals to “get tough” on large technology companies. Leading the charge is Sen. Warren, who promises to roll out a plan to break up “platform utilities”—basically, large Internet companies that run their own marketplaces—if she is elected president. Not to be outdone, the current chair of the Federal Trade Commission has urged that Congress provide new authorities for the FTC to impose civil enforcement penalties on tech (and presumably other) companies that violate their data privacy commitments. And last—but never least—the French finance minister announced that he will propose a 3 percent tax on the revenue of the 30 largest Internet businesses in France, most of which are U.S. companies.
In the “motherhood and apple pie” category, Maury explains French President Macron’s call for the creation of a “European Agency for the Protection of Democracies” to protect elections against cyberattacks. And Brian covers a recently re-introduced bill, the Cyber Deterrence and Response Act, which would impose sanctions on “all entities and persons responsible or complicit in malicious cyber activities aimed against the United States.”
If you are in London this week, you can see James Griffiths during his book tour. On March 13, he will be at the Frontline Club, and on March 14, he will be at Chatham House. You can also see him later this month at the Hong Kong Foreign Correspondents Club.
Mon, 4 March 2019
Our interview is with two men who overcame careers as lawyers and journalists to become serial entrepreneurs now trying to solve the “fake news” problem. Gordon Crovitz and Steve Brill co-founded NewsGuard to rate news sites on nine journalistic criteria—using, of all things, real people instead of algorithms. By the end of the interview, I’ve confessed myself a reluctant convert to the effort. This is despite NewsGuard’s treatment of Instapundit, which Gordon Crovitz and I both read regularly but which has not received a green check.
In the news, Klon Kitchen talks about the latest on cyberconflict with Russia: CyberCom’s takedown of the Russian troll farm during 2018 midterms. The Russians are certainly feeling abused. They are using U.S. attacks to justify pursuing “autonomous Internet,” and they’ve sentenced two Kaspersky Lab experts to long jail terms for treason.
Gus Hurwitz, Klon, and Nick Weaver muse on the latest evidence that information intermediaries still haven’t settled on a business model. Amazon marketplace sellers will now have the ability to remove what they deem counterfeit listings. Amazon has let the FTC discipline fake paid Amazon reviews. And The Verge has a disturbing article on the human costs of using human beings to enforce Facebook’s content rules. (The failure of Silicon Valley to get a handle on this problem is, of course, the key to NewsGuard’s business model.)
Wed, 27 February 2019
We interview Dmitri Alperovitch of CrowdStrike on the company’s 2019 Global Threat Report, which features a ranking of Western cyber adversaries based on how long it takes each of them to turn a modest foothold into code execution on a compromised network. The Russians put up truly frightening numbers—from foothold to execution in less than twenty minutes—but the real surprise is the North Koreans, who clock in at 2:20. The Chinese take the bronze at just over 4 hours. Dmitri also gives props to a newcomer—South Korea—whose skills are substantial.
In the News Roundup, I cheer the police for using “reverse location search warrants” to compel Google to hand over data on anyone near a crime scene. Nick Weaver agrees and puts the blame on Google and others who collect the data rather than the police who use it to solve crimes.
A committee of the U.K. House of Commons has issued a blistering final report on disinformation and fake news. I offer this TL;DR: that all right-thinking Brits must condemn Facebook because Leave won, just as all right-thinking Americans must condemn Facebook because Trump won. Maury Shenk takes a more nuanced view.
Nick and Dmitri explain just how scary the growth of DNSpionage has become. The only thing as scary seems to be the continuing effort to put voting systems on the Internet. Nick reacts to this in the typical way of his people.
The mysterious Facebook Title III case won’t be unsealed, so we really don’t know what the Justice Department was trying to get from Facebook.
The New York Times claims that India is proposing Internet censorship along China’s model. I think that’s just the New York Times’s bias showing and that India is mainly imitating Europe. Maury rides to the New York Times’s rescue.
In breaking news, The Cyberlaw Podcast has developed AI podcasting so good we don’t dare tell you about it.
This Week in Chutzpah: Alleged hacker Lauri Love has lost his bid to recover the data he stole. I want to know why we didn’t give it back to him with a couple of keyloggers installed. The temptation to decrypt—and give prosecutors new evidence—would be irresistible.
In closing, Nick and I dwell on YouTube’s pedophile comment problem and whether recommendation engines are more to blame than human nature.
Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.
Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.
Tue, 19 February 2019
The backlash against Big Tech dominates this episode, with new regulatory initiatives in the U.S., EU, Israel, Russia and China. The misbegotten link tax and upload filter provisions of the EU copyright directive have survived the convoluted EU legislative gantlet. My prediction: The link tax will fail because Google wants it to fail, but the upload filter will succeed because Google wants YouTube’s competitors to fail.
Rumors are flying that the Federal Trade Commission and Facebook will agree on a $1+ billion fine on the company for failure to adhere to its consent decree. My guess? This is not so much about law as it is about the climate of hostility around the company since it took the blame for Trump’s election.
And, in yet another attack on Big Tech, the EU is targeting Google and Amazon for unfair practices as sales platforms.
Artificial intelligence is so overworked a tech theme that it has even attracted the attention of the White House and the Defense Department. We ask a new contributor, Jessica “Zhanna” Malekos Smith, to walk us through the president’s executive order on artificial intelligence. I complain that it’s a cookie-cutter order that could as easily be applied to alien abductions. The Pentagon’s AI strategy, in contrast, is somewhat more substantive.
If you can’t beat ‘em, ban ‘em. Instead of regulating Big Tech, Russia is looking to take its own internet offline in an emergency. The real question is whether Russia is planning to cause the emergency it’s protecting itself against. If so, we are profoundly unready.
China’s Ministry of Public Security is now authorized to conduct no-notice penetration testing of internet businesses operating in China. I must say, it was nice of them to offer the service in beta to the Office of Personnel Management, Anthem and Equifax. Speaking of which, could this spell more trouble for Western firms doing business in China?
Brian touches on the Treasury Department’s new sanctions against Iranian organizations for supporting intelligence and cyber operations targeting U.S. persons. It turns out that the hackers had help—and that there is no ideology so loathsome it can’t win converts among Americans.
This Week in Old Guys You Shouldn’t Mess With: Nate reveals how 94-year-old William H. Webster helped take down a Jamaican scam artist.
Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.
Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.
Tue, 12 February 2019
If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself. That’s the message Nick Weaver and David Kris extract from two stories we cover in this week’s episode of The Cyberlaw Podcast—the Justice Department’s indictment of a couple of kids whose hacker chops are modest but whose social engineering skills are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there’s always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.
Okay, it ain’t “When Harry Met Sally,” but for a degraded age, “When Bezos Exposed Pecker” will have to do. David keeps us focused on the legal questions: Was the “Enquirer” letter really extortion? Would publication of the pics be actionable? And is there any way the “Enquirer” could get those text messages without someone committing a crime? And, of course, whether the best way to woo your new girlfriend is to send her brother to jail.
Social media—privacy law threat or competition law menace? That’s the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.
Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the People’s Liberation Army (PLA) to the curb and brought in the professionals from China’s Ministry of State Security (MSS). So now Chinese tradecraft is a little better, and the Justice Department is indicting MSS officials instead of PLA soldiers. David sums up.
NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.
Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing university lawyers.
Okay, one more: I celebrate HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:
“I got a fever, and the only cure is more Weaver. Love the show. I’m a lawyer but not in tech or security law, but it’s still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show.”
I am moved to channel Peggy Lee. And if more good reviews don’t pour in, I may make that performance a weekly feature. David Kris, I’m sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee’s oeuvre like that.
Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here: https://www.thirdway.org/letter/2019-cyber-symposium-call-for-papers
Tue, 5 February 2019
In this episode, I interview Chris Bing and Joel Schectman about their remarkable stories covering the actions of what amount to U.S. cyber-mercenary hackers. We spare a moment of sympathy for one of those hackers, Lori Stroud, who managed to go from hiring Edward Snowden to hacking for the UAE in the space of a few years.
In the news, I ask my partner Phil Khinda whether the $29 million Yahoo breach settlement is a new front in breach derivative litigation or a black swan. He says it’s more of a red herring—and explains why.
This week in black ops: I ask Nate Jones to comment on the tradecraft used in an apparent effort to smear Citizen Lab for its reports on NSO. My take: This feels a lot like what BlackCube did for Harvey Weinstein, except that this was the budget version.
The Russians are so far from being shamed for their hacking that now they’re faking it. Dr. Megan Reiss notes Special Counsel Mueller’s recent claim that Russians are leaking discovery materials and pretending they came from a hack of the counsel’s office. We are reminded of the Russians’ recent unveiling of a remarkably adroit robot that turned out to be a man in a robot suit.
And in possibly related news, Apple went out of its way to publicly embarrass Facebook and Google over their use of corporate certificates to sideload apps that recorded the browsing habits of paid volunteers.
This week in dogs biting men: Ukraine says Russia is trying to disrupt its upcoming election, and the Pentagon is reportedly failing to stay ahead of cyber threats. Megan covers the first and Nate the second.
I offer one and a half cheers for Japan’s pioneering and mildly intrusive survey of bot-vulnerable IoT devices.
Finally, EPIC et al. are calling on FTC to impose a $2 billion fine, structural changes and more on Facebook, claiming that “the algorithmic bias of the [Facebook] news feed reflects a predominantly Anglo, male world view.” If you still need evidence that privacy law is the legal equivalent of a Twitter mob—an always-ready tool for punishing unpopular views—EPIC’s filing should be all you need.
As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
Tue, 29 January 2019
If the surgeon about to operate on you has been disciplined for neglecting patients, wouldn’t you like to know? Well, the mandarins of the European Union privacy lobby beg to differ. Google has been told by a Dutch court not to index that story, and there seems to have been a six-month lag in disclosing even the court ruling. That’s part of this week’s News Roundup. Gus Hurwitz and I are appalled. I tout my long-standing view that in the end, privacy law just protects the privileged. Gus agrees.
In other news, the Illinois Supreme Court has demonstrated how bad Illinois’ biometric privacy law is—by the simple expedient of applying it the way it’s written.
Dr. Megan Reiss and I air our ambivalence about the latest site hosting collections of doxed messages. We lack enthusiasm for indiscriminate doxing of the kind highlighted on Distributed Denial of Secrets, but if it’s got to happen, it couldn’t happen to a nicer Russian dictator.
Nick and I debate YouTube’s latest algorithmic tweak to avoid recommending “borderline” material. He notes that the algorithm used to push people to extremes. I note that this is a suspiciously good way for YouTube Social Justice Warriors to suppress videos they don’t like but can’t actually show to be violating YouTube’s terms of service.
Speaking of which, maybe the real singularity is when Silicon Valley joins forces with Beijing to produce new technology that will suppress the peasants once and for all. If so, the singularity is nigh, as a Chinese app allows you to identify people around you who deserve to be shamed.
Wed, 23 January 2019
So says the remarkable Jeff Jonas, CEO of Senzing. And he’s got a claim to be doing just that. A data scientist before data science was cool, Jeff has used his technical skills and an intuitive grasp of complex data problems to stop card counters in Las Vegas and terrorists targeting the U.S., and then to launch an initiative making voter registration more accurate and widespread. Most recently, in the course of an effort to improve maritime security around Singapore, he also found a key to identifying asteroids due to collide with each other so they can be watched. Because when this happens, who knows where their new course will take them?
The media has been hyping a strikingly bad magistrate judge’s opinion giving 5th Amendment protection to biometric phone security. This leads Gus Hurwitz and me to question why Congress ever promoted U.S. magistrates to “magistrate judges” in the first place. We suggest striking the word “judge” from the title given to these Article I judicial aides; call it the Truth in Judging Act.
Congress and the president can’t even agree on a compromise that would end the partial government shutdown. So what genius decided that our security from terrorist attacks should depend on Congress and the president agreeing every couple of years on yet another part of our counterterrorism legislation? Like it or not, though, 2019 will feature another cliffhanger, as several national security provisions of FISA come to an end unless renewed. Jamil Jaffer and David Kris talk about the provisions and possible outcomes. I plead for a compromise that takes seriously the Trumpist concern about partisan abuse of the law.
If the SEC didn't own EDGAR, I suspect the government would have imposed serious fines on the owner of EDGAR for enabling a new form of insider trading. Jamil and Gus debate the real question: How can hackers with access to guaranteed market moving info manage to make only $4 million in six months of trading?
The Department of Justice’s Office of Legal Counsel has reversed an Obama-era interpretation limiting the scope of federal criminal laws governing online gambling. David provides the background; I introduce our listeners to the Baptist-bootlegger coalition.
If you would like to hear more from Jeff Jonas and you’ll be in London on January 29, be sure to attend his talk, “AI for Entity Resolution,” at the SAGE Ocean speaker series. Event details can be found here.
Tue, 15 January 2019
Brazen Russian intrusions into the U.S. electricity grid lead our episode. I ask Matthew Heiman and Nick Weaver whether Russia intended for us to know about their intrusions (duh, yes!) and how we should respond to the implicit threat to leave Americans freezing in the dark. Their answers and mine show creativity if not exactly sobriety.
In what may be good news about emerging European sobriety, Google gets a favorable opinion from the advocate general to the European Court of Justice (ECJ) on the question of whether to extend Europe’s “right to be forgotten” censorship regime to benighted Americans, and Turks, and Russians and Chinese. Most of those countries would be glad to impose their censorship regime on Europeans, consideration of which may be enough to overcome the America Derangement Syndrome the ECJ has displayed in earlier tech privacy cases.
DHS was right, and EFF was wrong. That’s the lesson Maury Shenk, Nick and I derive from the latest drone crisis at Gatwick Airport. In response, the UK is seeking police powers that DHS recently obtained—over EFF’s bitter opposition.
Nick explains how the Hal Martin Saga keeps getting weirder—and we try on the full aluminum foil hat to explain how the whole thing could have been orchestrated by the GRU to turn Kaspersky Lab into a hero.
Ron Wyden and Motherboard combined to get mobile phone companies to stop selling location data to third parties. I wonder whether we’ll regret the result. Nobody else does.
Happy New Year from Big Brother: Vietnam takes a leaf from the EU and Chinese playbooks, threatening Facebook with fines for allowing prohibited posts and failing to localize data.
For comic relief, we cover the cybersecurity misadventures of “El Chapo.” Nick Weaver sums up the lesson: Bespoke security is almost always bad security. Oh, and never take a phone from a paranoid boss.
We close with a quick review of how China has misused the Great Firewall to launch cyberattacks and what Silicon Valley (or the rest of us) can do in response.
Wed, 9 January 2019
Nate Jones, David Kris and I kick off 2019 with a roundup of the month of news since we took our Christmas break. First, we break down the utterly predictable but undismissable Silicon Valley claim that the administration’s new export control strategy will hurt the emerging AI industry.
Then we draw on our guests’ expertise in counterintelligence prosecutions to review the APT10 indictment – and the claim by Jack Goldsmith and Robert Williams that the strategy is a failure. We conclude that it isn’t a magic bullet, but that’s not quite the same as a failure. I tease my plan to introduce two dozen more or less unthinkable retaliatory responses the U.S. could deploy if and when it decides to get more serious about deterring adversarial cyber operations.
We quickly cover three new hacks that once looked as though they might be government sponsored. Now it looks as though two were less strategic than that. The denial of service attack on newspaper printing may have been a profit-motivated ransomware attack, and the guy who doxxed the German political establishment may have been a lone hacker (hopefully not one weighing 400 pounds or we’ll never hear the end of it).
We quickly review the bidding on the U.S.-China “quantum arms race,” which may be a bit less critical than the press suggests.
David and Nate also review the mixed bag of rulings on three motions to suppress in Hal Martin’s NSA theft case, which just gets weirder and weirder. David and I are in surprising agreement (along with the judge) that the FBI overreached in using handcuffs, a flashbang and a SWAT team to conduct “noncustodial” questioning of Martin.
Today’s forecast: Windy with a high probability of litigation as Los Angeles sues The Weather Company for collecting and sharing location information in its apps. We suspect that, in claiming a lack of adequate disclosure about location collection, Los Angeles is relying on the ancient legal maxim, “Damned if you do and damned if you don’t.”
In other litigation news, Illinois’s biometric privacy law continues to encounter judicial skepticism. But the Illinois state courts, unburdened by federal standing law, may yet give teeth to this seriously dumb law as Rosenbach v. Six Flags lives on in the Illinois Supreme Court.
In Quick Hits, I am intrigued by the idea that a clever generative adversarial AI “cheated” at a mapping task. In fact, the lesson is both less exciting and more troubling: If you don’t understand how your AI is accomplishing the task you’ve set for it, you need to expect some rude surprises.
Despite all the talk of stasis and crisis in Washington, Congress is still passing modestly useful legislation on cyber issues. Nate describes the SECURE Technology Act, which sets vulnerability disclosure policy and calls for bug bounties at DHS.
And, finally, I recommend a fascinating and deeply ambivalating report on the many ways third-party sellers game Amazon’s Marketplace rules.