The Cyberlaw Podcast

In today’s interview, I spar with Harriet Moynihan over the application of international law to cyberattacks, a topic on which she has written with clarity and in detail. We disagree politely but profoundly. I make the case that international law is distinct from what works in cyberspace and is inconsistent with either clarity or effectiveness in deterring cyberattacks. Harriet argues that international law has been a central principle of the post-1945 international system and one that has helped to keep a kind of peace among nations. It’s a good exchange.

In the News Roundup, David Kris and I discuss the state of Team Telecom, which is taking unwonted (but probably welcome) fire for not being tough enough on state-owned Chinese telecom firms. Predictably, Team Telecom is going with the flow and reportedly seeking to knock four such firms out of the US market.

Maury Shenk reports that Vietnam is suspected of hacking Chinese health authorities. In response to the accusations, the Vietnamese released what looks to me like a word-for-word clone of Chinese cyber espionage boilerplate denials.

Gapple’s design for a COVID-19 tracing app isn’t the best way to track infections, I claim, but it’s all that Google and Apple are willing to let governments do because of their exquisitely refined and self-evidently superior sense of privacy. Nick Weaver disagrees, arguing that the Gapple system preserves privacy and allows health authorities all the information that they really need. Governments are mostly falling in line, either because they buy Nick’s argument or because they have decided that their Silicon Valley overlords have the ability to wreck any more centralized system. France is still fighting for its vision of contact tracing. But Australia seems to be adopting a lightly tweaked version of the Gapple model to add some centralization. And Germany seems to be surrendering as well.

Several senators want Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA) to do more to deter coronavirus hackers, David reports. More importantly, he points out that sending a military organization to attack a civilian criminal gang will raise a host of legal issues that should be sorted out before rather than after the attack begins.

Failure to protect your client from Chinese government hackers might be malpractice, a DC court rules. But as Maury points out, there’s a long road from winning a motion to dismiss and winning at trial, so the lesson to be drawn from this case won’t be certain for some time.

Three years later, the Shadow Brokers leak is making news, and still providing challenges for private security researchers. Nick reports on how a three-year-old leak led to the latest revelation of an unknown advanced persistent threat (APT) group.

Nick and I touch on the confused reporting about the latest filing in the mud fight between Facebook and NSO Group over NSO’s hacks of WhatsApp customers. NSO, Facebook says, has used a lot of US servers in those attacks. That matters for the technical question of whether NSO can be sued in the United States, but the volume (several hundred instances) also suggests to Nick that NSO did more than throw exploits over the wall to its customers – it was arguably offering espionage as a service.

David dings IBM for its handling of a researcher’s disclosure of four zero-days – and that leads to a dive into what a good bug bounty program can and can’t do.

Maury notes that Amazon is getting new scrutiny for its handling of third-party sales data, including suspicions on Congress’s part that it may have been lied to. This isn’t the last we’ll hear of this story.

In quick hits, I am nonplussed by Vimeo’s willingness to outsource its definition of “hate group” to the controversial Southern Poverty Law Center.

Nick celebrates the end to Crown Sterling’s “defamation” lawsuit against BlackHat, which has finally been settled.

And Nick and I mark the surprising ouster of Marc Rotenberg, EPIC’s long-time director, after Rotenberg continued to go to work and failed to notify staffers after he was diagnosed with COVID-19.

Download the 313th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-313.mp3
Category:general -- posted at: 9:06pm EST

In this episode, I interview Thomas Rid about his illuminating study of Russian disinformation, Active Measures: The Secret History of Disinformation and Political Warfare. It lays out a century of Soviet, East European, and Russian disinformation, beginning with an elaborate and successful operation against the White Russian expatriate resistance to Bolshevik rule in the 1920s. Rid has dug into recently declassified material using digital tools that enable him to tell previously untold tales – the Soviets’ remarkable success in turning opposition to US nuclear missiles in Europe into a mass movement (and the potential shadow it casts on the legendary Adm. Hyman Rickover, father of the US nuclear navy), the unimpressive record of US disinformation compared to the ruthless Soviet version, and the fake American lobbyist (and real German agent) who persuaded a German conservative legislator to save Willy Brandt’s leftist government. We close with two very different predictions about the kind of disinformation we’ll see in the 2020 campaign.

In the news, David Kris, Nick Weaver, and I trade perspectives on the Supreme Court’s grant of certiorari on the question when it’s a crime to access a computer “in excess of authority.” I predict that the Justice Department’s reading of the Computer Fraud and Abuse Act will lose, but it’s far from clear what will replace the Justice Department’s interpretation.

Remember when the House left town without acting on FISA renewal? That’s looking like a worse and worse decision, as Congress goes weeks without returning and Justice is left unable to use utterly uncontroversial capabilities in more and more cases. Matthew Heiman explains.

In Justice Department briefs, all the most damaging admissions are down in the footnotes, and it looks like that’s true for the inspector general’s report on the Carter Page FISA. Recently declassified footnotes from the report make the FBI’s pursuit of the FISA order look even worse, in my view. But at the end of the day, the footnotes don’t add much to suspicions of a partisan motivation in the imbroglio.

Speaking of IG reports, the DOD inspector general manages to raise the possibility of political skullduggery in the big DOD cloud computing award and then to offer a way to stick it to Amazon anyway. Meanwhile, the judge overseeing the bid protest gives the Pentagon a chance for a do-over

Matthew covers intel warnings about China-linked ‘Electric Panda’ hackers and that the Syrian government is spreading surveillance malware via coronavirus apps. And David notes that a Zoom zero-day is being offered for $500,000.Nick and I mix it up, first over the Gapple infection tracing plan and their fight with the UK National Health Service and then over Facebook’s decision to suppress posts about demonstrations that protest the lockdown by violating the lockdown.

Download the 312th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: 201782.mp3
Category:general -- posted at: 9:18pm EST

The Cyberspace Solarium Commission’s report was released into the teeth of the COVID-19 crisis and hasn’t attracted the press it probably deserved. But the commissioners included four sitting Congressmen who plan to push for the adoption of its recommendations. And the Commission is going to be producing more material – and probably more press attention – over the coming weeks. In this episode, I interview Sen. Angus King, co-chair of the Commission, and Dr. Samantha Ravich, one of the commissioners.

We focus almost exclusively on what the Commission’s recommendations mean for the private sector. The Commission has proposed a remarkably broad range of cybersecurity measures for business. The Commission recommends a new products liability regime for assemblers of final goods (including software) who don’t promptly patch vulnerabilities. It proposes two new laws requiring notice not only of personal data breaches but also of other significant cyber incidents. It calls for a federal privacy and security law – without preemption. It updates Sarbanes-Oxley to include cybersecurity principles. And lest you think the Commission is in love with liability, it also proposed liability immunities for critical infrastructure owners operating under government supervision during a crisis. We cover all these proposals, plus the Commission’s recommendation of a new role for the Intelligence Community in providing support to critical US companies.

In the news, Nick Weaver and I dig deep into the Google and Apple proposals for tracking COVID-19 infections. I’ve got a separate post in the works on the topic, but the short version is that I think Google and Apple have dramatically overvalued privacy interests and downgraded, you know, actually tracking infections. Nick and I agree that the app should operate on an opt-out basis, not opt-in.

The Great Decoupling, part 278: It looks as though China Telecom will be getting the boot from US telecom markets, at least if Team Telecom has anything to say about it. And speaking of Team Telecom, Brian Egan tells us that it has a new charter and a new, catchy acronym: CAFPUSTTSS!

Nick and I dig into a Ninth Circuit decision that may be bound for the Supreme Court. It holds that Facebook can be held liable for wiretapping when it gets information from its widely deployed “like” buttons on third-party sites.

Fish gotta swim, birds gotta fly, and the EU has to regulate tech, coronavirus or not. Maury Shenk reports, bemusedly.

Matching him bemusement for bemusement, Nick tries to explain a French ruling that Google must pay news outlets for content (and can’t stop linking to the outlets).

Maury explains the 5G-coronavirus conspiracy that has Brits burning cellular masts.

Nick explains how to make a “smart” lock spill its secrets, and how to fall foul of the FTC.

And in quick takes, the COVID-19 cyber threat has the US and UK authorities joining hands against cyberattacks, the Australian government is hacking criminals who are exploiting coronavirus, and it turns out that IoT devices may defect to work for foreign intelligence agencies.

Download the 311th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-311.mp3
Category:general -- posted at: 11:29am EST

Nate Jones and I dig deep into Twitter’s decision to delete Rudy Giuliani’s tweet (quoting Charlie Kirk of Turning Point) to the effect that hydroxychloroquine had been shown to be 100% effective against the coronavirus and that Gov. Whitmer (D-MI) had threatened doctors prescribing it out of anti-Trump animus. Twitter claimed that it was deleting tweets that “go directly against guidance from authoritative sources” and separately implied that the tweet was an improper attack on Gov. Whitmer. 

So where did Twitter find the “authoritative guidance” that Giuliani was supposed to be “going directly against”? Of course, Twitter isn’t explaining itself, which raises questions about the basis for its action. (I offered two of its representatives a chance to come on the podcast to offer a defense; they didn’t respond.)

In short, all the people who’ve been telling us our freedoms are at risk as a result of the health emergency might be right, but the source of the danger isn’t government. It’s Silicon Valley.

Nate thinks (probably correctly) that Kirk and Giuliani were wrong about the “100% effective” claim, and that people like them and the president are going to get people to take dangerous drugs without medical advice if they aren’t policed. It’s a spirited exchange.

In contrast, Paul Rosenzweig and I find a fair amount of common ground outside this week’s media consensus that Zoom is either evil or stupid, maybe both, for its handling of privacy and security of users. No doubt there are a staggering number of privacy and security holes in the product, and the company will get sued for several of them. But we suspect that many of the problems would have been exposed and fixed over the course of the three years it would have taken Zoom to reach the levels of use it’s instead reached in three weeks. One error, exposing LinkedIn data to unrelated users with the same Internet domain, seems to have hit Dutch users especially hard

The DOJ inspector general has found widespread gaps in the FBI’s compliance with its now-famous Woods procedures. Matthew Heiman and I try to put the damaging report in perspective. It’s hard to know at this point how serious the gaps are, though the numbers suggest that some will be serious. Meanwhile, the FISA court has ordered a rush evaluation from Justice of more or less exactly the same questions the IG is asking. We manage to agree that the court’s June 15 deadline is not realistic given everything else the same group of lawyers will be doing between now and November. 

Matthew tells us that the Saudis are suspected of a phone spying campaign in the United States. I point out that foreign location collection is pretty much built into the SS7 phone system, so the worst that can be said about the event is that the Saudis were caught doing “too much” spying in the US.

Paul comes down agreeing with a new court ruling that violating a site’s terms of service isn’t criminal hacking. And now that that’s settled, I have a research proposal for the Hewlett Foundation.

Washington State has adopted a facial recognition law that Microsoft likes, Nate tells us. No surprise, I suggest, since the law will only regulate governments, not the private sector. I’m not a fan; it looks like a law that virtually guarantees that any facial recognition system will be forced to “correct” empirical results in favor of quotas for “protected subpopulations.” This leads, in light of Zoom’s problems, to the question of whether that includes the Dutch.

Who is hacking the WHO? Who isn’t? Matthew notes that Iran has joined what must be a crowd of eavesdroppers in WHO networks.

Nostalgic for the days before the coronavirus? How about this blast from the past: Marriott has revealed a data breach exposing (some) personal data for up to 5.2 million customers.

I close the episode with the good news that some coders seem to be taking up the challenge I offered in the last episode and on Lawfare to construct an infection tracing system using mobile phones that will work in the US.

Download the 310th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-310.mp3
Category:general -- posted at: 10:32am EST

In this bonus episode, we present a lightly edited interview about Israel’s technology- and surveillance-heavy approach to the COVID-19 pandemic. In it, Matthew Waxman, Liviu Librescu Professor of Law at Columbia University, and I talk to Yuval Shany, a noted Israeli human rights expert and professor at Hebrew University. We cover the particularly fraught political crisis that the virus exacerbated, the Israeli government’s use of counterterrorism tools to trace contacts of infected individuals, and the significance of locational privacy in the face of a deadly contagion. Our thanks to both Nachum Braverman of Academic Exchange and Benjamin Wittes of Lawfare for making the interview possible.

Download the 309th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-309.mp3
Category:general -- posted at: 10:00am EST

1