The Capitol Hill hearings featuring TikTok’s CEO lead off episode 450 of the Cyberlaw Podcast. The CEO handled the endless stream of Congressional accusations and suspicion about as well as could have been expected.  And it did him as little good as a cynic would have expected. Jim Dempsey and Mark MacCarthy think Congress is moving toward action on Chinese IT products—probably in the form of the bipartisan Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act. But passing legislation and actually doing something about China’s IT successes are two very different things.

The FTC is jumping into the arena on cloud services, Mark tells us, and it can’t escape its DNA—dwelling on possible industry concentration and lock-in and not asking much about the national security implications of knocking off a bunch of American cloud providers when the alternatives are largely Chinese cloud providers. The FTC’s myopia means that the administration won’t get as much help as it could from the FTC on cloud security measures. I reissue my standard objection to the FTC’s refusal to follow the FCC’s lead in deferring on national security to executive branch concerns. Mark and I disagree about whether the FTC Act forces the Commission to limit itself to consumer protection.

Jim Dempsey reviews the latest AI releases, including Google’s Bard, which seems to have many of the same hallucination problems as OpenAI’s engines. Jim and I debate what I consider the wacky and unjustified fascination in the press with catching AI engaging in wrong think. I believe it’s just a mechanism for justifying the imposition of left-wing values on AI’s output —which already scores left/libertarian on 14 of 15 standard tests for identifying ideological affiliation. Similarly, I question the effort to stop AI from hallucinating footnotes in support of its erroneous facts. If ever there were a case for generative AI correction of AI errors, the fake citation problem seems like a natural.

Speaking of Silicon Valley’s lying problem, Mark reminds us that social media is absolutely immune for user speech, even after it gets notice that the speech is harmful and false. He reminds us of his thoughtful argument in favor of tweaking section 230 to more closely resemble the notice and action obligations found in the Digital Millennium Copyright Act (DMCA). I argue that the DMCA has not so much solved the incentives for overcensoring speech as it has surrendered to them.  

Jim introduces us to an emerging trend in state privacy law: bills that industry supports. Iowa’s new law is the exemplar; Jim questions whether it will satisfy users in the long run.  

I summarize Hachette v. Internet Archive, in which Judge John G. Koeltl delivers a harsh rebuke to internet hippies everywhere, ruling that the Internet Archive violated copyright in its effort to create a digital equivalent to public library lending. The judge’s lesson for the rest of us: You might think fair use is a thing, but it’s not. Get over it.

In quick hits, 

• I note that the Cyberlaw Podcast scooped WIRED in covering the GSA’s lies about the security of login.gov and its later effort to justify those lies by invoking “equity”—currently replacing patriotism as the last resort of scoundrels.

• And I offer a brief, nostalgic requiem for Toshiba, which is being broken up for scrap by what’s left of Japan Inc. Thirty years ago, Toshiba was treated on the Hill like Huawei is today – a scary and unstoppable competitor who threatened the American way of life.  Now, not so much. 

Download 450th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

GPT-4’s rapid and tangible improvement over ChatGPT has more or less guaranteed that it or a competitor will be built into most new and legacy information and technology (IT) products. Some applications will be pointless; but some will change users’ world. In this episode, Sultan Meghji, Jordan Schneider, and Siobhan Gorman explore the likely impact of GPT4 from Silicon Valley to China.  

Kurt Sanger joins us to explain why Ukraine’s IT Army of volunteer hackers creates political, legal, and maybe even physical risks for the hackers and for Ukraine. This may explain why Ukraine is looking for ways to “regularize” their international supporters, with a view to steering them toward defending Ukrainian infrastructure.

Siobhan and I dig into the Biden administration’s latest target for cybersecurity regulation: cloud providers.  I wonder if there is not a bit of bait and switch in operation here. The administration seems at least as intent on regulating cloud providers to catch hackers as to improve defenses.

Say this for China – it never lets a bit of leverage go to waste, even when it should.  To further buttress its seven-dashed-line claim to the South China Sea, China is demanding that companies get Chinese licenses to lay submarine cable within the contested territory. That, of course, incentivizes the laying of cables much further from China, out where they’re harder for the Chinese to deal with in a conflict. But some Beijing bureaucrat will no doubt claim it as a win for the wolf warriors. Ditto for the Chinese ambassador’s statement about the Netherlands joining the U.S. in restricting chip-making equipment sales to China, which boiled down to “We will make you pay for that. We just do not know how yet.” The U.S. is not always good at dealing with its companies and other countries, but it is nice to be competing with a country that is demonstrably worse at it.

The Security and Exchange Commission has gone from catatonic to hyperactive on cybersecurity. Siobhan notes its latest 48-hour incident reporting requirement and the difficulty of reporting anything useful in that time frame. 

Kurt and Siobhan bring their expertise as parents of teens and aspiring teens to the TikTok debate.

I linger over the extraordinary and undercovered mess created by “18F”—the General Service Administration’s effort to bring Silicon Valley to the government’s IT infrastructure. It looks like they brought Silicon Valley’s arrogance, its political correctness, and its penchant for breaking things but forgot to bring either competence or honesty.  18F lied to its federal customers about how or whether it was checking the identities of people logging in through login.gov. When it finally admitted the lie, it brazenly claimed it was not checking because the technology was biased, contrary to the only available evidence. Oh, and it refused to give back the $10 million it charged because the work it did cost more than that. This breakdown in the middle of coronavirus handouts undoubtedly juiced fraud, but no one has figured out how much. Among the victims: Sen. Ron Wyden (D.-Ore.), who used login.gov and its phony biometric checks as the “good” alternative that would let the Internal Revenue Service (IRS) cancel its politically inconvenient contract with ID.me. Really, guys, it’s time to start scrubbing 18F from your LinkedIn profiles.

The Knicks have won some games. Blind pigs have found some acorns. But Madison Square Garden (and Knicks) owner, Jimmy Dolan is still investing good money in his unwinnable fight to use facial recognition to keep lawyers he does not like out of the Garden. Kurt offers commentary, thereby saving himself the cost of Knicks tickets for future playoff games. 

Finally, I read Simson Garfinkel’s explanation of a question I asked (and should have known the answer to) in episode 448.

This episode of the Cyberlaw Podcast kicks off with the sudden emergence of a serious bipartisan effort to impose new national security regulations on what companies can be part of the U.S. Information Technology and content supply chain. Spurred by a stalled Committee on Foreign Investment in the United States negotiation with TikTok, Michael Ellis tells us, a dozen well-regarded Democrat and Republican senators have joined to endorse the Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act, which authorizes the exclusion of companies based in hostile countries from the U.S. economy. The administration has also jumped on the bandwagon, making the adoption of some legislation more likely than in the past.  

Jane Bambauer takes us through the district court decision upholding the use of a “geofence warrant” to identify January 6th rioters. We end up agreeing that this decision (and the context) turned out to be the best possible result for the Justice Department, silencing the usual left-leaning doubters about law enforcement technological adaptation. 

Just a few days after issuing a cybersecurity strategy that calls for more regulation, the administration is delivering what it called for. Transportation Security Administration (TSA) has issued emergency cybersecurity orders for airports and aircraft operators that, I argue, take the regulatory framework from a few baby steps to a plausible set of minimum requirements. Things look a little different in the water and sewage sector, where the regulator is the Environmental Protection Agency (EPA)—not known for its cybersecurity expertise—and the authority to regulate is grounded if at all in very general legislative language. To make the task even harder, EPA is planning to impose its cybersecurity standards using an interpretive rule against a background in which Congress has done just enough cybersecurity legislating to undermine the case for a broad interpretation. 

Jane explores the story that Google was deterred from releasing its impressive AI technology by fear of bad press. That leads us to a meditation on politics inside companies with a guaranteed source of revenue. I offer hope that Google’s fears about politically incorrect AI will infect Chinese tech firms.

Jane and I reprise the debate over the United Kingdom’s Online Safety Act and end-to-end encryption, which leads to a poli-sci tour of European policymaking institutions. 

The other cyber and national security news in Congress is the ongoing debate over renewal of section 702 of the Foreign Intelligence Surveillance Act (FISA), where it appears that the FBI scored an own-goal. Michael reports that an FBI analyst did unauthorized searches of the 702 database for intelligence on one of the House intelligence committee’s moderates, Rep. Darin LaHood, R-Ill. Details are sketchy, Michael notes, but the search was disclosed by Rep. LaHood, and it is bound to have led to harsh questioning during the FBI director’s classified testimony, Meanwhile, at least one member of the President’s Civil Liberties and Oversight Board is calling for what could be a crippling “reform” of 702 database searches. 

Jane and I unpack the controversy surrounding the Federal Trade Commission’s investigation of Twitter’s compliance with its consent decree. On the law, Elon Musk’s Twitter is in trouble. On the political front, however, they are more evenly matched. Chances are, both parties are overestimating their own strengths, which could foretell a real donnybrook.

Michael assesses the stories saying that the Biden administration  is preparing new rules to govern outbound investment in China. He is skeptical that we’ll see heavy regulation in this space.

In quick hits,  

• Jane explains the 9th Circuit decision saying that Twitter can be prohibited from publishing a full report on how many FBI probes it answered

• Jane and I puzzle over reports that a Colorado Catholic group bought app data to track gay priests.

Download 448th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.