I take advantage of Scott Shapiro’s participation in this episode of the Cyberlaw Podcast to interview him about his book, Fancy Bear Goes Phishing – The Dark History of the Information Age, in Five Extraordinary Hacks. It’s a remarkable tutorial on cybersecurity, told through stories that you’ll probably think you already know until you see what Scott has found by digging into historical and legal records. We cover the Morris worm, the Paris Hilton hack, and the earliest Bulgarian virus writer’s nemesis. Along the way, we share views about the refreshing emergence of a well-paid profession largely free of the credentialism that infects so much of the American economy. In keeping with the rest of the episode, I ask Bing Image Creator to generate alternative artwork for the book.

In the news roundup, Michael Ellis walks us through the “sweeping”™ White House executive order on artificial intelligence. The tl;dr: the order may or may not actually have real impact on the field. The same can probably be said of the advice now being dispensed by AI’s “godfathers.”™ -- the keepers of the flame for AI existential risk who have urged that AI companies devote a third of their R&D budgets to AI safety and security and accept liability for serious harm. Scott and I puzzle over how dangerous AI can be when even the most advanced engines can only do multiplication successfully 85% of the time. Along the way, we evaluate methods for poisoning training data and their utility for helping starving artists get paid when their work is repurposed by AI.

Speaking of AI regulation, Nick Weaver offers a real-life example: the California DMV’s immediate suspension of Cruise’s robotaxi permit after a serious accident that the company handled poorly. 

Michael tells us what’s been happening in the Google antitrust trial, to the extent that anyone can tell, thanks to the heavy confidentiality restrictions imposed by Judge Mehta. One number that escaped -- $26 billion in payments to maintain Google as everyone’s default search engine – draws plenty of commentary.

Scott and I try to make sense of CISA’s claim that its vulnerability list has produced cybersecurity dividends. We are inclined to agree that there’s a pony in there somewhere.

Nick explains why it’s dangerous to try to spy on Kaspersky. The rewards my be big, but so is the risk that your intelligence service will be pantsed. Nick also notes that using Let’s Encrypt as part of your man in the middle attack has risks as well – advice he probably should deliver auf Deutsch.

Scott and I cover a great Andy Greenberg story about a team of hackers who discovered how to unlock a vast store of bitcoin on an IronKey but may not see a payoff soon. I reveal my connection to the story.

Michael and I share thoughts about the effort to renew section 702 of FISA, which lost momentum during the long battle over choosing a Speaker of the House. I note that USTR has surrendered to reality in global digital trade and point out that last week’s story about judicial interest in tort cases against social media turned out to be the first robin in what now looks like a remake of The Birds. 

Download 479th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast begins with the administration’s aggressive new rules on chip exports to China. Practically every aspect of the rules announced just eight months ago was sharply tightened, Nate Jones reports. The changes are so severe, I suggest, that they make the original rules look like a failure that had to be overhauled to work.

Much the same could be said about the Biden administration’s plan for an executive order on AI regulation that Chessie Lockhart thinks will  focus on government purchases. As a symbolic expression of best AI practice, procurement focused rules make symbolic sense. But given the current government market for AI, it’s hard to see them having much bite.

If it’s bite you want, Nate says, the EU has sketched out what appears to be version 3.0 of its AI Act. It doesn’t look all that much like Versions 1.0 or 2.0, but it’s sure to take the world by storm, fans of the Brussels Effect tell us. I note that the new version includes plans for fee-driven enforcement and suggest that the scope of the rules is already being tailored to ensure fee revenue from popular but not especially risky AI models.

Jane Bambauer offers a kind review of  Marc Andreessen’s “‘Techno-Optimist Manifesto”.  We end up agreeing more than we disagree with Marc’s arguments, if not his bombast. I attribute his style to a lesson I once learned from mountaineering.

Chessie discusses the Achilles heel of the growing state movement to require that registered data brokers delete personal data on request. It turns out that a lot of the data brokers, just aren’t registering.

The Supreme Court, moving with surprising speed at the Solicitor General’s behest, has granted cert and a stay  in the jawboning case, brought by Missouri among other states to stop federal agencies from leaning on social media to suppress speech the federal government disagrees with. I note that the SG’s desperation to win this case has led it to make surprisingly creative arguments, leading to yet another Cybertoonz explainer.

Social media’s loss of public esteem may be showing up in judicial decisions. Jane reports on a California decision allowing a lawsuit that seeks to sue kids’ social media on a negligence theory for marketing an addictive product. I’m happier than Jane to see that the bloom is off the section 230 rose, but we agree that suing companies for making their product’s too attractive may run into a few pitfalls on the way to judgment. I offer listeners who don’t remember the Reagan administration a short history of the California judge who wrote the opinion.

And speaking of tort liability for tech products, Chessie tells us that Chinny Sharma, another Cyberlaw podcast stalwart, has an article in Lawfare confessing some fondness for products liability (as opposed to negligence) lawsuits over cybersecurity failures. 

Chessie also breaks down a Colorado Supreme Court decision approving a keyword search for an arson-murder suspect. Although played as a win for keyword searches in the press, it’s actually a loss. The search results were deemed admissible only because the good faith exception excused what the court considered a lack of probable cause. I award EFF the “sore winner” award for its whiny screed complaining that, while it agree with EFF on the principle, the court didn’t also free the scumbags who burned five people to death.

Finally,  Nate and I explain why the Cybersecurity and Infrastructure Security Agency won’t be getting the small-ball cyber bills through Congress that used to be routine. CISA overplayed its hand in the misinformation wars over the  2020 election, going so far as to consider curbs on “malinformation” – information that is true but inconvenient for the government. This has led a lot of conservatives to look for reasons to cut CISA’s budget. Sen. Rand Paul (R-Ky.)  gets special billing.

Download 478th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast delves into a False Claims Act lawsuit against Penn State University by a former CIO to one of its research units. The lawsuit alleges that Penn State faked security documents in filings with the Defense Department. Because it’s a so-called qui tam case, Tyler Evans explains, the plaintiff could recover a portion of any funds repaid by Penn State. If the employee was complicit in a scheme to mislead DoD, the False Claims Act isn’t limited to civil cases like this one; the Justice Department can pursue criminal sanctions too–although Tyler notes that, so far, Justice has been slow to take that step.

In other news, Jeffery Atik and I try to make sense of a New York Times story about Chinese bitcoin miners setting up shop near a Microsoft data center and a DoD base. The reporter seems sure that the Chinese miners are doing something suspicious, but it’s not clear exactly what the problem is.

California Governor Gavin Newsom (D) is widely believed to be positioning himself for a Presidential run, maybe as early as next year. In that effort, he’s been able to milk the Sacramento Effect, in which California adopts legislation that more or less requires the country to follow its lead. One such law is the DELETE (Data Elimination and Limiting Extensive Tracking and Exchange) Act, which, Jim Dempsey reports, would require all data brokers to delete the personal data of anyone who makes a request to a centralized California agency. This will be bad news for most data brokers, and good news for the biggest digital ad companies like Google and Amazon, since those companies acquire their data directly from their customers and not through purchase. 

Another California law that could have similar national impact bans social media from “aiding or abetting” child abuse. This framing is borrowed from FOSTA (Allow States and Victims to Fight Online Sex Trafficking Act)/SESTA (Stop Enabling Sex Traffickers Act), a federal law that prohibited aiding and abetting sex trafficking and led to the demise of sex classified ads and the publications they supported around the country. 

I cover the overdetermined collapse of EPA’s effort to impose cybersecurity regulation on the nation’s water systems. I predict we won’t see an improvement in water system cybersecurity without new legislation.

Justin lays out how badly the Senate is fracturing over regulation of AI. Jeffery and I puzzle over the Commerce Department’s decision to allow South Korean DRAM makers to keep using U.S. technology in their Chinese foundries. 

Jim lays out the unedifying history of Congressional and administration efforts to bring a hammer down on TikTok while Jeffery evaluates the prospects for Utah’s lawsuit against TikTok based on a claim that the  app has a harmful impact on children. 

Finally, in what looks like good news about AI transparency, Jeffery covers Anthropic’s research showing that–sometimes–it’s possible to identify the features that an AI model is relying upon, showing how the model weights features like law talk or reliance on spreadsheet data. It’s a long way from there to understanding how the model makes its recommendations, but Anthropic thinks we’ve moved from needing more science to needing more engineering. 

Download 477th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The debate over section 702 of FISA is heating up as the end-of-year deadline for reauthorization draws near. The debate can now draw upon a report from the Privacy and Civil Liberties Oversight Board. That report was not unanimous. In the interest of helping listeners understand the report and its recommendations, the Cyberlaw Podcast has produced a bonus episode 476, featuring two of the board members who represent the divergent views on the board—Beth Williams, a Republican-appointed member, and Travis LeBlanc, a Democrat-appointed member. It’s a great introduction to the 702 program, touching first on the very substantial points of agreement about it and then on the concerns and recommendations for addressing those concerns. Best of all, the conversation ends with a surprise consensus on the importance of using the program to vet travelers to the United States and holders of security clearances.

Download 476th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Today’s episode of the Cyberlaw Podcast begins as it must with Saturday’s appalling Hamas attack on Israeli civilians. I ask Adam Hickey and Paul Rosenzweig to comment on the attack and what lessons the U.S. should draw from it, whether in terms of revitalized intelligence programs or the need for workable defenses against drone attacks. 

In other news, Adam covers the disturbing prediction that the U.S. and China have a fifty percent chance of armed conflict in the next five years—and the supply chain consequences of increasing conflict. Meanwhile, Western companies who were hoping to sit the conflict out may not be given the chance. Adam also covers the related EU effort to assess risks posed by four key technologies.

Paul and I share our doubts about the Red Cross’s effort to impose ethical guidelines on hacktivists in war. Not that we needed to; the hacktivists seem perfectly capable of expressing their doubts on their own.

The Fifth Circuit has expanded its injunction against the U.S. government encouraging or coercing social media to suppress “disinformation.” Now the prohibition covers CISA as well as the White House, FBI, and CDC. Adam, who oversaw FBI efforts to counter foreign disinformation, takes a different view of the facts than the Fifth Circuit. In the same vein, we note a recent paper from two Facebook content moderators who say that government jawboning of social media really does work (if you had any doubts).

Paul comments on the EU vulnerability disclosure proposal and the hostile reaction it has attracted from some sensible people. 

Adam and I find value in an op-ed that explains the weirdly warring camps, not over whether to regulate AI but over how and why.

And, finally, Paul mourns yet another step in Apple’s step-by-step surrender to Chinese censorship and social control.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Supreme Court has granted certiorari to review two big state laws trying to impose limits on social media censorship (or “curation,” if you prefer) of platform content. Paul Stephan and I spar over the right outcome, and the likely vote count, in the two cases. One surprise: we both think that the platforms’ claim of a first amendment right to curate content  is in tension with their claim that they, uniquely among speakers, should have an immunity for their “speech.”

Maury weighs in to note that the EU is now gearing up to bring social media to heel on the “disinformation” front. That fight will be ugly for Big Tech, he points out, because Europe doesn’t mind if it puts social media out of business, since it’s an American industry. I point out that elites all across the globe have rallied to meet and defeat social media’s challenge to their agenda-setting and reality-defining authority. India is aggressively doing the same. 

Paul covers another big story in law and technology. The FTC has sued Amazon for antitrust violations—essentially price gouging and tying. Whether the conduct alleged in the complaint is even a bad thing will depend on the facts, so the case will be hard fought. And, given the FTC’s track record, no one should be betting against Amazon.

Nick Weaver explains the dynamic behind the massive MGM and Caesars hacks. As with so many globalized industries, ransomware now has Americans in marketing (or social engineering, if you prefer) and foreign technology suppliers. Nick thinks it’s time to OFAC ‘em all.

Maury explains the latest bulk intercept decision from the European Court of Human Rights. The UK has lost again, but it’s not clear how much difference that will make. The ruling says that non-Brits can sue the UK over bulk interception, but the court has already made clear that, with a few legislative tweaks, bulk interception is legal under the European human rights convention.

More bad news for 230 maximalists: it turns out that Facebook can be sued for allowing advertisers to target ads based on age and gender. The platform slipped from allowing speech to being liable for speech because it facilitated advertiser’s allegedly discriminatory targeting. 

The UK competition authorities are seeking greater access to AI’s inner workings to assess risks, but Maury Shenk is sure this is part of a light touch on AI regulation that is meant to make the UK a safe European harbor for AI companies.

In a few quick hits and updates:

• I explain the splintered PCLOB report that endorses 702 renewal, with widely diverging proposals for reform.

• Paul tells us that the Biden Administration plans to bring back “net neutrality” rules. Hey, if we get to choose which golden oldie to revive, I actually liked the macarena more.

• I flag an issue likely to spark a surprisingly bitter clash between the administration and cloud providers – Know Your Customer rules. The government thinks it’s irresponsible from a cybersecurity point of view to let randos spin up virtual machines. The industry doesn’t think the market will tolerate any other way of doing business. 

• Speaking of government-industry clashes, it looks like Apple is caught between Chinese demands that it impose tough new controls on apps in its app store and, well, human decency. Maury has the story. And I’ve got a solution. Apple should just rebrand its totalitarian new controls as “app curation.” Seems to be working for everyone else.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.