The Cyberlaw Podcast

John Yoo, Mark MacCarthy, and I kick off episode 329 of the Cyberlaw Podcast diving deep into what I call the cyberspace equivalent of a dumpster fire. There is probably a pretty good national security case for banning TikTok. In fact, China did a lot better than the Trump administration when it declared, “You know that algorithm that tells all your kids what to watch all day? That’s actually a secret national security asset of the People’s Republic.” But the administration’s process for addressing the national security issue was unable to keep up with President Trump’s eagerness to announce some kind of deal. The haphazard and easily stereotyped process probably also contributed to the casual decision of a magistrate in San Francisco to brush aside US national security interests in the WeChat case, postponing the order on dubious first amendment grounds that John Yoo rightly takes to task.

 

Megan Stifel tells us that the bill for decoupling from China is going to be high – up to $50 billion if you listen to the Semiconductor Industry Association. 

 

Speaking of big industry embracing big government, Pete Jeydel explains IBM’s slightly jarring suggestion that the government should slap export controls on a kind of face recognition technology that Big Blue doesn’t sell any more. Actually, when you put it like that, it kind of explains itself.

Megan tells us that the House has passed a bill on the security of IOT devices. The bill, which has also moved pretty far in the Senate, is pretty modest, setting only standards for what the federal government will buy, but Megan has hopes that it will prove to be the start of a broader movement to address IOT security.

I reprise three of the latest demonstrations of just how much Silicon Valley hates conservatives and how far it will go to suppress their speech.  My favorite is Facebook deciding that a political ad that criticizes transwomen competing in women’s sports must be taken down because it lacks context. Unlike every other political ad since the beginning of time. Although Twitter’s double standard for a “manipulated media” label is pretty rich too: Turns out that splicing Trump’s remarks to make him say what the Biden camp is sure he meant is fair comment, but splicing a Biden interview so he says what the Trump camp is sure he meant is Evil Incarnate. 

Finally, Megan rounds out the week with a host of hacker news. The North Koreans are in bed with Russian cybercrime gangs.  (I can’t help wondering who wakes up with fleas.) The Iranians are stealing 2FA codes and some of them were indicted, though not apparently for the 2FA exploit.  And a long-running Chinese cybergang is indicted too.  Not that that will actually stop them, but it could be hard on their Malaysian accomplices, who are in jail, contemplating the value of government top cover.

Our interview this week is with Michael Brown, a remarkably influential defense technologist. He’s been CEO of Symantec, cowrote the report that led to passage of FIRRMA and the transformation of CFIUS, and now runs the Defense Innovation Unit in Silicon Valley. He explains what DIU does and some of the technological successes it has already made possible.

And more!

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

Download the 329th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-329.mp3
Category:general -- posted at: 10:37pm EDT

In our 328th episode of the Cyberlaw Podcast, Stewart is joined by Bruce Schneier (@schneierblog), Sultan Meghji @sultanmeghji), and Nate Jones (@n8jones81). The Belfer Center has produced a distinctly idiosyncratic report ranking the world’s cyber powers – a kind of Jane’s Fighting Nerds report. Bruce Schneier and I puzzle over its oddities, but at least the authors provided the underlying assessments to led them to rank the Netherlands No. 5, and Israel nowhere in the top ten. The US is number one, but that’s partly due to the Center’s insistence that we’re a norms superpower. In my book, that would require a 20% discount off our offensive capabilities ranking.  Don’t agree? Download the report and pick your own fight!

 

Our interview today is with Cory Doctorow, diving deep on his pamphlet/book, “How to Destroy Surveillance Capitalism.” It’s a robust and entertaining three-cornered fight – me, Cory, and the absent Shoshana Zuboff, whose 700-page tome launched the surveillance capitalism meme. You’ll enjoy hearing me explain to Cory, a Red Diaper Baby born to Trotskyists, that his solution to tech’s overreach is surprisingly similar to Attorney General Bill Barr’s.

 

Elsewhere in the news roundup, Nate Jones and I unpack the Pandora’s Box of pain unleashed by the European Court of Justice in Schrems II

 

Facebook is fighting a multilevel rearguard action – in the courts, in two capitals, and in its terms of service -- to try to salvage its current business model.

 

I cover the latest Tok in the TikTok saga.  Oracle has won … something or other. Sultan Meghji and I puzzle over how the TikTok algorithm can stay in China while the dataset it’s training on remains in the United States. 

 

The Justice Department's antitrust lawsuit against Google is getting nearer and nearer, judging from the thrashing in the underbrush. But we still don’t have a good idea what part of Google’s business will be targeted. Sultan explains the state of play. 

 

In a news flash that I liken in shock value to the report that the weather in San Diego will be sunny and fair, Microsoft has confirmed that the Chinese, Iranians, and Russians have launched cyber-attacks on Biden and Trump campaigns. For reasons unknown, the press can’t get enough of this thin gruel.

 

Bruce and Sultan chart the reasons and tactics behind the rise of ransomware and the importance of being a reliable criminal if you want to make money in extortion. 

 

Nate unpacks China’s global data security initiative so you don’t have to waste your time. The tl;dr is that other countries shouldn’t do any of the things China is doing or aspiring to do. 

 

Speaking of things you don’t have to read because we took the hit, Bruce tells us what’s in the new White House cyber-security policy for space systems. Really, it’s all “shoulds” and puts nobody in charge of enforcement. It would be kind to call it the beta version of a space cybersecurity policy.

 

Sultan argues that there may after all be a limit to the EU’s ability to get every company on the internet to enforce its speech codes, and the domain name registries hope they’re on the other side of that line. 

 

You probably saw the “op-ed” that AI “wrote,” explaining why humans need not fear it.   Bruce, Sultan, and I have plenty of fun mocking Open AI’s penchant for Open Hype.  But Bruce reminds us that sooner or later the hype will be real, and more than half of Twitter will be machines talking to other machines.  Judging from my Twitter feed, that will be an improvement. 

 

Finally,  This Week in Sore Losing: In honor of Jeff Bezos’s AWS and its brief complaining that it should have beat Microsoft to the lucrative JEDI contract, I update an old lawyer’s motto: If you’ve got the law on your side, pound the law. If you’ve got the facts, pound the facts. And if you’ve got neither, pound the Orange Man.

 

And more!

                                                   

 

Download the 328th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-328.mp3
Category:general -- posted at: 12:27pm EDT

In our 327th episode of the Cyberlaw Podcast, Stewart is joined by Nick Weaver (@ncweaver), David Kris (@DavidKris), and Dave Aitel (@daveaitel). We are back from hiatus, with a one-hour news roundup to cover the big stories of the last month.  Pride of place goes to the WeChat/Tiktok mess, which just gets messier as the deadline for action draws near. TikTok is getting all the attention but WeChat is by far the thorniest policy and technical problem. I predict delays as Commerce wrestles with them. Nick Weaver predicts that TikTok’s lawsuit will push resolution of its situation into January.  I’ve got fifty bucks that says it won’t. Lawfare wins either way.

Dave Aitel digs into the attempted Tesla hack. Second best question in the segment: Who’s the insider that enabled an attack on his employer and is still working there three years later?  Best question: How many CSO’s can say with confidence that none of their employees would take $1 million to plug a USB stick into the company network? 

This Month in Overhyped Judicial Decisions about FISA: David Kris lays out the seven-years-late Ninth Circuit decision that has been billed as striking at the FISA warrantless surveillance law. Talk about overtaken by events. The opinion grumbles about the Fourth Amendment but doesn’t actually rule (and its analysis is so partial that it isn’t even persuasive dicta). It boldly finds that the collection violated a statute that has been repealed anyway. And then it says that doesn’t matter because suppression of the evidence isn’t a remedy and the violation didn’t taint the trial.  The only really good news for the civil liberties community is that Justice can’t appeal to the Supreme Court because, well, it won.

David also takes on the other overhyped FISA decision, a lengthy FISA court review of agencies’ minimization practices with respect to Americans’ data collected under section 702. The court approved practically everything but was predictably and not improperly upset at the FBI’s inability to design social and IT systems that prevent dumb violations of the rules. 

Speaking of FISA, important national security provisions remain unsettled, in large part because of Trump’s misguided opposition. Who, David asks, could possibly persuade GOP members that there’s a FISA reform that responds to their sense of grievance over the Russian collusion investigation?  I volunteer, with lengthy testimony to the PCLOB and a shorter piece in Lawfare.

Dave Aitel asks why we’re surprised that Iranian hackers are monetizing access to networks that don’t offer national security value to their government. Or that hackers are following their targets into specialized software markets. If you know your target is a law firm, he suggests, you’d be better off looking for flaws in Relativity than in Windows…. Excuse me, I just felt someone walk over my grave.

Nick and Dave are both critical of the Justice Department’s indictment of Joe Sullivan for obstruction of justice and misprision of felony. That is beginning to look like a case Sullivan can win, and he just might take it to trial. 

Nick thinks the Justice Department is playing a long game in pretending it can seize 280 cryptocurrency accounts used by hackers. It can’t get the funds, but it sure can make it hard for the hackers to get them. 

U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021. 

And more!

Download the 327th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: 327-ill-take-hacking-tesla-for-one-million-dollars-alex.
Category:general -- posted at: 10:56am EDT

In our 326th episode of the Cyberlaw Podcast, Stewart Baker interviews Lauren Willard, who serves as Counsel to the Assistant Attorney General. Stewart is also joined Nick Weaver (@ncweaver), David Kris (@DavidKris), and Paul Rosenzweig (@RosenzweigP).

Our interview this week focuses on section 230 of the Communications Decency Act and features Lauren Willard, counsel to the Attorney General and a moving force behind the well-received Justice Department report on section 230 reform. Among the surprises: Just how strong the case is for FCC rule-making jurisdiction over section 230.

In the news, David Kris and Paul Rosenzweig talk through the fallout from Schrems II, the Court of Justice decision that may yet cut off all data flows across the Atlantic.

Paul and I speculate on the new election interference threat being raised by House Democrats. We also pause to praise the Masterpiece Theatre of intelligence reports on Russian cyber-attacks.

Nick Weaver draws our attention to a remarkable lawsuit against Apple. Actually, it’s not the lawsuit, it’s the conduct by Apple that is remarkable, and not in a good way. Apple gift cards are being used to cash out scams that defraud consumers in the US, and Apple’s position is that, gee, it sucks to be a scam victim but that’s not Apple’s problem, even though Apple is in the position to stop these scams and actually keeps 30% of the proceeds. I point out the Western Union–on better facts than that–ended up paying hundreds of millions of dollars in an FTC enforcement action–and still facing harsh criminal sanctions.

Paul and David talk us through the 2021 National Defense Authorization Act, which is shaping up to make a lot of cyber-security law, particularly law recommended by the Cyber Solarium Commission. On one of its recommendations – legislatively creating a White House cyber coordinator – we all end up lukewarm at best.

David analyzes the latest criminal indictment of Chinese hackers, and I try to popularize the concept of crony cyberespionage.

Paul does a post-mortem on the Twitter hack. And speaking only for myself, I can’t wait for Twitter to start charging for subscriptions to the service, for reasons you can probably guess.

David digs into the story that gives this episode its title – an academic study claiming that face recognition systems can be subverted by poisoning the training data with undetectable bits of cloaking data that wreck the AI model behind the system. How long, I wonder, before Facebook and Instagram start a “poisoned for your protection” service on their platforms?

In quick takes, I ask Nick to comment on the claim that US researchers will soon be building an “unhackable” quantum Internet. Remarkably his response is both pithy and printable.

And more!

Direct download: TheCyberlawPodcast-326.mp3
Category:general -- posted at: 12:01pm EDT

The big news of the week was the breathtakingly arrogant decision of the European Court of Justice, announcing that it would set the rules for how governments could use personal data in fighting crime and terrorism.

Even more gobsmacking, the court decided to impose those rules on every government on the planet – except the members of the European Union, which are beyond its reach. Oh, and along the way the court blew up the Privacy Shield, exposing every transatlantic business to massive liability, and put the EU on a collision course with China over China’s most sensitive domestic security operations. This won’t end well. Paul Hughes helps me make sense of the decision.

In the interview, I talk to Darrell West, co-author of Turning Point—Policymaking in the Era of Artificial Intelligence. We mostly agree on where AI is already making a difference, where it’s still hype, and how it will transform war. Where we disagree is over the policy prescriptions for avoiding the worst outcomes. I disagree with the relentless focus of the book (and every other book in recent years) on the questionable claim of AI bias, and Darrell and I have a spirited disagreement over my claim that his prescription will hide numerical racial and gender quotas in every aspect of life that AI touches.

Iranian cyberspies make pretty good training videos, Sultan Meghji tells us, but they’re not taking any bows after leaving the videos exposed online.

If you thought Twitter’s content resembled middle school, wait until you see their security measures in action. Nate Jones has the details, but my takeaway is that middle school science projects are usually handled a lot more responsibly than Twitter’s “god mode” dashboard.

BIPA, the Illinois biometric privacy act, has inspired lawsuits against users of a database assembled to reduce AI bias. Mark MacCarthy explains that the law prohibits the use of biometrics (like pictures of your face) without consent. I observe that this makes BIPA the COVID-19 of privacy law.  Anyone who touches this database will be infected with liability, at least if the plaintiff’s surprisingly plausible theory holds up.

Sultan reminds us that the PRC has now been caught twice requiring companies in China to use tax software with built-in malware. You know what they say: “Once is happenstance. Twice is coincidence. Three times is enemy action.”  I don’t think we’ll need to wait long to see number three.

Nate gives us a former government lawyer’s take on the CIA’s new authority to conduct cyber covert action. (YahooLawfare) Ordinarily he’d be skeptical of keeping those decisions away from the White House, but in this case, he’ll make an exception. My take: If unshackling the CIA has produced the APT34 and FSB hacks and data dumps, what’s not to like?

In short hits, I mock the Justice Department spokesperson who claimed that Ghislaine Maxwell was engaged in “a misguided effort to evade detection” when she wrapped her cellphone in tin foil. And Mark and I cross swords over Reddit’s capture by the Intolerant Left. You make the call: When Reddit declares that exposing fake hate crimes as hoaxes is a form of hate speech, is that anecdotal evidence of left-wing bias or stone-cold proof of epistemic closure?

Download the 325th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunesGoogle PlaySpotifyPocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-325.mp3
Category:general -- posted at: 2:06pm EDT

Our interview is with Bruce Schneier, who has co-authored a paper about how to push security back up the Internet-of-things supply chain: The reverse cascade: Enforcing security on the global IoT supply chain.  His solution is hard on IOT affordability and hard on big retailers and other middlemen, who will face new liabilities, but we conclude that it’s doable. In fact, the real question is who’ll get there first, a combination of DHS’s CISA and the FTC or the California Secretary of State.

In the News Roundup Megan Stifel (@MeganStifel), Nate Jones (@n8jones81), and David Kris (@DavidKris) and I discuss how it must feel to TikTok as though the shot clock is winding down.  Administration initiatives that could hurt or kill its US business are proliferating.  Nate Jones, Megan Stifel, and I explore the government’s options. The most surprising, and devastating, of them is a simple ban on TikTok as a threat to national security or the security of Americans. That’s the standard under Executive Order 13873, a brand-new (the regs aren’t yet final) implementation of the well-tested tools under IEEPA. A straightforward application of IEEPA remedies would cut TikTok off from the US market, I argue.

Meanwhile, another little-advertised but equally sweeping rule for government contractors is on its way to implementation. It will deny federal contracts, not just to certain Chinese products but to contractors who themselves use those products.

Not to be outdone by the contracting officers, the Federal Trade Commission and Justice Department are attacking TikTok from a different direction — investigating claims that the company failed to live up to last year’s consent decree on the privacy of children using the app. 

And, on top of everything, private sector CISOs are drawing a bead on the app, as Wells Fargo and (briefly) Amazon tell their employees to take the app off their work phones

It’s no surprise in the face of these developments that TikTok is working overtime to decouple itself in the public’s mind from China, including going so far as to join the rest of Silicon Valley in signaling discomfort with Hong Kong’s new security rules (and ruler). Megan and I question whether this strategy will succeed.

If Chief Justice Roberts were running for office, he couldn’t have produced a better result than the Court’s latest tech decision – upholding most of a law that makes robocalls illegal while striking down the one part of the law that authorizes robocalls.  David Kris explains.

Nate unpacks a new Florida DBA privacy law prohibiting life, disability and long-term care insurance companies from using genetic tests for coverage purposes. I express skepticism.

Nate also explains the mysteriously quiet launch of the UK-US Bilateral Data Access Agreement. Four years in the making, and neither side wanted to announce that it was in effect – what’s with that, I wonder? 

FBI Director Wray gives a compelling speech on the counterintelligence and economic espionage threat from China. 

He says the bureau opens a new such case every ten hours.  And right on schedule come charges against a professor charged with taking $4M in US grant money to conduct research — for China.

David and I puzzle over the surprisingly lenient sentence handed to a former Yahoo engineer for hacking the personal accounts of more than 6,000 Yahoo Mail users to search and collect sexually explicit images and videos. 

Direct download: TheCyberlawPodcast-324.mp3
Category:general -- posted at: 9:24pm EDT

In the News Roundup, Dave Aitel (@daveaitel), Mark MacCarthy (@Mark_MacCarthy), and Nick Weaver (@ncweaver) and I discuss how French and Dutch investigators pulled off the coup of the year this April, when they totally pwned a shady “secure phone” system used by massive numbers of European criminals. Nick Weaver explains that hacking the phones of Entrochat users gave them access to large troves of remarkably candid criminal text conversations. And, I argue, it shows the flaw in the argument of encryption defenders. They are right that restricting Silicon Valley encryption will send criminals to less savory companies, but those companies are inherently more prone to compromise, as happened here.

The EARN IT Act went from Washington-controversial to Washington consensus in the usual way.  It was amended into mush. Indeed, there’s an argument that, by guaranteeing nothing bad will happen to social platforms who adopt end-to-end encryption, the Leahy amendment has actually made e2e crypto more attractive than it is today. That’s my view, but Mark MacCarthy still thinks the twitching corpse of EARN IT might cause harm by allowing states to adopt stricter rules for liability in the context of child sex abuse material. He also thinks that it won’t pass.  I have ten bucks that says it will, and by the end of the year.    

Dave Aitel, new to the news roundup, discusses the bad week TikTok had in its second biggest market.  India has banned the app. And judging from some of the teardowns of the code, its days may be numbered elsewhere as well.   Dave points to reports that Angry Birds was used to collect user information as well when it was at the height of its popularity. We wax philosophic about why advertising and not national security agencies are breaking new ground in building our Brave New World.

Mark once worked for a credit card association, so he’s the perfect person to comment on claims that being labeled a “hate speech” platform won’t just get you boycotted in Silicon Valley but by the credit card associations as well. And once we’re in this vein, we mine it, covering Silicon Valley’s concerted campaign to make sure Donald Trump can’t repeat 2016 in 2020. He’s been deplatformed at Twitch this week for something he said in 2016.  And Reddit dumped his enormous subreddit for failure to observe its censorship rules – which I point out are designed to censor only the majority. I argue it’s time to go after the speech police.  

Nick takes us to a remarkable Washington story. He thinks it’s about a questionable Trump administration effort to redirect $10 million in “freedom tool” funding from cryptolibertarians to Falun Gong coders. I point out that US government funds going to the cryptolibertarians were paying the salary of the notorious Jake Applebaum and buying tools like TAILS that have protected appalling sextortionist criminals. Really, the money would be better spent if we burned it on cold days.

Returning to This Week in Hacked Phones, Nick explains the latest man in the middle attack that requires the phone user to do nothing but visit a website. Any website.  Dave sets out the strikingly sophisticated and massive international surveillance system now aimed by China at Uighers all around the world.  And Nick warns of two bugs that, if you haven’t spent the weekend fixing, may already be exploited on your network.                       

Download the 323rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-323.mp3
Category:general -- posted at: 10:14pm EDT

For the first time in twenty years, the Justice Department is finally free to campaign for the encryption access bill it has always wanted.  Sens. Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.), and Marsha Blackburn (R-Tenn.) introduced the Lawful Access To Encrypted Data Act. (Ars Technica, Press Release) As Nick Weaver points out in the news roundup, this bill is not a compromise. It’s exactly what the Justice Department wants – a mandate that every significant service provider or electronic device maker build in the ability to decrypt any data it has encrypted when served with a lawful warrant.

In our interview, Under Secretary Chris Krebs, head of the Cybersecurity and Infrastructure Security Agency, drops in for a chat on election security, cyber espionage aimed at coronavirus researchers, why CISA needs new administrative subpoena authority, the value of secure DNS, and how cybersecurity has changed in the three years since he took his job.

Germany’s highest court has ruled that the German competition authority can force Facebook to obtain user consent for internal data sharing, to prevent abuse of a dominant position in the social networking market. Maury Shenk and I are dubious about the use of competition law for privacy enforcement. Those doubts could also send the ruling to a still higher forum – the European Court of Justice.

You might think that NotPetya is three years in the rear-view mirror, but the idea of spreading malware via tax software, pioneered by the GRU with NotPetya, seems to have inspired a copycat in China. Maury reports that a Chinese bank is requiring foreign firms to install a tax app that, it turns out, has a covert backdoor. (Ars Technica, Report, NBC)

The Assange prosecution is looking less like a first amendment case and more like a garden variety hacking conspiracy thanks to the government’s amended indictment. (DOJ, Washington Post) And, as usual, the more information we have about Assange, the worse he looks.

Jim Carafano, new to the podcast, argues that face recognition is coming no matter how hard the press and NGOs work to demonize it. And working hard they are. The ACLU has filed a complaint against the Detroit police, faulting them for arresting the wrong man based on a faulty match provided by facial recognition software. (Ars Technica, Complaint)

The Facebook advertiser moral panic is gaining adherents, including Unilever and Verizon, but Nick and I wonder if the reason is politics or a collapse in ad budgets. Whatever the cause, it’s apparently led Mark Zuckerberg to promise more enforcement of Facebook’s policies.

In short hits, the U.S. Department of Homeland Security sent a letter to chief executives of five large tech companies asking them to ensure social media platforms are not used to incite violence. Twitter has permanently suspended the account of leak publisher DDoSecrets. (Ars Technica, Cyber Scoop). Rep. Devin Nunes (R-Calif.) was told what he must have known when he filed his case: he cannot sue Twitter for defamation over tweets posted by a parody account posing as his cow. (Ars Technica, Ruling) Nick explains why it’s good news all around as Comcast partners with Mozilla to deploy encrypted DNS lookups on the Firefox browser. And Burkov gets a nine-year sentence for his hacking.

Download the 322nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-322.mp3
Category:general -- posted at: 11:50am EDT

This is the week when the movement to reform Section 230 of the Communications Decency Act got serious. The Justice Department released a substantive report suggesting multiple reforms. I was positive about many of them (my views here). Meanwhile, Sen. Josh Hawley (R-MO) has proposed a somewhat similar set of changes in his bill, introduced this week. Nate Jones and I dig into the provisions, and both of us expect interest from Democrats as well as Republicans. 

The National Security Agency has launched a pilot program to provide secure domain name system (DNS) resolver services for US defense contractors. If that’s such a good idea, I ask, why doesn’t everybody do it, and Nick Weaver tells us they can. Phil Reitinger’s Global Cyberalliance offers Quad9 for this purpose. 

Gus Hurwitz brings us up to date on a host of European cyberlaw developments, from terror takedowns (Reuters, Tech Crunch) to competition law to the rise of a disturbingly unaccountable and self-confident judiciary. Microsoft’s Brad Smith, meanwhile, wins the prize for best marriage of business self-interest and Zeitgeist in the twenty-first century.

Hackers used LinkedIn’s private messaging feature to send documents containing malicious code which defense contractor employees were tricked into opening. Nick points out just what a boon LinkedIn is for cyberespionage (including his own), and I caution listeners not to display their tattoos on LinkedIn.

Speaking of fools who kind of have it coming, Nick tells the story of the now former eBay executives who have been charged with sustained and imaginatively-over-the-top harassment of the owners of a newsletter that had not been deferential to eBay. (Wired, DOJ)

It’s hard to like the defendants in that case, I argue, but the law they’ve been charged under is remarkably sweeping. Apparently it’s a felony to intentionally use the internet to cause substantial emotional distress. Who knew? Most of us who use Twitter thought that was its main purpose. I also discover that special protections under the law are extended not only to prevent internet threats and harassment of service animals but also horses of any kind. Other livestock are apparently left unprotected. PETA, call your office.

Child abusers cheered when Zoom buckled to criticism of its limits on end-to-end encryption, but Nick insists that the new policy offers safeguards for policing misuse of the platform. (Ars Technica, Zoom)

I take a minute to roast Republicans in Congress who have announced that no FISA reauthorization will be adopted until John Durham’s investigation of FISA abuses is done, which makes sense until you realize that the FISA provisions up for reauthorization have nothing to do with the abuses Durham is investigating. So we’re giving international terrorists a break from scrutiny simply because the President can’t keep the difference straight.

Nate notes that a story previewed in April has now been confirmed: Team Telecom is recommending the blocking of a Hong Kong-US undersea cable over national security concerns.

Gus reminds us that a bitter trade fight between the US and Europe over taxes on Silicon Valley services is coming. (Politico, Ars Technica)

Nick and I mourn the complete meltdown of mobile phone contact tracing. I argue that from here on out, some portion of coronavirus deaths should be classified as mechanogenic (caused by engineering malpractice). Nick proposes instead a naming convention built around the Therac-25

And we close with a quick look at the latest data dump from Distributed Denial of Secrets. Nick thinks it’s strikingly contemporaneous but also surprisingly unscandalizing.

Download the 321st Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-321.mp3
Category:general -- posted at: 3:58pm EDT

Our interview this week is with Chris Bing, a cybersecurity reporter with Reuters, and John Scott-Railton, Senior Researcher at Citizen Lab and PhD student at UCLA. John coauthored Citizen Lab’s report last week on BellTroX and Indian hackers for hire, and Chris reported for Reuters on the same organization’s activities – and criminal exposure – in the United States. The most remarkable aspect of the story is how thoroughly normalized hacking legal and lobbying opponents seems to have become, at least in parts of the US legal and investigative ecosystem. I suggest that instead of a long extradition battle, the US give the head of BellTroX a ticket to the US and a guaranteed income for the next few years as a witness against his customers. 

 

In the news roundup, Nick Weaver tells the remarkable story of how Facebook funded an exploit aimed at taking down a particularly vile online abuser of young girls who was nearly invulnerable because he was using TAILS, the secure, thumb drive-based communication system (Vice, Gizmodo). This is a great story because it really doesn’t fit into any of the stilted narratives into which most internet security stories are usually jammed.

 

Nick also notes Big Tech’s pledge to do more to stop child abuse online. I suggest that only Dr. Evil would be impressed by the amounts of money being invested in the campaign.

 

Well, another week, another Zoom bomb.  Now the company is taking heat because it terminated several Tiananmen Square commemorative Zoom sessions after China complained (NYT, Zoom). David Kris and I don’t think Zoom had much choice about cutting off the Chinese customers.  Terminating the US account holder who organized a session, however, was a bad move – and one that’s since been corrected by the company. 

 

Nate Jones and I square off again for Round 545 on content moderation, spurred this time by reports that Sen. Josh Hawley is drafting legislation inspired by the Trump Administration’s Section 230 EO. Meanwhile several Republican senators are pushing the FCC to act on the order. Nate and I find rare bipartisan common ground on the idea that Congress should require social media companies to take down foreign government online messaging – and maybe work with the US government to stop it at the source.

 

David reports on a fairly (and deservedly) obscure EU cloud independence project. It seems to have been embraced by Microsoft, which I accuse of going full AT&T – embracing government regulation as a competitive differentiator. As if to prove my point, Microsoft announces that it’s getting out of the business of doing facial recognition for the police – until it can persuade Congress to regulate its competitors.  

Why are spies targeting vaccine research? Nate highlights the excellent Risky Biz newsletter analysis of what drives COVID-19 cyberespionage. 

Nick flags the potential significance of ARM wrestling, as the UK chip designer ARM fights its JV partner for control of its Chinese joint venture. Nick also assigns a “moderate” threat label to the latest Universal Plug n Pwn exploit. It’s only moderate because there are so many pwned IOT devices already in a position to DDOS targets of opportunity.

 

In quick hits, I note that Israel has halted its controversial use of intelligence capabilities to monitor the spread of the coronavirus, but the government reserves the right to revive monitoring if a second wave shows up (JPost, Yahoo). Poor Brewster Kahle is looking like an internet hippie who fell asleep at Woodstock and woke up at Altamont. The Internet Archive is ending its program of offering free, unrestricted copies of e-books, but the publishers who sued over that program may decide to keep suing until they’ve broken his entire “digital library” model, and maybe the Internet Archive as well (NYT, Ars Technica). That would be a shame. Finally, you can have a thousand talents, but honesty may not be one of them. Charles Lieber, the Harvard University professor arrested for lying about his lucrative China contracts, has now been indicted on false statement charges. 

Download the 320th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-320.mp3
Category:general -- posted at: 10:03pm EDT

Our interview with Ben Buchanan begins with his report on how artificial intelligence may influence national and cybersecurity. Ben’s quick takes: better for defense than offense, and probably even better for propaganda. The best part, in my view, is Ben’s explanation of how to poison the AI that’s trying to hack you—and the scary possibility that China is already poisoning Silicon Valley’s AI.

By popular request, we’ve revisited a story we skipped last week to do a pretty deep dive on the decision (for now) that Capital One can’t claim attorney-client work product privilege in a Mandiant intrusion response report prepared after its breach. Steptoe litigator Charles Michael and I talk about how IR firms and CISOs should respond to the decision, assuming it stands up on appeal.

Maury Shenk notes the latest of about a hundred warnings, this time from Christopher Krebs, the director of DHS’s cybersecurity agency and the head of Britain’s GCHQ, that China’s intelligence service—and every other intelligence service on the planet—seem to be targeting COVID-19 research.

Maury takes us through the week in internet copyright fights. Ideological copyright enforcement meets the world’s dumbest takedown bots as Twitter removes a Trump campaign video tribute to George Floyd due to a copyright claim. The video is still available on Trump’s YouTube channel.

We puzzle over Instagram’s failure to provide a license to users of its embedding API. The announcement could come as an unwelcome surprise to users who believed that embedding images, rather than hosting them directly, provides insulation against copyright claims.

Finally, much as I love Brewster Kahle, I’m afraid that Kahle’s latest move marks his transition from internet hippie to “holy fool”—and maybe a broke one. His Internet Archive, the online library best known for maintaining the Internet Wayback Machine makes scanned copies of books available to the public on terms that resemble a library’s. The setup was arguably legal—and no one was suing—until Kahle decided to let people download more books than his company had paid for. Now he faces an ugly copyright lawsuit.

Speaking of ugly lawsuits, Mark MacCarthy and Paul Rosenzweig comment on the Center for Democracy and Technology’s complaint that Trump violated tech companies’ right to free speech with his executive order on section 230. (Reuters, NYT) I question whether this lawsuit will get far.

This Week in Working the Ref: Facebook and Mark Zuckerberg are facing criticism from users, competitors, civil rights organizations for failing to censor the people those groups hate. (Ars Technica, Politico). Meanwhile, Snap scores points by ending promotion of Trump’s account after concluding his tweets incited violence.

Where is Nate Jones when you need him? He would love this story: A Twitter user sacrificed a Twitter account to show that Trump is treated differently than others by the platform. Of course, the panel notes, that’s pretty much what Twitter says it does.

In quick hits, I serve notice that no one should be surprised if Justice brings an adtech antitrust suit against Google. The Israeli government announces an attack on its infrastructure so late that the press has already identified and attributed its retaliatory cyberattack on Iran’s ports. And somebody pretty good—probably not the Russians, I argue—is targeting industrial firms.

Download the 319th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-319.mp3
Category:general -- posted at: 3:50pm EDT

This episode features an in-depth (and occasionally contentious) interview with Bart Gellman about his new book, Dark Mirror: Edward Snowden and the American Surveillance State, which can be found on his website and on Amazon. I’m tagged in the book as having been sharply critical of Gellman’s Snowden stories, and I live up to the billing in this interview. He responds to my critique in good part. Gellman offers detailed insights into Edward Snowden’s motives and relationships to foreign governments, as well as how journalism – and journalistic lawyering – is done in the Big Leagues.

Our news roundup focuses heavily on the Trump Administration’s executive order on section 230 of the Communications Decency Act (Wall Street Journal Washington Post). I end up debating all three of my co-panelists – Nate Jones, Nick Weaver, and Evelyn Douek, rejoining us on a particularly good day, given her expertise. We agree to disagree on whether Silicon Valley applies its rules in a fashion that discriminates against conservatives. More interesting is the rough consensus that Silicon Valley’s heavy influence over our speech is worth worrying about and that transparency is one of the better ways to discipline that influence. No one but me is willing to consider the possibility that the executive order represents a good step toward transparency. 

Nate and I find much room to agree, though, on the tragicomedy emerging from the reauthorization of three relatively straightforward FISA provisions. Stay tuned for a House-Senate conference, plus heavy lobbying of the President. 

Nick explains NSA’s outing of Russian military hackers targeting mail relay software (CyberScoop NSA). 

Nate and I cover the latest in US-China decoupling – the FCC and Justice Department enthusiasm for kicking Chinese telecom firms out of the country and, in a possible new front, heavy scrutiny being given to Chinese-built transformers

Evelyn tells us that, as a visa holder, she’s definitely hoping that the courts overturn US rules forcing visa applicants to disclose their social media handles. I predict that her hopes will be dashed.

Finally, Nick explains who needs a “quantum holographic catalyzer” to protect against 5G telecom emissions.  Quick answer: No one.  It’s a fake cure for fake malady

Download the 318th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-318.mp3
Category:general -- posted at: 10:51am EDT

Our interview is with Mara Hvistendahl, an investigative journalist at The Intercept and author of a new book, The Scientist and the Spy: A True Story of China, the FBI, and Industrial Espionage, as well as a deep WIRED article on the least known Chinese AI champion, iFlytek. Mara’s book raises questions about the expense and motivations of the FBI’s pursuit of commercial spying from China. 

In the News Roundup, Gus Hurwitz, Nick Weaver, and I wrestle with whether Apple’s lawsuit against Corellium is really aimed at the FBI. The answer looks to be affirmative since an Apple victory would make it harder for contractors to find hackable flaws in the iPhone.

Germany’s top court ruled that German intelligence can no longer freely spy on foreigners – or share intelligence with other western countries. The court seems to be trying to leave the door open to something that looks like intelligence collection, but the hurdles are many. Which reminds me that I somehow missed the 100th anniversary of the Weimar Republic.

There’s Trouble Right Here in Takedown City. Gus lays out all the screwy and maybe even dangerous takedown decisions that came to light last week. YouTube censored epidemiologist Knut Wittkowski for opposing lockdown. It suspended and then reinstated a popular Android podcast app for the crime of cataloging COVID-19 content. We learned that anyone can engage in a self-help right to be forgotten with a bit of backdating and a plagiarism claim. Classical musicians are taking it on the chin in their battle with aggressive copyright enforcement bots and a sluggish Silicon Valley response.

In that climate, who can blame the Supreme Court for ducking cases asking for a ruling on the scope of Section 230? They’ve dodged one already, and we predict the same outcome in the next one. 

Finally, Gus unpacks the recent report on the DMCA from the Copyright Lobbying Office – er, the Copyright Office.

With relief, we turn to Matthew Heiman for more cyber and less law. It sure looks like Israel launched a disruptive cyberattack on Iranian port facility. It was probably a response to Iranian cybe-rmeddling with Israeli water systems.

Nick covers Bizarro-world cybersecurity: It turns out malware authors now can hire their own black-market security pentesters

I ask about open-source security and am met with derisive laughter, which certainly seems fair after flaws were found in dozens of applications

I also cover new developments in AI. And the news from AI speech imitation is that Presidents Trump and Obama have fake-endorsed Lyrebird. 

Gus reminds us that most of privacy law is about unintended consequences, like telling Grandma she’s violating GDPR by posting her grandchildren's photos without their parents' consent.

Beerint at last makes its appearance, as it turns out that military and intelligence personnel can be tracked with a beer enthusiast app. 

Finally, in the wake of Joe Rogan’s deal with Spotify, I offer assurances that the Cyberlaw Podcast is not going to sell out for $100 million. 

Download the 317th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-317.mp3
Category:general -- posted at: 11:18am EDT

Peter Singer continues his excursion into what he calls “useful fiction” – thrillers that explore real-world implications of emerging technologies – with Burn-In: A Novel of the Real Robotic Revolution, to be released May 26, 2020. This interview explores a thoroughly researched (and footnoted!) host of new technologies, many already in production or on the horizon, all packed inside a plot-driven novel. The book is a painless way to understand what these technologies make possible and their impact on actual human beings. And the interview ranges widely over the policy implications, plus a few plot spoilers.

In the News Roundup, David Kris covers the latest Congressional FISA Follies, leading me into a rant on the utter irresponsibility of subjecting national security authorities to regular expiration – and regular ransom demands from the least responsible elements of Congress. Speaking of FISA, it turns out that the December Pensacola shootings were hatched by al-Qaeda’s Yemen franchise. Why are we only learning this in May? Because the evidence comes from an iPhone whose security Apple refused to find a way around. The FBI’s self-help solution worked in the end, but not until the trail had gone cold. 

Decoupling is in overdrive this week. Nick Weaver talks about the move by the Trump Administration to achieve semiconductor self-sufficiency – and the not-coincidental announcements that TSMC will build a chip factory in Arizona and that the Commerce Department has drafted a new export rule aimed at making it much harder for TSMC to build chips for Huawei. In response, China is preparing a list of unreliable US suppliers of technology. I wonder whether putting companies on the list for diversifying their supply chain out of China will have the long-term effect of making companies more reluctant to open new supply relationships with Chinese companies.

David and I note that recent U.S. accusations of Chinese and Iranian cyber intrusions on COVID-19 research may be more than just the usual imprecations. 

And Nick explains why so many US professors are going to jail for undisclosed China ties. The key word is “undisclosed.”

Mark MacCarthy previews France’s (and Germany’s and the EU’s and the UK’s) increasingly tough sanctions for US social media firms that fail to remove "hate speech" and other bad content within 24 hours (or sometimes one hour). More and more, it seems, Section 230 immunity is just a local U.S. ordinance.

Mark and Nick review the latest trial balloon from Europe’s technocrats: How about a Chinese firewall for Europe?  Some apparently respectable policy thinkers working for the European Parliament seem interested in such an idea. 

David and Nick find themselves agreeing with the latest release from DHS’s CISA pouring cold water on online voting

In quick hits, David notes the Trump administration’s now routine extension of the "telecom national security" Executive Order, Nick brings us This Week in NSO Bashing, I touch on a ransomware and doxing threat that has tripped up a celebrity law firm, and Nick and I muse on why cell phone contact tracing seems about to jump the shark.

We close with a surprising catfishing story.

Download the 316th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-316.mp3
Category:general -- posted at: 11:07am EDT

J.P. Morgan once responded to President Teddy Roosevelt’s charge that he’d violated federal antitrust law by saying, “If we have done anything wrong, send your man to see my man, and we’ll fix it up.” That used to be the gold standard for monopolist arrogance in dealing with government, but Google and Apple have put J.P. Morgan in the shade with their latest instruction to the governments of the world: You can’t use our app to trace COVID-19 infections unless you promise not to use it for quarantine or law enforcement purposes. They are only able to do this because the two companies have more or less 99 percent of the phone OS market. That’s more control than Morgan had of U.S. railways, and their dominance apparently allows them to say, “If you think we’ve done something wrong, don’t bother to send your man; ours is too busy to meet.” Nate Jones and I discuss the question of Silicon Valley overreach in this episode. (In that vein, I apologize unreservedly to John D. Rockefeller, to whom I mistakenly attributed the quote.) The sad result is that a promising technological adjunct to contact tracing has been delayed and muddled by ideological engineers to the point where it isn’t likely to be deployed and used in a timely way.

Another lesson we draw in today’s episode is for authoritarian governments: Worry less about Cyber Command and more about NGOs. Citizen Lab has released a great paper making the case that WeChat monitors its users outside China, not to suppress their speech but to flag documents and images for later suppression inside China. Ironically, Matthew Heiman notes, Western users of WeChat who circulate human rights material are giving China’s censors the ability to hash and block that material as soon as it crosses the Great Firewall.

Meanwhile, Nate points out, Bellingcat has done for Russia’s GRU what Citizen Lab did for China. Perhaps inspired by Germany’s indictment of Dmitry Badin for hacking the Bundestag, Bellingcat doxes him to a fare-thee-well, finding his phone number, car registration, GRU office address and preposterously bad password.

David Kris explains the intersection of export control law and the Law of Unintended Consequences, as the U.S. Commerce Department finds that its efforts to isolate Huawei may be excluding U.S. firms from some standards bodies.

Anthony Anscombe joins us from Steptoe’s class action practice to unpack the recent Seventh Circuit decision on Article III standing and Illinois’s Biometric Information Privacy Act.

Israel’s passive-aggressive Supreme Court, meanwhile, has found a second way to say, “Meh,” to the Israeli government’s use of intelligence tools to do contact tracing.

Matthew lays out what’s at stake as the Senate tries again to pass its FISA bill. That may happen as early as today.

In short hits, everybody’s government hackers are adding COVID-19 to their targets, going after everyone from the WHO to coronavirus researchers. I make an effort to explain why Apple has brought a DMCA copyright lawsuit against Corellium. It’s all about the “chilling effect” on security research. And maybe one particular Five Eyes researcher. I make the case for Justice Department intervention on Corellium’s behalf—or at least Azimuth’s. Banjo’s CEO steps down. And where is Jean-Paul Sartre when you need him? He’s the only one who can resolve the odd dispute over “authenticity” between Twitter and the U.S. State Department.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

Direct download: TheCyberlawPodcast-315.mp3
Category:general -- posted at: 4:47pm EDT

We begin with a new US measure to secure its supply chain for a critical infrastructure – the bulk power grid. David Kris unpacks a new Executive Order restricting purchases of foreign equipment for the grid.

Nick Weaver, meanwhile, explains the remarkable extent of surveillance built into Xiaomi phones and questions the company’s claim that it was merely acquiring pseudonymous ad-related data like others in the industry.

It wouldn’t be the Cyberlaw Podcast if we didn’t wrangle over mobile phones and the coronavirus. Mark MacCarthy says that several countries – Australia, the UK, and perhaps France – are deviating from the Gapple model for using phones for infection tracing. Several have bought in. India, meanwhile, is planning a much more government-driven approach to using phone apps to combat the pandemic.

Mark ventures into even more contested territory in response to an article in The Atlantic by Jack Goldsmith and Andrew Woods, who argue that China has won the debate with John Perry Barlow over whether the Internet will be a force for free speech. Mark and I more or less agree, which sends me off on a rant about the growing self-confidence and ham-handedness of Big Tech as they get comfortable in their role as Guardians of What You Can’t Say on the Internet. Things you can’t say include plausible arguments about the still highly unsettled question of how best to deal with COVID-19 and descriptions of treatment options that have been entertained by President Trump without establishment approval, not to mention “unverified” statements (not, notably, false ones) that could cause social unrest. Just reading such things, it turns out, will lead at least Facebook to track you down and tell you that it noticed and wants to correct your flirtation with thoughtcrime – a practice that earned it praise from Rep. Adam Schiff.

Nick and I note the difficulty Facebook is having getting out of FOSTA cases in Texas, and I ask why FOSTA hasn’t already spelled doom for end-to-end encryption since it basically does what the EARN IT Act does, and all right-thinking Americans have been told that EARN IT is The End of End-to-End Encryption.

David explains why Amazon is facing tough new scrutiny from both parties: A Wall Street Journal article that questioned the accuracy of Amazon testimony before Congress has turned into claims of perjury, a demand that Jeff Bezos testify, and suggestions that the administration open a criminal antitrust probe.

“You can’t decouple from me! I’m decoupling from you!” That’s the sentiment from China anyway as they push forward with their own remarkably familiar supply chain security regulations. David explains that while the rules are similar to those in the United States, they’re tougher and more likely to be implemented in a slow, inexorable way.

Download the 314th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-314.mp3
Category:general -- posted at: 6:43pm EDT

In today’s interview, I spar with Harriet Moynihan over the application of international law to cyberattacks, a topic on which she has written with clarity and in detail. We disagree politely but profoundly. I make the case that international law is distinct from what works in cyberspace and is inconsistent with either clarity or effectiveness in deterring cyberattacks. Harriet argues that international law has been a central principle of the post-1945 international system and one that has helped to keep a kind of peace among nations. It’s a good exchange.

In the News Roundup, David Kris and I discuss the state of Team Telecom, which is taking unwonted (but probably welcome) fire for not being tough enough on state-owned Chinese telecom firms. Predictably, Team Telecom is going with the flow and reportedly seeking to knock four such firms out of the US market.

Maury Shenk reports that Vietnam is suspected of hacking Chinese health authorities. In response to the accusations, the Vietnamese released what looks to me like a word-for-word clone of Chinese cyber espionage boilerplate denials.

Gapple’s design for a COVID-19 tracing app isn’t the best way to track infections, I claim, but it’s all that Google and Apple are willing to let governments do because of their exquisitely refined and self-evidently superior sense of privacy. Nick Weaver disagrees, arguing that the Gapple system preserves privacy and allows health authorities all the information that they really need. Governments are mostly falling in line, either because they buy Nick’s argument or because they have decided that their Silicon Valley overlords have the ability to wreck any more centralized system. France is still fighting for its vision of contact tracing. But Australia seems to be adopting a lightly tweaked version of the Gapple model to add some centralization. And Germany seems to be surrendering as well.

Several senators want Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA) to do more to deter coronavirus hackers, David reports. More importantly, he points out that sending a military organization to attack a civilian criminal gang will raise a host of legal issues that should be sorted out before rather than after the attack begins.

Failure to protect your client from Chinese government hackers might be malpractice, a DC court rules. But as Maury points out, there’s a long road from winning a motion to dismiss and winning at trial, so the lesson to be drawn from this case won’t be certain for some time.

Three years later, the Shadow Brokers leak is making news, and still providing challenges for private security researchers. Nick reports on how a three-year-old leak led to the latest revelation of an unknown advanced persistent threat (APT) group.

Nick and I touch on the confused reporting about the latest filing in the mud fight between Facebook and NSO Group over NSO’s hacks of WhatsApp customers. NSO, Facebook says, has used a lot of US servers in those attacks. That matters for the technical question of whether NSO can be sued in the United States, but the volume (several hundred instances) also suggests to Nick that NSO did more than throw exploits over the wall to its customers – it was arguably offering espionage as a service.

David dings IBM for its handling of a researcher’s disclosure of four zero-days – and that leads to a dive into what a good bug bounty program can and can’t do.

Maury notes that Amazon is getting new scrutiny for its handling of third-party sales data, including suspicions on Congress’s part that it may have been lied to. This isn’t the last we’ll hear of this story.

In quick hits, I am nonplussed by Vimeo’s willingness to outsource its definition of “hate group” to the controversial Southern Poverty Law Center.

Nick celebrates the end to Crown Sterling’s “defamation” lawsuit against BlackHat, which has finally been settled.

And Nick and I mark the surprising ouster of Marc Rotenberg, EPIC’s long-time director, after Rotenberg continued to go to work and failed to notify staffers after he was diagnosed with COVID-19.

Download the 313th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-313.mp3
Category:general -- posted at: 9:06pm EDT

In this episode, I interview Thomas Rid about his illuminating study of Russian disinformation, Active Measures: The Secret History of Disinformation and Political Warfare. It lays out a century of Soviet, East European, and Russian disinformation, beginning with an elaborate and successful operation against the White Russian expatriate resistance to Bolshevik rule in the 1920s. Rid has dug into recently declassified material using digital tools that enable him to tell previously untold tales – the Soviets’ remarkable success in turning opposition to US nuclear missiles in Europe into a mass movement (and the potential shadow it casts on the legendary Adm. Hyman Rickover, father of the US nuclear navy), the unimpressive record of US disinformation compared to the ruthless Soviet version, and the fake American lobbyist (and real German agent) who persuaded a German conservative legislator to save Willy Brandt’s leftist government. We close with two very different predictions about the kind of disinformation we’ll see in the 2020 campaign.

In the news, David Kris, Nick Weaver, and I trade perspectives on the Supreme Court’s grant of certiorari on the question when it’s a crime to access a computer “in excess of authority.” I predict that the Justice Department’s reading of the Computer Fraud and Abuse Act will lose, but it’s far from clear what will replace the Justice Department’s interpretation.

Remember when the House left town without acting on FISA renewal? That’s looking like a worse and worse decision, as Congress goes weeks without returning and Justice is left unable to use utterly uncontroversial capabilities in more and more cases. Matthew Heiman explains.

In Justice Department briefs, all the most damaging admissions are down in the footnotes, and it looks like that’s true for the inspector general’s report on the Carter Page FISA. Recently declassified footnotes from the report make the FBI’s pursuit of the FISA order look even worse, in my view. But at the end of the day, the footnotes don’t add much to suspicions of a partisan motivation in the imbroglio.

Speaking of IG reports, the DOD inspector general manages to raise the possibility of political skullduggery in the big DOD cloud computing award and then to offer a way to stick it to Amazon anyway. Meanwhile, the judge overseeing the bid protest gives the Pentagon a chance for a do-over

Matthew covers intel warnings about China-linked ‘Electric Panda’ hackers and that the Syrian government is spreading surveillance malware via coronavirus apps. And David notes that a Zoom zero-day is being offered for $500,000.Nick and I mix it up, first over the Gapple infection tracing plan and their fight with the UK National Health Service and then over Facebook’s decision to suppress posts about demonstrations that protest the lockdown by violating the lockdown.

Download the 312th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: 201782.mp3
Category:general -- posted at: 9:18pm EDT

The Cyberspace Solarium Commission’s report was released into the teeth of the COVID-19 crisis and hasn’t attracted the press it probably deserved. But the commissioners included four sitting Congressmen who plan to push for the adoption of its recommendations. And the Commission is going to be producing more material – and probably more press attention – over the coming weeks. In this episode, I interview Sen. Angus King, co-chair of the Commission, and Dr. Samantha Ravich, one of the commissioners.

We focus almost exclusively on what the Commission’s recommendations mean for the private sector. The Commission has proposed a remarkably broad range of cybersecurity measures for business. The Commission recommends a new products liability regime for assemblers of final goods (including software) who don’t promptly patch vulnerabilities. It proposes two new laws requiring notice not only of personal data breaches but also of other significant cyber incidents. It calls for a federal privacy and security law – without preemption. It updates Sarbanes-Oxley to include cybersecurity principles. And lest you think the Commission is in love with liability, it also proposed liability immunities for critical infrastructure owners operating under government supervision during a crisis. We cover all these proposals, plus the Commission’s recommendation of a new role for the Intelligence Community in providing support to critical US companies.

In the news, Nick Weaver and I dig deep into the Google and Apple proposals for tracking COVID-19 infections. I’ve got a separate post in the works on the topic, but the short version is that I think Google and Apple have dramatically overvalued privacy interests and downgraded, you know, actually tracking infections. Nick and I agree that the app should operate on an opt-out basis, not opt-in.

The Great Decoupling, part 278: It looks as though China Telecom will be getting the boot from US telecom markets, at least if Team Telecom has anything to say about it. And speaking of Team Telecom, Brian Egan tells us that it has a new charter and a new, catchy acronym: CAFPUSTTSS!

Nick and I dig into a Ninth Circuit decision that may be bound for the Supreme Court. It holds that Facebook can be held liable for wiretapping when it gets information from its widely deployed “like” buttons on third-party sites.

Fish gotta swim, birds gotta fly, and the EU has to regulate tech, coronavirus or not. Maury Shenk reports, bemusedly.

Matching him bemusement for bemusement, Nick tries to explain a French ruling that Google must pay news outlets for content (and can’t stop linking to the outlets).

Maury explains the 5G-coronavirus conspiracy that has Brits burning cellular masts.

Nick explains how to make a “smart” lock spill its secrets, and how to fall foul of the FTC.

And in quick takes, the COVID-19 cyber threat has the US and UK authorities joining hands against cyberattacks, the Australian government is hacking criminals who are exploiting coronavirus, and it turns out that IoT devices may defect to work for foreign intelligence agencies.

Download the 311th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-311.mp3
Category:general -- posted at: 11:29am EDT

Nate Jones and I dig deep into Twitter’s decision to delete Rudy Giuliani’s tweet (quoting Charlie Kirk of Turning Point) to the effect that hydroxychloroquine had been shown to be 100% effective against the coronavirus and that Gov. Whitmer (D-MI) had threatened doctors prescribing it out of anti-Trump animus. Twitter claimed that it was deleting tweets that “go directly against guidance from authoritative sources” and separately implied that the tweet was an improper attack on Gov. Whitmer. 

So where did Twitter find the “authoritative guidance” that Giuliani was supposed to be “going directly against”? Of course, Twitter isn’t explaining itself, which raises questions about the basis for its action. (I offered two of its representatives a chance to come on the podcast to offer a defense; they didn’t respond.)

In short, all the people who’ve been telling us our freedoms are at risk as a result of the health emergency might be right, but the source of the danger isn’t government. It’s Silicon Valley.

Nate thinks (probably correctly) that Kirk and Giuliani were wrong about the “100% effective” claim, and that people like them and the president are going to get people to take dangerous drugs without medical advice if they aren’t policed. It’s a spirited exchange.

In contrast, Paul Rosenzweig and I find a fair amount of common ground outside this week’s media consensus that Zoom is either evil or stupid, maybe both, for its handling of privacy and security of users. No doubt there are a staggering number of privacy and security holes in the product, and the company will get sued for several of them. But we suspect that many of the problems would have been exposed and fixed over the course of the three years it would have taken Zoom to reach the levels of use it’s instead reached in three weeks. One error, exposing LinkedIn data to unrelated users with the same Internet domain, seems to have hit Dutch users especially hard

The DOJ inspector general has found widespread gaps in the FBI’s compliance with its now-famous Woods procedures. Matthew Heiman and I try to put the damaging report in perspective. It’s hard to know at this point how serious the gaps are, though the numbers suggest that some will be serious. Meanwhile, the FISA court has ordered a rush evaluation from Justice of more or less exactly the same questions the IG is asking. We manage to agree that the court’s June 15 deadline is not realistic given everything else the same group of lawyers will be doing between now and November. 

Matthew tells us that the Saudis are suspected of a phone spying campaign in the United States. I point out that foreign location collection is pretty much built into the SS7 phone system, so the worst that can be said about the event is that the Saudis were caught doing “too much” spying in the US.

Paul comes down agreeing with a new court ruling that violating a site’s terms of service isn’t criminal hacking. And now that that’s settled, I have a research proposal for the Hewlett Foundation.

Washington State has adopted a facial recognition law that Microsoft likes, Nate tells us. No surprise, I suggest, since the law will only regulate governments, not the private sector. I’m not a fan; it looks like a law that virtually guarantees that any facial recognition system will be forced to “correct” empirical results in favor of quotas for “protected subpopulations.” This leads, in light of Zoom’s problems, to the question of whether that includes the Dutch.

Who is hacking the WHO? Who isn’t? Matthew notes that Iran has joined what must be a crowd of eavesdroppers in WHO networks.

Nostalgic for the days before the coronavirus? How about this blast from the past: Marriott has revealed a data breach exposing (some) personal data for up to 5.2 million customers.

I close the episode with the good news that some coders seem to be taking up the challenge I offered in the last episode and on Lawfare to construct an infection tracing system using mobile phones that will work in the US.

Download the 310th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-310.mp3
Category:general -- posted at: 10:32am EDT

In this bonus episode, we present a lightly edited interview about Israel’s technology- and surveillance-heavy approach to the COVID-19 pandemic. In it, Matthew Waxman, Liviu Librescu Professor of Law at Columbia University, and I talk to Yuval Shany, a noted Israeli human rights expert and professor at Hebrew University. We cover the particularly fraught political crisis that the virus exacerbated, the Israeli government’s use of counterterrorism tools to trace contacts of infected individuals, and the significance of locational privacy in the face of a deadly contagion. Our thanks to both Nachum Braverman of Academic Exchange and Benjamin Wittes of Lawfare for making the interview possible.

Download the 309th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-309.mp3
Category:general -- posted at: 10:00am EDT

David Kris, Paul Rosenzweig and I dive deep on the big tech issue of the COVID-19 contagion: Whether (but mostly how) to use mobile phone location services to fight the virus. We cover the Israeli approach, as well as a host of solutions adopted in Singapore, Taiwan, South Korea and elsewhere. I’m a big fan of Singapore, which produced in a week an app that Nick Weaver thought would take a year.

In our interview, evelyn douek, currently at the Berkman Klein Center and an SJD candidate at Harvard, takes us deep into content moderation. Displaying a talent for complexifying an issue we all want to simplify, she explains why we can’t get live with social platform censorship and why we can’t live without it. She walks us through the growth of content moderation, from spam, through child pornography and on to terrorism and “coordinated inauthentic behavior”—the identification of which, evelyn assures me, does not require an existentialist dance instructor. Instead, it’s the latest and least easily defined category of speech to be suppressed by Big Tech.

Returning to the News Roundup, Nate Jones and evelyn mull the head-spinning change the virus has made in the public reputation of Big Tech, but Nate wonders if Silicon Valley's PR glow will last.

Meanwhile, China is celebrating its self-proclaimed victory over COVID-19 by borrowing Russian tactics to spread coronavirus disinformation. I argue that any country adopting Russia’s patented “Who knows what’s true?” tactics probably has something to hide.

We take advantage of evelyn’s Aussie ties to get a translation (and an apology) for Australia’s latest venture into the business of blocking graphic violent content.

David and Paul review the White House’s National Strategy for 5G Security. They talk for two minutes, but they say more than the strategy.

The House of Representative has irresponsibly bolted for home without even a temporary reauthorization of expiring FISA authorities. Paul and David explain why that isn’t quite the disaster it sounds like. Quite.

David says the Justice Department has brought the first fraud case stemming from the coronavirus crisis, and I suggest that case itself has a whiff of false advertising about it.

Amazon is complaining that the Pentagon is trying to fix some of the contract award problems in the big Defense Department cloud procurement. Paul is more sympathetic than I am.

And Paul questions the wisdom of failing to delay CCPA enforcement while the coronavirus rages across California.

Download the 308th Episode (mp3).

 

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-308.mp3
Category:general -- posted at: 5:42pm EDT

That’s the question I debate with David Kris and Nick Weaver as we explore the ways in which governments are using location data to fight the spread of COVID-19. Phone location data is being used to enforce quarantines and to track contacts with infected people. It’s useful for both, but Nick thinks the second application may not really be ready for a year – too late for this outbreak.

 

Our interview subject is Jason Healey, who has a long history with Cyber Command and a deep recent oeuvre of academic commentary on cyber conflict. Jay explains Cyber Command’s doctrine of “persistent engagement” and “defending forward” in words that I finally understand. It makes sense in terms of Cyber Command’s aspirations as well as the limitations it labored under in the Obama Administration, but I end up wondering whether it’s going to be different from “deterrence through having the best offense.” Nothing wrong with that, in my view – as long as you have the best offense by a long shot, something that is by no means proven.

 

We return to the news to discover the whole idea of national security sunsets looking dumber than it did when it first saw the light of day (which is saying something). Several important FISA authorities have fallen to the floor, Matthew Heiman reports. Thanks to Sens. Rand Paul and Mike Lee, I might add (Nick blames President Trump, who certainly stepped in at a bad time). Both the House and the Senate passed measures to keep FISA authorities alive, but the measures were completely different and out of sync. Maybe the House will fix that this week, but only for a couple months. Because of course we’ll be rested and ready in the middle of a contagion and a presidential campaign for a debate over Sen. Paul’s proposal to make it harder to wiretap and prosecute Americans who spy for foreign governments. 

Maybe some aiming should have come before naming and shaming? The US has dropped the Mueller team’s charges against a sponsor of Russian electoral interference, Matthew tells us.

There’s another major leak about government skullduggery in cyberspace, David tells us, and WikiLeaks is, uh, nowhere to be seen. That’s because the skulldugging government in question is Vladimir Putin’s, and WikiLeaks is looking more and more like it is in cahoots with Putin. So it falls to a group called Digital Revolution to publish internal FSB documents showing Russia’s determination to acquire a huge DDOS network, maybe enough to take whole nations offline. 

 

Alan Cohn makes a guest appearance to discuss the role that DHS’s CISA is playing in the COVID-19 crisis. And it has nothing to do with cybersecurity. Instead, CISA is ensuring the security of critical infrastructure around the country by identifying facilities that need to keep operating, notwithstanding state lockdown orders. We talk about the federalism crisis that could come from the proliferation of critical infrastructure designations, but neither of us expects it soon. 

 

Here’s a surprise: Russia is deploying coronavirus disinformation, claiming that it is a US bioweapon. Uncharacteristically, I find myself praising the European Union for flagging the campaign.

Nick talks about the ambiguity of the cyberattack on Norsk Hydro, and I raise the risk that companies may stop releasing attribution information pointing to nation states because doing so may undercut their insurance claims. 

Finally, we wrap up the story of ex-Uber autonomous driving executive Anthony Levandowski, who has pled guilty to trade-secret theft and is likely headed to prison for a year or three. 

Direct download: TheCyberlawPodcast-307.mp3
Category:general -- posted at: 5:36pm EDT

If your podcast feed has suddenly become a steady diet of more or less the same COVID-19 stories, here’s a chance to listen to cyber experts talk about what they know about – cyberlaw. Our interview is with Elsa Kania, adjunct senior fellow at the Center for a New American Security and one of the most prolific researchers of China, technology, and national security. We talk about the relative strengths and weaknesses of the artificial intelligence ecosystems in the two countries.

In the news, Maury Shenk and Mark MacCarthy describe the growing field of censorship-as-a-service and the competition between US and Chinese vendors. 

Elsa and I unpack the report of the Cyberspace Solarium Commission. Bottom line: The report is ambitious but constrained by political reality. And the most striking political reality is that there hasn’t been a better time in 25 years to propose cybersecurity regulation and liability for the tech sector. Seizing the Zeitgeist, the report offers at least a dozen such proposals.

Nick Weaver explains the joys of trojanizing the trojanizers, and we debate whether that is fourth-party or fifth-party intelligence collection.

In a shameful dereliction, Congress has let important FISA authorities lapse, but perhaps only for a day or two (depending on the president’s temperature when the reauthorization bill reaches his desk). The bill isn’t good for our security, but it mostly consists of new ornaments hung on the existing FISA Christmas tree. 

Mark covers a Swedish ruling that deserves to be forgotten a lot more than the crimes and embarrassments protected by the “right to be forgotten.” This one fines Google for failing to cover up Sweden’s censorship with sufficient zeal.

Nick explains how Microsoft finds itself taking down an international botnet instead of leaving the job to the world’s governments.

Maury reports that a federal trial is exposing the seamy ties between the FSB and criminal Russian hackers. Now we know why Russia fought extradition of the singing hacker to the U.S.

Elsa helps me through recent claims that US chipmakers face long-term damage from the U.S.-China trade fight. That much is obvious to all; less obvious is what the U.S. can do to avoid it.

Nick and I talk about Facebook’s suit against NSO Group. I claim that NSO won this round in court but lost in the media, which has finally found a company it hates more than Facebook. Nick thinks Facebook is quite happy to swap a default judgment for a chance at discovery.

In other quick hits, the Department of Defense is wisely seeking a quick do-over in the cloud computing litigation involving Amazon Web Services and Microsoft. House and Senate committees have now okayed a bill to give the Cybersecurity and Infrastructure Security Agency much-needed and uncontroversial subpoena authority to identify at-risk Internet users. Rebooting my "Privacy Kills" series, I break the injunction against COVID-19 news to point out that dumb privacy laws likely delayed for weeks discovery of how widespread COVID-19 was in Seattle. And Joshua Schulte’s trial ends in a hung jury; I want to know where the post-trial jury interview stories are.

Download the 306th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-306.mp3
Category:general -- posted at: 6:08pm EDT

The NSA’s use of call detail records to spot cross-border terror plots has a long history. It began life in deepest secrecy, became public (and controversial) after Edward Snowden’s leaks and was then reformed in the USA Freedom Act. Now it’s up for renewal, and the Privacy and Civil Liberties Oversight Board, or PCLOB, has weighed in with a deep report on how the program has functioned – and why NSA has suspended it. In this episode, I interview Travis LeBlanc, a PCLOB Member, about the report and the program. Travis is a highly effective advocate, bringing me around on several issues, including whether the program should be continued and even whether the authority to revive it would be useful. It’s a superb guide to a program whose renewal is currently being debated (against a March 15 deadline!) in Congress.

Direct download: TheCyberlawPodcast-305.mp3
Category:general -- posted at: 12:31pm EDT

Our interview in this episode is with Glenn Gerstell, freed at last from some of the constraints that come with government service. We cover the Snowden leaks, how private and public legal work differs (hint: it’s the turf battles), Cyber Command, Russian election interference, reauthorization of FISA, and the daunting challenges the US (and its Intelligence Community) will face as China’s economy begins to reinforce its global security ambitions. 

In the news, Nate Jones and Nick Weaver talk through the new legal and technical ground broken by the United States in identifying two Chinese nationals and the $100 million in cryptocurrency they laundered for North Korean hackers.

Paul Rosenzweig lays out the challenge posed for the Supreme Court’s Carpenter decision by LocateX, which provides detailed location data commercially. This is exactly the quagmire I expected the Court to find itself in when it abandoned the third-party doctrine on a one-off basis. Nick points out that the data is only pseudonymized and tries with mixed success to teach me to say “de-pseudonymized.” 

Nate and I conclude that facial recognition has achieved a new level of infamy. Kashmir Hill at the New York Times adds a new drop of poison in a story that could just as well have repeated “I hate Clearview AI” 50 times for all it told us about the company. And Anna Merlan of Vice published a story about Clearview’s practices.

Direct download: TheCyberlawPodcast-304.mp3
Category:general -- posted at: 7:27pm EDT

This is a bonus episode of the Cyberlaw Podcast – a freestanding interview of Noah Phillips, a Commissioner of the Federal Trade Commission. The topic of the interview is whether privacy and antitrust analysis should be merged, especially in the context of Silicon Valley and its social media platforms. Commissioner Phillips, who has devoted considerable attention to the privacy side of the FTC’s jurisdiction, recently delivered a speech on the topic and telegraphed his doubts in the title: “Should We Block This Merger? Some Thoughts on Converging Antitrust and Privacy.” Subject to the usual Cyberlaw Podcast injunction that he speaks only for himself and not his institution or relatives, Commissioner Phillips lays out the very real connections between personal data and industry dominance as well as the complexities that come from trying to use antitrust to solve privacy problems. Among the complexities: the key to more competition among social media giants could well be more sharing between companies of the personal data that fuels their network effects, and corporate sharing of personal data is what privacy advocates have spent a decade crusading against. It’s a wide-ranging interview, touching on, among other things, whether antitrust can be used to solve Silicon Valley’s censorship problem (he’s skeptical) and what he thinks of suggestions in Europe that perhaps the Schrems problem can be solved by declaring that post-CCPA California meets EU data privacy standards. Commissioner Phillips is bemused; I conclude that this is just Europe seeking revenge for President Trump’s Brexit support by promoting “Calexit.”

Download the 303rd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-303.mp3
Category:general -- posted at: 9:58am EDT

This episode features a lively (and—fair warning—long) interview with Daphne Keller, Director of the Program on Platform Regulation at Stanford University’s Cyber Policy Center. We explore themes from her recent paper on regulation of online speech. It turns out that more or less everyone has an ability to restrict users’ speech online, and pretty much no one has both authority and an interest in fostering free-speech values. Conservatives may be discriminated against, but so are Black Lives Matter activists. I serve up one solution to biased moderation after another, and Daphne methodically shoots them down. Transparency? None of the companies is willing, and the government may have a constitutional problem forcing them to disclose how they make their moderation decisions. Competition law? A long haul, and besides, most users like a moderated Internet experience. Regulation? Only if we take the First Amendment back to the heyday of broadcast regulation. As a particularly egregious example of foreign governments and platforms ganging up to censor Americans, we touch on the Europe Court of Justice’s insufferable decision encouraging the export of European defamation law to the U.S.—with an extra margin of censorship to keep the platform from any risk of liability. I offer to risk my Facebook account to see if that’s already happening.

In the news, the FISA follies take center stage, as the March 15 deadline for reauthorizing important counterterrorism authorities draws near. No one has a good solution. Matthew Heiman explains that another kick-the-can scenario remains a live option. And Nick Weaver summarizes the problems that the PCLOB found with the FISA call detail record program. My take: The program failed because it was imposed on NSA by libertarian ideologues who had no idea how it would work in practice and who now want to blame NSA for their own shortsightedness.

Another week, another couple of artificial intelligence ethics codes: The two most recent ones come from DOD and … the Pope? Mark MacCarthy sees a lot to like. I offer my quick and dirty CTRL-F “bias” test for whether the codes are serious or flaky, and both fail.

In China news, Matthew covers China’s ever-spreading censorship regime—now reaching Twitter users whose accounts are blocked by the Great Firewall. We also ask whether and how much the U.S. “name and shame” campaign has actually reduced Chinese cyberespionage. And whether China is stealing tech from universities for the same reason Willie Sutton robbed banks—that’s where the IP is.

Nick recounts with undisguised glee the latest tribulations suffered by Clearview and its facial recognition system: Its app has been banned from Android and Apple, and both its customers and its data collection methods have been doxed.

Mark notes the success of threats to boycott Pakistan on the part of Facebook, Google and Twitter. I wonder if that will simply incentivize Pakistan to drive its social media ecosystem toward the Chinese giants. Nick gives drug dealers a lesson in how not to store the codes for €53.6 million in Bitcoin; or is he offering a lesson in what to say to the police if you want that €53.6 million waiting for you when you get out of prison?

Finally, in a few quick hits, we cover new developments in past stories: It turns out, to the surprise of no one, that removing a GPS tracking device from your car isn’t theft. West Virginia has apparently recovered from a fit of insanity and now does not plan to allow voting by insecure app. And the FCC is taking it slow in its investigation of mobile carriers for selling customer location data; now we know who’ll be charged (pretty much everyone) and how much it will cost them ($200 million), but we still don’t know the theory or whether the whole inquiry is going to kill off legitimate uses of location data.

 

Download the 302nd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-302.mp3
Category:general -- posted at: 5:02pm EDT

We interview Ben Buchanan about his new book, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. This is Ben’s second book and second interview on the podcast about international conflict and cyber weapons. It’s safe to say that America’s strategic posture hasn’t improved since his first appearance. We face more adversaries with more tools and a considerably greater appetite for cyber adventurism. Ben recaps some of the stories that were undercovered in the US press when they occurred. The second large attack on Ukraine’s grid, for example, was little noticed during the US election of 2016, but it appears more ominous after a recent analysis of the tools used, and perhaps most importantly, those available to the GRU but not used. 

In the news, Nick Weaver, Gus Hurwitz, and I take a quick pass at the Internet content regulation problem and Section 230 of the Communications Decency Act. I’ve written that Section 230 needs to be reconsidered, and I predict that the Justice Department, which held a workshop on Section 230 last week, will propose reforms. Gus and I offer two different takes on Facebook’s recent white paper about content moderation. Gus is more a fan of Twitter’s approach. And Nick reminds us that there are some communities on the Internet whose content causes real harm, including to innocent children.

The debate in the US is taking a distinctly European turn, I suggest, which makes Europe’s determination to regulate its way to digital innovation a little less implausible than usual. Maury Shenk outlines the very tentative (and almost certainly out of date before it’s launched) plan for building a European data lake to foster a European AI and digital economy.

Speaking of AI regulation, Elon Musk hasn’t given up on his concerns about the technology’s risks. But the real action in media circles is attacking fairly simple machine learning tools as used by law enforcement and the justice system. I think the attack is wrongheaded and will either result in abandoning tools that can discipline true outliers. Nick thinks the institutionalization of bias is bad enough that giving up such tools may be the better course.

In quick hits, Nick explains how Google’s effort to stamp out ad click fraud can generate a secondary form of criminal extortion. Maury explains the latest flap over Australia’s encryption law; the tl;dr is that nothing is likely to change soon. Gus makes a down payment on an emerging issue: Whether ISPs can defeat Internet privacy laws that affect them by pleading their First Amendment rights. Nick calls BS on the simplest forms of “anonymization” for credit card data now being sold. I highlight a ransomware attack on a US natural gas operator that actually affected operations and is thus a forerunner of future attacks. Nick reminds us that Julian Assange is in court to stop a US extradition bid. And Europe’s data protection advisor is questioning Google’s acquisition of Fitbit.

Download the 301st Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-301.mp3
Category:general -- posted at: 6:28pm EDT

In breaking news from 1995, the Washington Post takes advantage of a leaked CIA history paper to retell the remarkable tale of Crypto AG, a purveyor of encryption products to dozens of governments – and allegedly a wholly controlled subsidiary of US and German intelligence. Nick Weaver, Paul Rosenzweig, and I are astonished at the derring-do and unapologetic enthusiasm for intelligence collection. I mean, really: The Pope?

This week’s interview is with Jonathan Reiber, a writer and strategist in Oakland, California, and former Chief Strategy Officer for Cyber Policy and Speechwriter at the Department of Defense, currently senior advisor at Technology for Global Security and visiting scholar at the UC Berkeley Center for Long-Term Cybersecurity. His recent report offers a candid view of strained relations between Silicon Valley and the Pentagon. The interview explores the reasons for that strain, the importance of bridging the gap and how that can best be done.

Nick reports that four PLA members have been indicted over the Equifax breach. He speculates that the US government is sending a message by disclosing a photo of one soldier that appears to have been taken by his own webcam. Paul and I note that China’s motivation for the hack was very likely the assembly of records on Americans not dissimilar to the records we know the Chinese keep on Uighurs – which are extraordinarily detailed and surprisingly artisanal

The arrest of a Bitcoin mixer allows Nick to explain how Bitcoin mixing services work and why they’re illegal.

Paul lays out the potentially serious impact of Amazon’s lawsuit to stop a $10 billion Microsoft-DOD cloud contract. We note that Amazon wants to take testimony from President Trump. Thanks to his Twitter habit, we conclude, that’s not out of the question.

I preview my remarks at a February 19 Justice Department workshops on Section 230. I will reprise my article in Lawfare and the encryption debate with Nick Weaver that inspired it. And I hope to dig as well into the question whether Section 230 provides too much protection for Silicon Valley’s censors. Speaking of which, Jeff Bezos’s company has joined the censors but won’t tell us which books it’s suppressing.

Nick and I give a favorable review to CISA’s new #Protect2020 election strategy. We search for deeper meaning in the Internet Assigned Numbers Authority’s (IANA’s) failure to complete its Domain Name System Security Extensions (DNSSEC) root key signing ceremony because of… a physical safe. And we all take a moment to mock the latest vote-by-phone snake-oil app seller, Voatz.

Download the 300th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-300.mp3
Category:general -- posted at: 11:48am EDT

The next trade war will be over transatlantic data flows, and it will make the fight with China look like a picnic. That’s the subject of this episode’s interview. The European Court of Justice is poised to go nuclear – to cut off US companies’ access to European customer data unless the US lets European courts and data protection agencies refashion its intelligence capabilities according to standards no European government has ever been required to meet. Maury Shenk and I interview Peter Swire on the Schrems cases that look nearly certain to provoke a transatlantic trade and intelligence crisis. Actually, Maury interviews Peter, and I throw bombs into the conversation. But if ever there were a cyberlaw topic that deserves more bomb-throwing, this is it.

In the News Roundup, David Kris tells us that the trial of alleged Vault7 leaker Joshua Schulte is under way. And the star of the first day is our very own podcast regular, Paul Rosenzweig

If you’re wondering whether more cybersecurity regulation is what the country needs, you should be paying attention to the Pentagon, which has embraced cybersecurity regulation for its contractors. Matthew Heiman reports that DOD isn’t finding the path easy. DOD has released its final cybersecurity plan for contractors, but the audit process needed to enforce it remains a mystery.

That’s SNAKE spelled backwards: David tells us about a new strain of ransomware; ominously, it is targeting industrial control systems. I manage to find a very modest silver lining.

Nate Jones sums up the cybersecurity lessons from the voting debacle in Iowa

Nate also reports on the FCC’s latest half-step toward suing one or more telcos for selling phone-location data.

Matthew covers the Maze ransomware that has ravaged law firms in recent weeks. He argues that it’s only a matter of time before such attacks become dog-bites-man stories.

Matthew also notes that Google and Facebook have apparently dropped plans to terminate their transpacific cable in Hong Kong. US national security concerns seem to have driven the decision. Looks like the Great Decoupling could be spurring a very real physical decoupling.

Nate makes the best of the 2020 version of a Worthwhile Canadian Initiative: The Senate Intel Committee’s third volume of its Russian electoral interference report. It’s sober and responsible and bipartisan – and disappeared from the news cycle overnight.

And to bring you up to speed on past stories: 

  • A Brazilian judge has declined to accept charges against Glenn Greenwald, “for now.” 
  • The poster child for the facial recognition moral panic can’t catch a break: Clearview AI has been hit with cease-and-desist from Google and Facebook.
  • Tag-teaming with Bill Barr, child-welfare activists are attacking Facebook over its encryption plans and what that means for exploited kids. 
  • One of the first CCPA lawsuits has been filed, against Salesforce.
  • And This Week in Silicon Valley content moderation:
    • Letterboxd banned a black libertarian film critic’s reviews.
    • James O’Keefe’s Twitter account was suspended after he named a Bernie Sanders staffer who spoke fondly of gulags and electoral violence.
    • And Twitter banned the widely popular Zero Hedge account after it named a Chinese researcher who it thought might have a role in coronavirus.

Download the 299th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-299.mp3
Category:general -- posted at: 11:36am EDT

Nick Weaver and I debate Sens. Graham and Blumenthal’s EARN IT Act, a proposal to require that social media firms follow best practices on preventing child abuse. If they don’t, they won’t get full Section 230 immunity from liability for recklessly allowing the abuse. Nick thinks the idea is ill-conceived and doomed to fail. I think there’s a core of sense to the proposal, which simply asks that Silicon Valley firms who are reckless about child abuse on their networks pay for the social costs they’re imposing. Since the bill gives the attorney general authority to modify the best practices submitted by a commission of industry, academic, and civic representatives, critics are sure that the final product will reduce corporate incentives to offer end-to-end encryption. 

But before we get to that debate, Gus Hurwitz and I unpack the law and tactics behind Facebook’s decision to pay $550 million to settle a facial recognition class action. And Klon Kitchen and Nick ponder the shocking corruption and coverup alleged in the case of a Harvard chemistry chairman being prosecuted for hiding the large sums he was getting from the Chinese government to boost its research into nanomaterials. 

Klon gives us a feel for just how hard it can be to enforce Iranian sanctions, and the creativity that went into one app developer’s evasion scheme. 

Gus and Nick offer real hope that robocalling will start to get harder, and soon: DOJ has requested restraining orders to stop telephone companies from facilitating fraudulent robocalls; the FTC has put 19 VoIP providers on notice for facilitating robocalls; and SHAKEN/STIR is slowly making it harder to spoof a phone number.

Gus asks a question that had never occurred to me, and certainly not to millions of homeowners who may have committed inadvertent felonies by installing Ring doorbell cameras. It turns out that Ring recordings may be illegal intercepts in states with all-party consent laws. At least that’s what one enterprising New Hampshire defense lawyer is arguing.

First they cock a snook at Brussels, and now this: The UK government is on a roll. It’s proposing an IoT security law that Nick endorses with enthusiasm.

Maryland, not so much: Klon critiques a proposed state law that would make ransomware illegal – and maybe ransomware research, too.

In dog-bites-man news, the United Nations has suffered a breach – probably by a semi-competent government. Which doesn’t narrow things down much, since as Nick observes, everyone but the Germans has probably pwned the UN. And the Germans are just being polite.

A lot of old stories have come back for one more turn on stage: The Russian hacker that the Russian government was afraid would sing if extradited to the US has pleaded guilty here and is probably singing already. Avast has killed Jumpshot, its much-criticized data collection operation. The Bezosphone Saga continues, as Sen. Chris Murphy calls on the DNI and FBI to investigate the hacking allegations, and Bezos’s girlfriend’s brother is suing for defamation. Charges against the Iowa courthouse penetration testers have finally been dropped. LabMD’s Mike Daugherty should probably hang up his cleats. He won a great victory over the FTC, but his racketeering suit against Tiversa and lawyers is officially time-barred. Finally, it turns out that the FBI has been investigating NSO Group since 2017, though without bringing charges, so far. 

Download the 298th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-298.mp3
Category:general -- posted at: 11:59am EDT

This episode features an interview on the Bezos phone flap with David Kaye and Alex Stamos. David is a UN Special Rapporteur and clinical professor of law at UC Irvine who first drew attention to an FTI Consulting report concluding that the Saudis did hack Bezos’ phone. Alex is director of the Stanford Internet Observatory and was the CSO at Facebook; he thinks the technical case against the Saudis needs work, and he calls for a supplemental forensic review of the phone. 

In the news, Nate Jones unpacks the US-China “phase one” trade deal and what it means for the tech divide.

Nick Weaver and I agree that the King County (Seattle) Conservation District’s notion of saving postage by having everyone vote by phone is nuts. Nick in particular reacts as you’d expect him to. 

Nate talks about the profound hit the credibility of the FISA process has taken as a result of the Justice Department admitting that two of four Carter Page warrants were invalid. Among other things, it opens FISA to a kitchen sink full of proposals for handcuffing national security wiretaps. Like this one from Sen. Ron Wyden and Sen. Steve Daines.

Brazil has charged Glenn Greenwald with “cybercrimes” on evidence that would be thin at best in the US, Nate argues. Nick agrees and is only sad that the Bolsonaro government has put him in the position of defending Greenwald.

Google is redesigning its search results again, blurring even further the line between ads and organic results. Living up to its new motto (“Don’t be caught being evil”), Google announces that it’s just testing its design, and everyone should chill. Nick and I are skeptical that A/B testing will tell Google anything other than which redesign fools consumers most effectively and thus makes more protection money for Google.

And speaking of protection money, this episode was not brought to you by Avast, the company that probably would have paid the most not to be mentioned on the Cyberlaw Podcast this week. Because they’ve been caught getting largely uninformed consent to the monitoring of their customers’ Web activities. 

Download the 297th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-297.mp3
Category:general -- posted at: 3:01pm EDT

This week’s episode includes an interview with Bruce Schneier about his recent op-ed on privacy. Bruce and I are both dubious about the current media trope that facial recognition technology was spawned by the Antichrist. He notes that what we are really worried about is a lot bigger than facial recognition and offers ways in which the law could address our deeper worry. I’m less optimistic about our ability to write or enforce laws designed to restrict use of information that gets cheaper to collect, to correlate, and to store every year. It’s a good, civilized exchange.

The News Roundup is a little truncated due to a technical failure. (It was a glitch in Zencastr for those of you keeping score, and I definitely am). As a result, we lost Nick Weaver’s audio for about half the program, including a hammer and tongs debate over Apple’s fight with the FBI. (But never fear, opportunities for that fight come by about as often as the Red Line comes to Dupont Circle.)

That said, it’s still a feisty episode. It begins with Michael Vatis teeing off on the California Consumer Privacy Act, the worst-drafted law he’s worked with in over 30 years of practice—and not much better on policy grounds.

We then return to Illinois’s recent law regulating AI hiring interviews systems like HireVue, and sparks fly again as Mark MacCarthy and I mix it up over allegations of AI “bias.” (I’m a skeptic, to put it mildly.)

Matthew Heiman covers the surprisingly thin claim that the GRU has phished its way into Burisma Holdings. And Nick comments on (yet another!) Italian surveillance tech firm getting into trouble by misusing its capabilities.

Not-so-Big Tech has begun asking Congress for antitrust help against Big Tech. Mark is skeptical; I’m a little less so.

Matthew and I compliment frequent contributor David Kris on his speed in delivering an amicus report on the FBI’s Horowitz reforms between one episode and the next – and before his Congressional critics can finish a letter questioning his appointment. One lingering, and possibly salutary, effect of the kerfuffle is that questions are being directed at the FISA Court itself, asking why it didn’t do a better job of policing the Carter Page excesses.

Mark reports on an unusual effort by Europe’s chief privacy officer to exempt academic researchers from strict compliance with data protections laws.

In quick hits, Matthew notes that Erdogan has bowed to the Turkish Supreme Court and has reinstated access to Wikipedia. He also reports on the Department of the Interior permanently grounding its drone fleet over spying concerns. Nick chuckles over China’s APT 40 getting doxed, and we both give credit to NSA’s Anne Neuberger for disclosing and enabling the patch by Microsoft of a major vulnerability in the Crypt32 library. And I note the likelihood that Clearview will be sued for violating terms of service to obtain the facial recognition data it uses to provide identification services to law enforcement.

 

Download the 296th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-296.mp3
Category:general -- posted at: 3:48pm EDT

There’s a fine line between legislation addressing deepfakes and legislation that is itself a deep fake. Nate Jones reports on the only federal legislation addressing the problem so far. I claim that it is well short of a serious regulatory effort—and pretty close to a fake law.

In contrast, India seems serious about imposing liability on companies whose unbreakable end-to-end crypto causes harm, at least to judge from the howls of the usual defenders of such crypto. David Kris explains how the law will work. I ask why Silicon Valley gets to impose the externalities of encryption-facilitated crime on society without consequence when we’d never allow tech companies to say that society should pick up the tab for their pollution because their products are so cool. In related news, the FBI may be turning the Pensacola military terrorism attack into a slow-motion replay of the San Bernardino fight with Apple, this time with more top cover.

Poor Nate seems to draw all the fake legislation in this episode. He explains a 2020 appropriations rider requiring the State Department to report on how it issues export licenses for cyber espionage capabilities; this is a follow-up to investigative reporting on the way such capabilities in the UAE ended up being used against human rights activists. As we agree, it’s an interesting and likely unsolvable policy problem, so the legislation opts for the most meaningless of remedies, requiring the Directorate of Defense Trade Control to report “on cybertools and capabilities licensing, including licensing screening and approval procedures as well as compliance and enforcement mechanisms” within 90 days.

Nate also gets to cover some decidedly un-fake requirements in the 2019 NDAA, limiting how defense contractors can use Chinese technology. The other shoe is about to drop, and if the first one was a baby shoe, the second is a Clydesdale’s horseshoe.

It’s hard to call it fake, but the latest export control rule restricting sales of AI could hardly be narrower. Maury Shenk and I speculate that this is because a long-term turf war has broken out again in export control policy circles. Maury’s money is on the business side of that fight, and the narrowness of the AI rule gives weight to his views.

And here’s some Christmas cheer for DOJ and national security officials: A federal district court presented Edward Snowden with a lump of coal—the only royalties it thought he deserved from a book that violated his nondisclosure agreement. Nate thinks it’s time for me to buy one, but I’m waiting for appellate confirmation.

Less festive news comes from the European Court of Justice’s advocate general opinion in Schrems II, a case that could greatly complicate EU-US data transfers by purporting to put Europeans in charge of how the US defends itself from terrorism. Maury explains; I complain.

David unpacks with clarity a complex Second Circuit decision on the constitutionality of FISA 702 collection. On the whole, Judge Lynch did a creditable job with a messy and unprecedented set of claims, though I question the wisdom of erecting a baroque mansion of judge-made procedures on a slippery foundation like the Fourth Amendment’s requirement that searches be “reasonable.”

And in short hits, Maury tells us that Italy has imposed a French-style revenue tax on Internet companies, and Russia claims that it has successfully tested the ability to disconnect from the Internet. Now if we could only get them to stay that way. Illinois has a new, mostly fake law imposing modest regulations on the use of AI in video job interviews. The TRACED Act rises above fakeness in attacking robocalls but just barely. And the FAA released an NPRM calling for a pretty serious requirement for remote ID of drones.

And to put everyone back in the Christmas spirit, LabMD won nearly a million dollars in fees from the Federal Trade Commission for the FTC’s bullheaded pursuit of the company despite the many flaws in its case. The master’s opinion makes clear just how badly the FTC erred in hounding LabMD.

 

Download the 295th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-295.mp3
Category:general -- posted at: 2:19pm EDT

1