The Cyberlaw Podcast

Our interview is with Mara Hvistendahl, an investigative journalist at The Intercept and author of a new book, The Scientist and the Spy: A True Story of China, the FBI, and Industrial Espionage, as well as a deep WIRED article on the least known Chinese AI champion, iFlytek. Mara’s book raises questions about the expense and motivations of the FBI’s pursuit of commercial spying from China. 

In the News Roundup, Gus Hurwitz, Nick Weaver, and I wrestle with whether Apple’s lawsuit against Corellium is really aimed at the FBI. The answer looks to be affirmative since an Apple victory would make it harder for contractors to find hackable flaws in the iPhone.

Germany’s top court ruled that German intelligence can no longer freely spy on foreigners – or share intelligence with other western countries. The court seems to be trying to leave the door open to something that looks like intelligence collection, but the hurdles are many. Which reminds me that I somehow missed the 100th anniversary of the Weimar Republic.

There’s Trouble Right Here in Takedown City. Gus lays out all the screwy and maybe even dangerous takedown decisions that came to light last week. YouTube censored epidemiologist Knut Wittkowski for opposing lockdown. It suspended and then reinstated a popular Android podcast app for the crime of cataloging COVID-19 content. We learned that anyone can engage in a self-help right to be forgotten with a bit of backdating and a plagiarism claim. Classical musicians are taking it on the chin in their battle with aggressive copyright enforcement bots and a sluggish Silicon Valley response.

In that climate, who can blame the Supreme Court for ducking cases asking for a ruling on the scope of Section 230? They’ve dodged one already, and we predict the same outcome in the next one. 

Finally, Gus unpacks the recent report on the DMCA from the Copyright Lobbying Office – er, the Copyright Office.

With relief, we turn to Matthew Heiman for more cyber and less law. It sure looks like Israel launched a disruptive cyberattack on an Iranian port facility. It was probably a response to Iranian cyber-meddling with Israeli water systems.

Nick covers Bizarro-world cybersecurity: It turns out malware authors now can hire their own black-market security pentesters.

I ask about open-source security and am met with derisive laughter, which certainly seems fair after flaws were found in dozens of applications.

I also cover new developments in AI. And the news from AI speech imitation is that Presidents Trump and Obama have fake-endorsed Lyrebird. 

Gus reminds us that most of privacy law is about unintended consequences, like telling Grandma she’s violating GDPR by posting her grandchildren's photos without their parents' consent.

Beerint at last makes its appearance, as it turns out that military and intelligence personnel can be tracked with a beer enthusiast app. 

Finally, in the wake of Joe Rogan’s deal with Spotify, I offer assurances that the Cyberlaw Podcast is not going to sell out for $100 million. 

Download the 317th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-317.mp3
Category:general -- posted at: 11:18am EST

Peter Singer continues his excursion into what he calls “useful fiction” – thrillers that explore real-world implications of emerging technologies – with Burn-In: A Novel of the Real Robotic Revolution, to be released May 26, 2020. This interview explores a thoroughly researched (and footnoted!) host of new technologies, many already in production or on the horizon, all packed inside a plot-driven novel. The book is a painless way to understand what these technologies make possible and their impact on actual human beings. And the interview ranges widely over the policy implications, plus a few plot spoilers.

In the News Roundup, David Kris covers the latest Congressional FISA Follies, leading me into a rant on the utter irresponsibility of subjecting national security authorities to regular expiration – and regular ransom demands from the least responsible elements of Congress. Speaking of FISA, it turns out that the December Pensacola shootings were hatched by al-Qaeda’s Yemen franchise. Why are we only learning this in May? Because the evidence comes from an iPhone whose security Apple refused to find a way around. The FBI’s self-help solution worked in the end, but not until the trail had gone cold. 

Decoupling is in overdrive this week. Nick Weaver talks about the move by the Trump Administration to achieve semiconductor self-sufficiency – and the not-coincidental announcements that TSMC will build a chip factory in Arizona and that the Commerce Department has drafted a new export rule aimed at making it much harder for TSMC to build chips for Huawei. In response, China is preparing a list of unreliable US suppliers of technology. I wonder whether putting companies on the list for diversifying their supply chain out of China will have the long-term effect of making companies more reluctant to open new supply relationships with Chinese companies.

David and I note that recent U.S. accusations of Chinese and Iranian cyber intrusions on COVID-19 research may be more than just the usual imprecations. 

And Nick explains why so many US professors are going to jail for undisclosed China ties. The key word is “undisclosed.”

Mark MacCarthy previews France’s (and Germany’s and the EU’s and the UK’s) increasingly tough sanctions for US social media firms that fail to remove "hate speech" and other bad content within 24 hours (or sometimes one hour). More and more, it seems, Section 230 immunity is just a local U.S. ordinance.

Mark and Nick review the latest trial balloon from Europe’s technocrats: How about a Chinese firewall for Europe? Some apparently respectable policy thinkers working for the European Parliament seem interested in such an idea.

David and Nick find themselves agreeing with the latest release from DHS’s CISA pouring cold water on online voting.

In quick hits, David notes the Trump administration’s now routine extension of the "telecom national security" Executive Order, Nick brings us This Week in NSO Bashing, I touch on a ransomware and doxing threat that has tripped up a celebrity law firm, and Nick and I muse on why cell phone contact tracing seems about to jump the shark.

We close with a surprising catfishing story.

Download the 316th Episode (mp3).


Direct download: TheCyberlawPodcast-316.mp3
Category:general -- posted at: 11:07am EST

J.P. Morgan once responded to President Teddy Roosevelt’s charge that he’d violated federal antitrust law by saying, “If we have done anything wrong, send your man to see my man, and we’ll fix it up.” That used to be the gold standard for monopolist arrogance in dealing with government, but Google and Apple have put J.P. Morgan in the shade with their latest instruction to the governments of the world: You can’t use our app to trace COVID-19 infections unless you promise not to use it for quarantine or law enforcement purposes. They are only able to do this because the two companies have more or less 99 percent of the phone OS market. That’s more control than Morgan had of U.S. railways, and their dominance apparently allows them to say, “If you think we’ve done something wrong, don’t bother to send your man; ours is too busy to meet.” Nate Jones and I discuss the question of Silicon Valley overreach in this episode. (In that vein, I apologize unreservedly to John D. Rockefeller, to whom I mistakenly attributed the quote.) The sad result is that a promising technological adjunct to contact tracing has been delayed and muddled by ideological engineers to the point where it isn’t likely to be deployed and used in a timely way.

Another lesson we draw in today’s episode is for authoritarian governments: Worry less about Cyber Command and more about NGOs. Citizen Lab has released a great paper making the case that WeChat monitors its users outside China, not to suppress their speech but to flag documents and images for later suppression inside China. Ironically, Matthew Heiman notes, Western users of WeChat who circulate human rights material are giving China’s censors the ability to hash and block that material as soon as it crosses the Great Firewall.

Meanwhile, Nate points out, Bellingcat has done for Russia’s GRU what Citizen Lab did for China. Perhaps inspired by Germany’s indictment of Dmitry Badin for hacking the Bundestag, Bellingcat doxes him to a fare-thee-well, finding his phone number, car registration, GRU office address and preposterously bad password.

David Kris explains the intersection of export control law and the Law of Unintended Consequences, as the U.S. Commerce Department finds that its efforts to isolate Huawei may be excluding U.S. firms from some standards bodies.

Anthony Anscombe joins us from Steptoe’s class action practice to unpack the recent Seventh Circuit decision on Article III standing and Illinois’s Biometric Information Privacy Act.

Israel’s passive-aggressive Supreme Court, meanwhile, has found a second way to say, “Meh,” to the Israeli government’s use of intelligence tools to do contact tracing.

Matthew lays out what’s at stake as the Senate tries again to pass its FISA bill. That may happen as early as today.

In short hits, everybody’s government hackers are adding COVID-19 to their targets, going after everyone from the WHO to coronavirus researchers. I make an effort to explain why Apple has brought a DMCA copyright lawsuit against Corellium. It’s all about the “chilling effect” on security research. And maybe one particular Five Eyes researcher. I make the case for Justice Department intervention on Corellium’s behalf—or at least Azimuth’s. Banjo’s CEO steps down. And where is Jean-Paul Sartre when you need him? He’s the only one who can resolve the odd dispute over “authenticity” between Twitter and the U.S. State Department.


Direct download: TheCyberlawPodcast-315.mp3
Category:general -- posted at: 4:47pm EST

We begin with a new US measure to secure its supply chain for a critical infrastructure – the bulk power grid. David Kris unpacks a new Executive Order restricting purchases of foreign equipment for the grid.

Nick Weaver, meanwhile, explains the remarkable extent of surveillance built into Xiaomi phones and questions the company’s claim that it was merely acquiring pseudonymous ad-related data like others in the industry.

It wouldn’t be the Cyberlaw Podcast if we didn’t wrangle over mobile phones and the coronavirus. Mark MacCarthy says that several countries – Australia, the UK, and perhaps France – are deviating from the Gapple model for using phones for infection tracing. Several have bought in. India, meanwhile, is planning a much more government-driven approach to using phone apps to combat the pandemic.

Mark ventures into even more contested territory in response to an article in The Atlantic by Jack Goldsmith and Andrew Woods, who argue that China has won the debate with John Perry Barlow over whether the Internet will be a force for free speech. Mark and I more or less agree, which sends me off on a rant about the growing self-confidence and ham-handedness of Big Tech as they get comfortable in their role as Guardians of What You Can’t Say on the Internet. Things you can’t say include plausible arguments about the still highly unsettled question of how best to deal with COVID-19 and descriptions of treatment options that have been entertained by President Trump without establishment approval, not to mention “unverified” statements (not, notably, false ones) that could cause social unrest. Just reading such things, it turns out, will lead at least Facebook to track you down and tell you that it noticed and wants to correct your flirtation with thoughtcrime – a practice that earned it praise from Rep. Adam Schiff.

Nick and I note the difficulty Facebook is having getting out of FOSTA cases in Texas, and I ask why FOSTA hasn’t already spelled doom for end-to-end encryption since it basically does what the EARN IT Act does, and all right-thinking Americans have been told that EARN IT is The End of End-to-End Encryption.

David explains why Amazon is facing tough new scrutiny from both parties: A Wall Street Journal article that questioned the accuracy of Amazon testimony before Congress has turned into claims of perjury, a demand that Jeff Bezos testify, and suggestions that the administration open a criminal antitrust probe.

“You can’t decouple from me! I’m decoupling from you!” That’s the sentiment from China anyway as they push forward with their own remarkably familiar supply chain security regulations. David explains that while the rules are similar to those in the United States, they’re tougher and more likely to be implemented in a slow, inexorable way.

Download the 314th Episode (mp3).


Direct download: TheCyberlawPodcast-314.mp3
Category:general -- posted at: 6:43pm EST
