The Cyberlaw Podcast (general)

Just one week of antitrust litigation news shows how much turbulence Facebook and Google are encountering. Michael Weiner gives us a remarkably compact summary of the many issues, from deeply historical (Facebook’s purchase of Instagram) to cutting edge tech (complaints about Oculus self-preferencing). In all, he brings us current on two state attorney general cases, two Federal Trade Commission cases and one Department of Justice case against the twin giants of surveillance advertising. 

Speaking of litigation, no major new technology has been greeted with more litigation in its infancy than face recognition. So this week we interview Hoan Ton-That, CEO of what must be the most controversial tech startup in decades—Clearview AI. We probe deeply into face recognition’s reputation for bias, and what the company is doing about it. Hoan is clearly taking the controversy in stride and confident that the technology will overcome efforts to turn it toxic. Meanwhile, I note, the debate is clearing out what would have been formidable competition from the likes of Microsoft, Amazon and IBM.  If you think face recognition should be banned as racist, sexist and inaccurate, this interview will make you think.

Meanwhile, David Kris notes, rumors of war are rampant on the Russian-Ukrainian border—and in cyberspace. So far, it’s a bit of a phony cyberwar, featuring web defacing and dormant file wipers. But it could blow up at any time, and we may be surprised how much damage can be done with a keyboard. 

Speaking of damage done with a keyboard, open source software is showing how much damage can be done without even trying (although some developers are in fact trying pretty hard). Nick Weaver and I dig into the Log4j and other messes, and the White House effort to head off future open source debacles. 

David is in charge of good news this week. It looks as though Russia has arrested a bunch of REvil co-conspirators, including one person that the White House holds responsible for the Colonial Pipeline attack. It’s surely not a coincidence that this hint of cooperation from Vladimir Putin comes when he’d very much like to have leverage on the Biden administration over Ukraine.

The EU is now firmly committed to cutting off the continent from a host of technologies offered, often free, by Silicon Valley. Google Analytics is out, according to Austrian authorities, even if this means accusing the European Parliament of violating European law. Nick reminds us that this isn’t all the services that could be cut off. Google Translate also depends on transatlantic data flows and could become unavailable in Europe. I offer an incendiary solution to that problem. 

Secure messaging is still under attack, but this week it’s European governments taking the shots. The UK government is planning an ad campaign against end-to-end encryption, and Germany is growling about shutting down Telegram for allowing hate speech. Nick issues a heartfelt complaint about the disingenuity of both sides in the crypto debate.

Speaking of Germans who can’t live up to their reputation on protecting privacy, Nick notes that German police did exactly what Gapple feared, using a coronavirus contact-tracing app to find potential witnesses. Meanwhile, in good news, let’s not forget Twitter, whose woke colonialism led it to suspend Nigeria’s president for threatening secessionists with war. Turns out it was easier to go to war with Twitter, which has now unconditionally surrendered to the Nigerian government

Finally, I claim kinship with Joe Rogan as one of the podcasters that bien pensant NGOs and academics hope to censor. My plan is to create a joint defense fund to which Joe and I will each contribute one percent of our podcasting revenues.

Download the 390th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-390.mp3
Category:general -- posted at: 1:35pm EDT

The Federal Trade Commission’s (FTC) other foot, I argue, is lodged firmly in its mouth. Tatyana Bolton defends the agency, which released what can only be described as a regulatory blog post in response to the log4j vulnerability, invoking the $700 million in fines imposed on Equifax to threatening “to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j.” She stresses that this is the best way to get companies to patch quickly and notes that only “reasonable steps” are required. I think we’ll hear that a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more that regulatory flexing. Especially, since the FTC’s blog post seems to pull back from its tough-guy pose when talking about the open source maintainers who actually have to do much of the patch generation; unlike the companies it threatened with wrath, the FTC understands that open source coders “don’t always have adequate resources and personnel,” something the FTC “will consider as we work to address the root issues that endanger user security.”

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China’s tech regulatory landscape, and the remarkable decline in the fortunes of consumer tech firms in that country, as the New York Times covered in detail last week. Is that good news for Silicon Valley or U.S. competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why the proposal to marry cryptocurrency to Signal is causing angst among Signal’s supporters about the end-to-end encrypted service’s ”regulatory attack surface.”

Glenn covers the latest story about security risks and telecom gear from China.

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers. The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies.

Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has “a particular tendency to clash with lawyers.” That would only make me love her more, but Glenn (who, as the National Security Agency’s top lawyer, worked with her for years) absolves her of the charge.  

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta Platforms for bringing together the boogaloo conspirators who killed a federal protective officer. It’s a long shot, but if “negligent design” turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it’s mostly not breaches of cybersecurity laws). Speaking of surprises that aren’t surprises, Glenn also covers the announcement by Lloyd’s of London that cyber insurance won’t cover cyberattacks attributable to nation-states.

Finally, I devote a few minutes to rant about the Justice Department’s decision to expand charges against Joe Sullivan, Uber’s former chief information security officer, for his role in payment of “bug bounties” to hackers who looked more like crooks than bounty hunters. More than a year after charging Sullivan with obstruction of justice, the department piled on new charges of wire fraud for failing to tell Uber’s drivers about the breach. Glenn and I both question the decision to do this without any new facts to base the charges on. And I point out that the result of exposing breach response into wire fraud charges will (or should be) fatal to the FBI’s desire to be called in while companies are dealing with breaches. If the company delays notice to the public for longer than the government thinks proper, wire fraud charges start to hang heavy in the air. If so, why would any general counsel want to have an FBI agent sitting in the room for the debate about when notice to customers is required?

Download the 389th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-389.mp3
Category:general -- posted at: 9:19am EDT

One of the good things about coming back from Christmas break are all the deep analyses that news outlets save up to publish over the holidays—especially those they can report from countries where celebrating Christmas isn’t that big a deal. At least that’s how I account for the flood of deep media dives on China technology issues. Megan Stifel takes us through a couple. The first is a Washington Post article on China using its tools for measuring internal dissent online and focusing them on the rest of the world. The second is a New York Times article that tells us what tools the Chinese government can use when the rest of the world says things it doesn’t like. Utterly unsurprising, to me at least, is that social media companies like Twitter have become hapless enablers of China’s speech police. Later in the podcast, Megan covers another story in the same vein—the growing global unease about China’s success in building Logink, a global logistics and shipping database.

Scott Shapiro and Nick Weaver walk us through the conviction of a Harvard professor for lying about his China ties. It may be too cynical to say that the Justice Department wanted Professor Charles Lieber especially badly because he’s not Asian, but there’s no doubt he’ll be Exhibit A when it defends the China Initiative against claims of ethnic profiling.

Megan takes us through another great story of hack-enabled great story of hack-enabled insider trading, helicopters to Zermatt, dueling extraditions and as the piece de resistance, hints we may learn more about Russian interference with the 2016 presidential election.  

Scott explains how Apple AirTags are being used to track people. Nick gives us a feel for just how hard it is to separate good from bad in designing Air Tags. I suggest that this is a problem we could leave to the plaintiffs’ lawyers. 

Nick lays out the economics of hacking as a service and introduces us to yet another company in that business—Cytrox. No one seems to last long in the business without changing their name. Nick and I explore the reasons for that, and the possibility that soon the teams that work for these companies will move on every year or two. 

Nick also explains why bitcoin isn’t always a cybercriminal’s best friend. It turns out that cryptography isn’t proof against rubber hose cryptanalysis, or maybe even plea bargaining. 

Drawing from research I’m doing for an article about why bias in face recognition has been overblown, I note that Canada, France and the entire Western world is imposing sanctions on Clearview AI for privacy violations, but Clearview AI is the only U.S. company doing as good or better at face recognition than Chinese and Russian suppliers. I argue that’s because a dubious bias narrative has forced IBM, Amazon, Microsoft and Meta to retreat from the market, leaving us at the mercy of Russian and Chinese tech. 

Megan explains why financial regulators and not the FBI turn out to be the biggest enemies of end-to-end encryption, as they fine JPMorgan Chase a cool $200 million for using WhatsApp and other unbreakable encrypted messaging systems.

Finally, in quick hits,

Download the 388th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

Direct download: TheCyberlawPodcast-388.mp3
Category:general -- posted at: 1:51pm EDT

All the cyber litigation that didn’t get filed, or decided, over Thanksgiving finally hit the fan last week, and we’re still cleaning up. But first, I have to ask Dave Aitel for a sanity check on Log4Shell.

Does it really deserve a 10 out of 10 for impact? And what does it mean for all the open source components buried in all our enterprise software? Dave’s only piece of good news is that some big projects were far enough behind in updates that they hadn’t built the flaw into their products.

In the first of several cyber lawsuits covered in this episode, Jamil Jaffer and I praise Google for a particularly comprehensive and creative approach to suing cybercriminals. RICO plus a boatload of computer privacy violations are at the heart of Google’s complaint against two criminals behind the Glupteba botnet. We note that the defendants deserve credit for their own creativity in using the blockchain to reconstitute their C2 infrastructure. If more criminals did that, Microsoft’s trademark approach—using trademark violations to seize botnet infrastructure—would be less effective. We note that this week Microsoft used litigation to take down a Chinese government network. Is it wrong to complain that Microsoft has been using this approach for long enough that botnets are only inconvenienced, not destroyed, by the tactic?

Maury Shenk digs into the remarkable report that Apple CEO Tim Cook promised $275 billion of investment to China. Five years ago. And we’re only finding out about it now. In secret. When Congress finally gets around to the cyber incident reporting bill that it bumped from the defense authorization act, maybe it will want to classify multibillion dollar deals with China as the kind of cyber incident that ought to be reported to anyone on the receiving end of corporate lobbying campaigns.

The Tenth Circuit finished its Thanksgiving by releasing a massive opinion upholding the constitutionality of Section 702 of FISA. Jamil Jaffer, who played a key role in the adoption of Section 702 walks us through the decision. The decision was 2-1, but not on the main ruling. Instead, the debate was over Article III and the “advisory” nature of FISA court opinions reviewing executive procedures under that section. I confess to some sympathy for the dissent but wonder how it would help the defendant to strike down that procedure.

Dave explains why Tor might not be as secure as we think. A mysterious and likely state sponsored actor is running hundreds of malicious Tor relays. And to add insult to injury, the actor is openly lobbying against measures to cut down on malicious Tor relays. 

But wait, there’s more cyber litigation, and again Jamil talks us through it. A Saudi women's rights activist has brought a Computer Fraud and Abuse Act lawsuit against DarkMatter and its expat American employees for an iPhone hack that she says got her arrested. I’m a little skeptical that the lawsuit will survive a Foreign Sovereign Immunities Act motion.

Maury and I question the wisdom of a recent Italian fine penalizing Amazon over a billion euros, mainly for preferencing sellers who sign up for Prime logistics support.

Dave tells the sad story of Ilya Sachkov, a Russian cybersecurity whiz kid and CEO who may have believed too much that everyone sees cybersecurity as a white hat enterprise. Word is that he may have been too helpful in unraveling the DNC attackers identities in 2016 and is now paying for it with a Russian treason charge.

Maury notes that the U.S. decision to blacklist the Chinese artificial intellgience company SenseTime was carefully timed to guarantee disruption of SenseTime’s IPO. Whether the U.S. action will be more than a delaying tactic remains to be seen, but Maury is skeptical. 

Maury notes that Wikileaks founder Julian Assange has lost an important battle as he fights extradition to the U.S.. Jamil notes that the cyber incident reporting bill didn’t make it into the defense authorization act, as mentioned earlier. He is one of the few cybersecurity buffs who isn’t especially disappointed.

Maury and I disagree about a much-ballyhooed group of companies claiming to combat artificial intelligence bias in hiring. I’ll believe it when they actually expose their recommendations to public scrutiny.  

For those who think bias in content moderation is not a thing, try spending ten minutes with this right-wing French candidate’s very effective campaign ad. Then ask yourself why exactly YouTube thought it wasn’t fit for children. My guess is that it was the ad’s effectiveness that YouTube really disapproved of.

Dave and I puzzle over the Biden administration’s unsatisfying “Initiative for Democratic Renewal”—a big international get-together that got only cursory attention in the U.S., perhaps because its theme is still a little hard to find. And, finally, just to give me an excuse to publicize my latest Cybertoonz comic, Jamil asks for Western militaries what it means to “impose a cost” on ransomware gangs.

With that, the Cyberlaw Podcast bids farewell to 2021. We will return in January.

Download the 387th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

Direct download: TheCyberlawPodcast-387.mp3
Category:general -- posted at: 11:11am EDT

Federal district judge Robert Pitman has enjoined enforcement of Texas’s law regulating social media censorship. The ruling sparks a fight between me and Nate Jones that ranges from how much weight should be given to the speech rights of social media to the Kyle Rittenhouse verdict imposed by Facebook when it decided he was guilty and wouldn’t let anyone disagree. On the merits, as before, we agreed that the Obama appointee was on solid ground (for now) in applying the Tornillo line of cases saying that the government should not directly regulate the editorial judgments of publishers. But the judge’s ruling on the transparency and due process requirements of the law suggests that he wasn’t prepared to give the law a fair shake. So, look for a competitive appeal on the topic and quite possibly a certiorari grant as well. By the time we stop beating this horse, he’s long past any possible right of self-defense.

Megan Stifel has an easier task: Explaining cybersecurity recommendations for rail and other surface transportation companies. The advice is mostly something that could have been offered in the 90s, so we both puzzle over the fierce resistance from industry. Maybe it’s the 24-hour requirement to notify TSA of cyber incidents.

Nate and I explore proposals from the Biden administration to muster a group of like-minded countries to curb sales of surveillance gear to authoritarian regimes. No doubt the initiative was reinforced by news that U.S. State Department phones were recently hacked by exported spyware from Israel. But I think the whole project fails for a simple reason: authoritarian governments can buy all the surveillance gear they need from China, which is happy to sell it. In the absence of credible enforcement, condemning such sales is empty virtue signaling. 

I critique a new story from the Markup about PredPol crime prediction software, which claims the software is biased because it urges the police to patrol more Black neighborhoods than white neighborhoods.

Speaking of stupid, Megan explains how a “smart contract”  turned out to be anything but, allowing hackers to steal $31 million in digital coin.

I ask exactly how the hacker’s feat differs from really good lawyering.

Nate and I look at how well Russia is doing in bringing Twitter to heel with a mobile slowdown. Twitter hasn’t broken yet, but it’s clear that the authoritarians of the world are slowly winning their battle with Silicon Valley.

Megan tells us how a cybersecurity professional at Ubiquiti decided to stop riding with the hounds and to ride instead with the fox. Of course, we all know how most fox hunts end for the fox, and this story is no exception.

In updates, I remind listeners of the elaborate gas-lighting effort put on by Jeff Bezos in trying to blame the Saudis and the National Enquirer for his brother-in-law’s leak of Bezos’s deeply embarrassing text messages. All the investigations that Bezos managed to get started are done now, and the verdict is in: the Saudis didn’t do it.

Megan and I note a Wall Street Journal article on how tough it is to be a spy in a world of smartphones, biometrics, and universal surveillance cameras.  Our reaction: Yup. 

Download the 386th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

Direct download: TheCyberlawPodcast-386.mp3
Category:general -- posted at: 10:20am EDT

This week we celebrated International Tech Policy Week, which happens every year around this time, when the American policymakers, the American execs who follow them, and the U.S. journalists who report on them all go home to eat turkey with their families and leave tech policy to the rest of the world.  

Leading off a review of China’s contribution to the week, Paul Rosenzweig and Jordan Schneider cover Beijing’s pressure on Didi to delist from a U.S. stock exchange. If you believe it is about data security, I have a Chinese unicorn tech stock, soon to be half a unicorn, to sell you.

Jordan explains why China is also taking Tencent to the woodshed for not quite getting the message about who makes the rules. In case you’re not getting the message, he also covers China’s decision to impose fines on tech firms for a decade’s worth of M&A deals.

David Kris turns what could have been a U.S. story—insurers’ running for cover with regards to ransomware losses—into an international story by focusing on a proposal from Lloyds of London.

Paul and I dig into a story that starts in the U.S. but soon moves abroad,  Apple’s slightly weird computer fraud and abuse lawsuit against the international exploit firm, NSO Group. I point to other stories that seem to me to signal that tech hubris on this issue is out of control. Facebook is trying to stop undercover cops from using fake accounts to collect quasi-public information. And Apple is telling its customers when it discovers that they are the targets of state-sponsored malware. This is wholesale interference with law enforcement activity that in other contexts would simply be unexceptionable undercover work or lawful interception of communications. In Apple’s case, it’s egregious, since the company has not explained how it will manage to avoid blowing up legitimate counterterrorism and criminal investigations that are using malware because Apple has already foreclosed less dramatic options. Meanwhile, in Israel, the demonization of NSO Group has led authorities to dramatically cut the number of countries to which spyware can be exported. Iran may not be on the list, but Israel seems to have exported plenty to that country, which is now returning the favor, as cyberconflict begins hitting ordinary citizens in both countries.

David, Paul and I reveal our history-based prejudices as we examine the latest mini flap that briefly detained Congress’s proposed cyber incident reporting mandate—its failure to require simultaneous reporting to the FBI. That is a dumb idea, and the Senate seems to have treated it with exactly the amount of deference it deserved. At least that’s my view from inside the locker.

Jordan touches briefly on a Chinese province’s plan to construct a surveillance system for foreigners. He thinks there’s more (or maybe less) to the story than it appears. He also covers the U.S. decision to  blacklist Chinese quantum computing companies, giving me a chance to divert him to coverage of the Endless Frontier Act and China’s peculiar decision to turn it into a BFD. 

David and I dig into a proposed (and likely to pass) new UK law on IOT security that looks a lot like California’s law on the same topic.

In quick hits and updates, I note that Meta will have trouble delivering end-to-end encryption on Facebook and Instagram before 2023. And despite efforts to toxify the entire field and this company in particular, Clearview artificial intelligence’s face recognition tool is performing very well against international competition. I also note that my research suggests that the whole “AI bias” narrative about face recognition has been stuck in 2016 and has ignored the remarkable accuracy (and debiasing) strides the industry has made in recent years. 

 

 

Download the 385th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-385.mp3
Category:general -- posted at: 9:06am EDT

Among the many problems with the current social media enthusiasm for deplatforming is this question: What do you do with all the data generated by people you deplatformed?  

Facebook’s answer, as you’d expect, is that Facebook can do what it wants with the data, which mostly means deleting it. Even if it’s evidence of a crime?  Yes, says the platform, unless law enforcement asks us to save it. The legal fight over a deplatformed group that defended historical statues (and may have shot someone in the process) will tell us something about the—law of deplatformed data as will the fight over Gambia’s effort to recover evidence of deplatformed human rights evidence. In the end, though, we need a law on this question. Because, given their track record in content moderation, leaving the question to the discretion of social media will translate into platforms’ preserving only evidence that hurts people they hate.

Tired: Data breach reporting. Wired: Cyber incident reporting. The unanimous view of our news panelists, Paul Rosenzweig  and Dmitri Alperovitch, is that cyber policy has turned from reporting personal data breaches to reporting serious cyber intrusions no matter what data is compromised. The latest example is the financial regulators’ adoption of a rule requiring banks and similar institutions to report major cyber incidents within 36 hours of determination that one has occurred. 

But who will make that determination and with what certainty? Dmitri’s money is on the lawyers. I think there’s a great ER-style drama in the process: “OK, I’m going to call it.  No point in trying to keep this alive any longer. Time of determination is 2:07 pm.”

Back after a long absence, we add an interview to the news roundup. David “moose” Wolpoff and Dan MacDonnell of Randori explain the consternation over their startup’s use of a serious vulnerability to conduct realistic penetration tests of buttoned-up networks instead of reporting it right away to the software provider. They argue that the value of zero days for pentesting is great and the risk of harm low, if handled responsibly. In fact, the debate sounds a lot like the arguments around the table at a government Vulnerability Equities Process (VEP) meeting.  And that makes me wonder whether the people pushing for a stricter VEP have any idea at all what they’re talking about.

Dmitri lays out the surprising complexity and sophistication of the Iranian attempt to influence the 2020 election. I’m less convinced. The Iranian effort failed, after all, and it resulted in the hackers’ indictment. 

I dig into a recent brief by Hikvision claiming that the FCC lacks authority to bar sales of its products in the U.S. I’m only half convinced by the legal claim, but I am sure of this: The Hikvision argument has created an opportunity for some enterprising politician to sponsor quick, uncontroversial legislation giving the FCC the authority that Hikvision says it doesn’t have.

Dmitri explains the latest advance of the hardware hack known as Rowhammer. It may not be deployed routinely even now, he says, but the exploit makes clear that we will never entirely secure our cyber infrastructure.

Paul and I agree that it’s perfectly legal for the government to buy advertising data that shows citizens’ locations. We more or less agree that some restraint on sales of location data—at least to the Russian and Chinese governments and maybe to anybody—are in order. 

Paul and I offer muted and squeamish criticism of a Big Report claiming that child sexual abuse is exploding online. There’s no doubt that it’s a problem that deserves more legal and platform effort, but the authors did their cause no favors by mixing kids exchanging nude selfies with truly loathsome material.

Dmitri and I perform a public service announcement about a scam that takes advantage of security habits that the banks have encouraged us to get used to. Zelle fraud is going to make us all regret those habits. 

And hopefully it will finally get banks to use hardware tokens instead of text messages to verify our transactions.

Germany and Mandiant are at odds in attributing the government sponsor of the Ghostwriter hacking gang. Germany, backed by the EU, says it’s Russia. Mandiant says it’s Belarus. 

Dmitri says “Never bet against Mandiant on attribution.” I can’t disagree.

Finally, Dmitri joins me in an appreciation of Alan Paller, who died last week. He was a major influence in cybersecurity,  and a role model for successful entrepreneurs who want to give back using their institution-creating skills.

Download the 384th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-384.mp3
Category:general -- posted at: 9:04am EDT

Two major Senate committees have reached agreement on a cyber incident reporting mandate. And it looks like the big winners are the business lobbyists who got concessions from both committees. At least that’s my take. Dmitri Alperovitch says the bill may still be in trouble because of Justice Department opposition. And Tatyana Bolton not unfairly credits the Cyber Solarium Commission for incident reporting getting this close to passage.  

Meanwhile, another piece of legislation, the Secure Equipment Act of 2021, has already been passed and signed by the president. It will lock a boatload of Chinese equipment out of U.S. markets. Dmitri explains why the FCC needed this additional authority. 

Mark MacCarthy explicates the EU court ruling that upheld a $2.8 billion award against Google for “self-preferencing” in shopping searches.

If you’re surprised by the Kyle Rittenhouse trial, and the strength of the defense case, you can blame Facebook and Twitter, which astonishingly suppressed posts arguing that Rittenhouse had acted lawfully in self-defense. In a reverse John Adams moment, Twitter even suspended Rittenhouse’s defense counsel for defending him. And Facebook declared him guilty of a mass shooting and blocked searches for his name. If you want more content mob-eration like that in your podcast feed, well, no worries: the NYT is on it; the gray old lady is demanding to know why woke censorship hasn’t yet come to podcasts.

This has turned out to be a pretty good week for catching bad guys, Dmitri reports. REvil affiliates have been, arrested, indicted, and had some of their 

ill-gotten gains seized.

Mark unpacks yet another bipartisan tech regulation-cum-competition bill. This one aims to reduce platforms’ ability to foist "opaque algorithms" on their users. Tatyana notes that a lot of the bills trying to improve portability and competition are likely to raise cybersecurity concerns.

Dmitri and I aren’t impressed by the hoax email sent out in the FBI’s name from a poorly designed FBI website. It’s one step up from defacing the FBI’s website. I argue the bureau ought to give the hacker a low four-figure bug bounty and call it a day, but Dmitri thinks the hacker will be on the FBI’s most wanted list for a while. I tend to agree; there is, after all, no greater crime than embarrassing the bureau.

In quick hits: 

  • Mark gives us a quick overview of the states’ recently updated antitrust complaint against Alphabet's Google.
  • Tatyana and Dmitri talk about the implications of the Commerce Department sending information requests to the world’s top chipmakers.
  • Tatyana explains (as much as anyone can) Elon Musk’s decision to sell a bunch of Tesla stock because that’s what Elon Twitter wanted. We note that Elon promised to show his tweets to a lawyer in advance if they could move the market and wonder whether he actually found a lawyer who thought that tweet was a good idea.
  • I do a quick victory lap for having suspected that Frances Haugen’s incoherent retreat from criticizing Facebook’s end-to-end encryption was forced on her by the Silicon Valley version of the Deep State. Thanks to Politico, we now know her European tour was run by a batch of lefty digerati who hate Facebook, but not as much as they hate the FBI. 
  • And I mourn the fact that this week the U.S. government finally surrendered to Microsoft and joined the Paris Call for Trust and Security in Cyberspace.

Download the 383rd Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-383.mp3
Category:general -- posted at: 10:13am EDT

We’re joined for this episode by Scott Shapiro, long-time listener and first-time panelist, not to mention our first philosopher. He breaks down the Biden administration sanctions on four offensive cyber firms, most notably the Israeli company, NSO. Imposing Commerce Department “entity list” sanctions on companies from friendly countries for human rights abuses is a departure from historical practice, and exactly how it will work out remains uncertain. The sanctions are not a death penalty for companies like NSO, we conclude, since U.S. companies can still buy their services even if they can’t sell NSO anything more sophisticated than toilet paper.

The Pentagon is a bastion of top-down cybersecurity regulation. In theory, that’s what the Cybersecurity Maturity Model Certification program was all about—comprehensive and mandatory cybersecurity regulation for defense contractors. But as Nate Jones describes it, the Department of Defense’s effort to actually put the regulations in place are a cautionary tale. The Pentagon has revamped and delayed its standards again. The new proposal may well be more workable and less bureaucratic than the last, but it also pushes the day of reckoning for contractors years into the future.

Jamil Jaffer thinks the good guys may have won another battle with ransomware gangs, but it’s probably too soon to tell. On the heels of REvil claiming to be out of business,  DarkMatter is making similar noises. But we won’t know for sure until the gangs have gone quiet for more than a couple of months.

Decoupling is still proceeding apace, as Yahoo surprises us all by announcing that it’s pulling out of China. (I’d forgotten they were still in.) 

Jamil and Nate note that GitHub is the last big Western web company left in China. And even for GitHub, the ice appears to be cracking under its feet. 

Scott takes us deep into jurisprudential philosophy in covering the ACLU’s threepeated loss as it argued a first amendment right to read classified FISA court opinions. It may be a first for our podcast to reference Marbury v. Madison, and it’s certainly a first to raise questions about whether it was correctly decided! Jamil also gives us a quick assessment of what Justice Gorsuch’s willingness to take the case tells us about his future role in national security cases.

Nate and I give the backs of our hand to legislative proposals to expand from “Five Eyes” to ‘Nine. I make the argument that we’re really down to Three.

Clearview AI took a beating down under for breaching Australians' privacy law. Nate is short on sympathy. He thinks a more responsible set of actors might have prevented the toxification of face recognition. I argue that the toxification came first, and the dearth of big respectable face recognition firms came later. As witness Facebook being driven from the market by a $650m award under the Illinois Biometric Privacy Act.

In quick hits:

  • For old time’s sake, Nate and I clash over lefty efforts to define a lack of enthusiasm for climate-based regulation as “digital hate.”
  • Jamil and I offer qualified endorsements of the State Department’s new cyber bureau.
  • I namecheck podcast regular Paul Rosenzweig and others for a thoughtful report on Chinese platforms in the United States. 
  • I see some good news for cybersecurity in the Cybersecurity and Infrastructure Security Agency’s latest Binding Operational Directive mandating that federal agencies we know are being exploited right now. I note that the directive is addressed to federal agencies to quickly patch vulnerabilities but aimed quite deliberately at private owners of critical infrastructure. Don’t say you weren’t warned!

Download the 382nd Episode (mp3) 

 You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-382.mp3
Category:general -- posted at: 10:56am EDT

In this episode, Dave Aitel and I dig into the new criminal law the House intelligence committee has proposed for workers at intelligence agencies. The proposal is driven by the bad decisions of three intel agency alumni who worked for the United Arab Emirates, doing phone hacking and other intrusions under the sobriquet of Project Raven. Dave criticizes the broad language, the assumption that hacking for the government teaches things you can’t learn in the private sector, and the use of criminal penalties where reporting obligations would suffice. I plug a podcast on the topic released by the Association of Former Intelligence Officers.

Maury Shenk and I dig into the Federal Communications Commission's decision to kick China Telecom off the U.S. telecommunications network. My view: this decision was overdetermined, a perfect storm of bad politics, poor decisions by China Telecom, and the fact that no American company has ever been licensed to do in China what China Telecom has spent 20 years doing in the United States.

We also dig into the proposal of a global regulatory alliance, Financial Action Task Force (FATF), to impose some fairly strict requirements on cryptocurrency transactions.  A lot of companies are criticizing the proposal, but unlike five years ago, they’re weighed down by the existence of an entire ransomware industry that depends on cryptocurrency.

The EU, meanwhile, is struggling to implement sanctions for cyberattacks. As usual, Europe is its own worst enemy, tied down by excessive politicization, weak intelligence collection made weaker by a lack of sharing, and aggressive judicial oversight.

Maury and I track down a tip about France trying to turn cloud security standards into a weapon for excluding U.S.-owned providers. The big cloud companies are deemed insecure because they aren’t immune to U.S. legal process. But neither are the “big” European champions, since they almost certainly are subject to U.S. jurisdiction. So not only will EU buyers of cloud services be stuck with Deutsche Telekom and its two percent market share, they still won’t be safe from the long arm of U.S. discovery. European data protection policy at its finest!

We briefly explore Facebook whistleblower Frances Haugen’s flirtation with criticizing Facebook for adopting end-to-end encryption (e2e). Once she discovered that criticizing e2e is beyond the pale, however, she retreated into a cloud of incomprehensibility. I capture the moment in my latest effort to turn cyber policy into cartoons.

Download the 381st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-381.mp3
Category:general -- posted at: 9:12am EDT

We begin the episode with Michael Ellis taking a close look at the takedown of the ransomware gang. It’s a good story for the good guys, as REvil seems to have been brought down by the same tactic it used against so many of its victims—malware that lingered in the backups it used to restore its network. I note that this seems to be a continuation of efforts that were interrupted in the early summer—and led to a lot of criticism that the FBI had prioritized its intrusion and takedown over giving victims the decryption key. Looks like the FBI is getting the last laugh.

The U.S. is trying to hold Putin responsible for stopping Russian ransomware gangs. Michael thinks that effort is not advanced by recent statements from the Pentagon raising doubts about whether Putin actually has the ability to stop the attacks.

One technology where Russia’s capabilities have grown stronger is, naturally, the ability to censor and suppress criticism both on domestic and Western platforms. David Kris discusses the kinds of hostages Russia has learned to take, and their success in bringing Western social media to heel.

The U.S. Commerce Department has released a complex new rule for the export of network intrusion tools. Meredith Rathbone, from Steptoe’s trade regulation practice, boils the rule down to a few soundbites. The short version? Commerce has done a pretty good job of protecting legitimate distributors of intrusion software, but even the good guys are going to have to save a lot more receipts.

Michael and Paul Rosenzweig reprise the latest news about content moderation, particularly Twitter’s own study showing that its algorithms offer up a bit more conservative than left-wing content. That raises the question whether right-leaning commentary and news is more popular because more people want it. If so, the employees at Facebook are determined to keep it from them, as recent leaks show aggressive internal efforts to squash Breitbart’s reach on the platform.

David and I unpack Ian Bremmer’s Foreign Affairs article on “How Big Tech Will Reshape the Global Order.” David sees more in the piece than I do.

Paul and Michael kick off a discussion of our negotiations with the EU over transatlantic data flows. But in no time, all four of us are sounding off. We offer some solutions, and plenty of criticism for the EU (“The continent that invented hypocrisy”). 

David notes that NSA is pursuing more collaboration with the private sector. How well that will work out is TBD, we agree.

In quick hits and updates:

  • I note with irony that Frances Haugen has discovered the limits of criticizing Facebook. Whatever you do, you can’t criticize WhatsApp’s growing use of end2end encryption, even if it does allow the service to ignore foreign cyberespionage.
  • Trump and TRUTH are together at last, and Paul has the details. Bottom line: it feels like a typical Donald Trump production: great hype, plenty of controversy, and weak execution
  • Hackback, isn’t dead, it turns out, yet. I discuss the political and business advocates for a kinder, gentler version of private hackback, modeled on private investigators.

Download the 380th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-380.mp3
Category:general -- posted at: 10:38am EDT

Fresh from his launch of the Alperovitch Institute for Cybersecurity Studies, Dmitri Alperovitch kicks off this episode with a hopeful take on the 31-nation videoconference devoted to combatting ransomware. He and Nate Jones both think a coordinated international effort could pay off. I challenge Dmitri to identify one new initiative that this group could enforce, and he rises to the occasion.

Dmitri also previews one of the proposals for regulating Silicon Valley that might yet make it through Congress—a ban on “self-preferencing” by platforms that sell both their own and other people’s products. No, we don’t get out of this discussion without a “Master of our domain” Seinfeld reference. Or a nod in the direction of China’s even more aggressive use of antitrust remedies against companies like meal delivery giant Meituan.

Tatyana Bolton, meanwhile, identifies a second front in the attack on Big Tech – regulation of algorithms. This leads us into a discussion of freedom of speech versus “freedom of reach” and a WSJ story on the weaknesses of Facebook’s AI system for downrating but only occasionally nuking “hate speech.” I argue that social media will embrace AI reach restrictions, if only as a way to make sure the victims of Silicon Valley censorship never realize how much their voices are being squelched.

Microsoft has given up its ambitions for LinkedIn’s China operations, Dmitri notes, dropping the social media elements and moving to straight job listings. I think the retreat was overdetermined by the Chinese government’s effort to extract both financial and political concessions from Microsoft. In more news about Chinese regulation, it turns out that the Chinese ban on crypto-mining didn’t quite reach the crypto miners using state resources.

But if China is slowly poisoning its high-tech sector, why does a former Pentagon official think the U.S. has lost the AI race to China? Nate and I are cautiously skeptical of that view, not least because of the official’s, uh, provenance.

Tatyana and I dig into WhatsApp’s somewhat limited adoption of encrypted backups, and the policy’s likely impact on law enforcement and different categories of criminal. In quick hits, I also nod to the critique of “client-side scanning” of phone content for law enforcement offered by All the Usual Cryptographers.

In more comic relief, the governor of Missouri embarrasses himself by threatening criminal prosecution after a state website’s security flaws are exposed by a reporter who seems to have done all the right things from a responsible disclosure point of view.

In other quick hits, 

  • I report on Facebook’s appeal of the magistrate opinion unexpectedly gutting the Stored Communications Act for everyone who’s ever been deplatformed by social media. It’s a workmanlike effort, but only mildly persuasive. This could turn out to be a big hole in the SCA, I offer.
  • Dmitri breaks down the federal government’s plan to issue SD cards to all its employees for network access. It’s a good idea, he thinks, but saying it will end phishing of employees is more fond hope than reasonable expectation.

Download the 379th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-379.mp3
Category:general -- posted at: 2:06pm EDT

The theme of this episode is a surge of creativity in the Biden administration as it searches for ways to regulate cybersecurity and cryptocurrency without new legislative authority. Paul Rosenzweig lays out the Department of Homeland Security’s entries in the creativity sweepstakes: New (and frankly pretty modest) cybersecurity directives to the rail and air industry plus a much more detailed (and potentially problematic) set of requirements for pipeline companies. Matthew Heiman describes a Justice Department plan for enforcing cybersecurity rules for federal contractors that should chill the hearts of management: an initiative that raises the prospect of whistleblower suits under the False Claims Act for failure to disclose breaches to the government. I suggest that this means the notoriously short tenure of the Chief Information Security Officer (CISO) at large companies will now come with a built-in retirement compensation package.

Creativity in regulating cryptocurrency was signaled both by the White House, which is working on a broader and more coordinated regulatory approach and by the Justice Department, which is planning a major criminal investigative approach to the industry. Nick Weaver gives us the details.

Paul covers a remarkably creative assertion of The Committee on Foreign Investment in the United States (CFIUS) jurisdiction over a Chinese purchase of Magnachip, a company with virtually no ties to the United States. Despite having no obvious skin in the game, CFIUS insisted on a CFIUS filing under President Trump and then vetoed the deal under President Biden. I suggest that the claim of extraterritorial jurisdiction, which in other circumstances might have annoyed South Korea, is in this case a good way for South Korea to avoid taking heat from China. 

Paul explains why the Facebook outage was a much bigger deal than Americans realized. If you were living in Costa Rica, the loss of Facebook and WhatsApp, he says, could have greatly complicated every aspect of daily life, including calls for emergency services.

Paul digs into the return of “hactivism”—not to mention skepticism about hactivism. I marshal the evidence that the Pandora Papers were the result of hacks, not leaks—and roast the newspapers feasting on the hack for their utter hypocrisy. Hey, Marty Baron! We haven’t forgotten that after the Democratic National Committee (DNC) leaks of 2016, you said “Before reporting on the release of hacked or leaked information, there should be a conversation with senior editors about the newsworthiness of the information, its authenticity and whether we can determine its provenance... If a decision is made to publish a story about hacked or leaked information, our coverage should emphasize what we know—or don’t know—about the source of the information and how that may fit into a foreign or domestic influence operation. Our stories should prominently explain what we know about the full context of the information we are presenting, including its origins and the motivations of the source, including whether it appears to be an effort to distract from another development.” We’re still looking for that “full context” in the Pandora Papers or the Epik leaks.

Nick fills us in on Facebook’s extreme reaction to the creation of a tool that allows users to escape the News Feed. I discover that I’ve completely missed the central Facebook experience because I semi-inadvertently disabled the news feed.

Paul offers some surprising news about the limits of Artificial Intelligence (AI). Turns out, it’s not that good even at some of the things it should be superb at, like radiology reviews.

Nick and I explore Google’s acceptance of warrants based on search terms. He thinks that this has gone on under the radar for some time because both government and Google think the public reaction will be bad for business. 

Finally, in two quick hits:

I brag about the proof that I’m one of the 14,000 Gmail users that the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) fears most: Google caught the Russian spy agency trying to phish me with a doctored Word document. 

And Matthew reveals what the Russian SolarWinds hackers were looking for. From all the SolarWinds bad news, we extract this bit of good news: U.S. sanctions are really getting under Putin’s skin. So much so that sanctions are among Russian spies’ top collection priorities.

And more!

Download the 378th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-378.mp3
Category:general -- posted at: 9:24am EDT

This is the meatiest episode in a long time, as Dmitri Alperovitch, Dave Aitel, and Mark MacCarthy go deep on the substance of a dozen stories or more. 

First up, Dmitri and I speculate on possible outcomes from the newly announced administration plan to convene 30 countries to crack down on ransomware. We also report on what may be the first conformed death resulting from the equipment failures caused by ransomware—a newborn strangled by its umbilical cord without the usual electronic warnings. 

Dmitri also recaps and explains a new cryptocurrency regulatory topic that doesn’t concern its use in ransomware schemes—the move to ensure the financial stability of stablecoins. 

Dave weighs in on two surprising provisions of the House intel authorization bill. The first would respond to the Project Raven incident by imposing new controls on ex-spies working for foreign governments. No one is against the idea, but no one thinks that the problem is limited to alumni of a few intelligence agencies. And the bill’s sweep is far broader than cases like Project Raven. I make the argument that it may criminalize ex-spies giving security advice to Airbus, or perhaps even the Atlantic Council.

The second imposes reporting requirements on U.S. government purchases of vulnerabilities from foreign vendors. This leads to a discussion of which nation has the best offensive talent. Dave thinks the old champ has been decisively dethroned. 

In other legislative news, Dmitri covers the three committees producing bills to require cyber incident reporting, with special emphasis on the recently leaked bill from Senate Intel.

It’s a very aggressive bill, perhaps designed to stake out negotiating room with the Homeland committees. I ask, “What’s the difference between Europe’s staggering fines for General Data Protection Regulation (GDPR) violations and the fines for violating U.S. cyber reporting obligations?” The answer: about two weeks, at which point the maximum fine due to the U.S. will exceed the top European fine.

Mark gives an overview and some prognostication about Google’s effort to overturn the EU’s $5 billion antitrust fine for its handling of Android. 

Dmitri and I find ourselves forced to face up to the growing soft power of Russia and China, which are now increasingly forcing Silicon Valley companies to project Russian and Chinese power into the West. Russia, having forced Apple and Google to send hostages in the form of local employees, are trying to use their leverage to control what those companies do in countries like Germany.  And Linkedin, the last Western social media company still standing in China, is trying to keep that status by asking Americans to self-censor their accounts.

At Dave’s request, we visit a story we missed last week and explore all the complex equities at work when the FBI decides whether to use ransomware keys for remediation or disruption.

Mark gives an overview of the new Federal Trade Commission, where regulatory ambition is high but practical authority weak, at least until the Senate confirms a third Democratic commissioner.

Waiting in the wings for that event is even more antitrust action, possible new online privacy rules and Commissioner Slaughter’s enthusiasm for addressing racial equity quotas under the guise of algorithmic fairness.

Dmitri offers his best guess about the recent Russian arrest of a cybersecurity executive for treason (that’s the second in five years if you’re counting) and the U.S. decision to send a Russian scammer back to Russia after bitterly fighting to extradite him from Israel (it’s the magic of time served awaiting extradition, I speculate).

 In quick hits:

  • Dmitri makes a public service announcement about the ways that Two-Factor Authentication (2FA) can be subverted. 
  • I celebrate some good news for the U.S.: China is planning to encourage provincial controls on the design and use of user algorithms. That’s bound to give US companies a new competitive advantage in a field where TikTok has passed them.
  • Dave and I dissect the guilty plea of former Ethereum developer Virgil Griffith to violating U.S. sanctions to offer a bland speech on cryptocurrency in North Korea. 
  • I give the highlights of two new and eminently contestable cyberlaw rulings:
  • In U.S. v. Wilson, the Ninth Circuit decided that law enforcement needs a warrant to open files that it knows from hashes are 99.9 percent certain to be child porn. The decision would be unfortunate if it weren’t meaningless; the hash itself provides probable cause, so warrants will be quickly and routinely issued. Thanks for the make-work, EFF! 
  • And a magistrate judge clearly gunning for promotion has written a Stored Communications Act opinion that would fill me with concern about the way it empowers Silicon Valley’s biased Trust and Safety operatives to de-platform people and then turn their posts over to law enforcement without the subpoena they usually demand. I would worry more about those troubling consequences if I thought the opinion would survive.  
  • And, finally, Dmitri is pleased to find one field where AI is succeeding without controversy, as machine learning declares a famous Peter Paul Rubens painting, Samson and Delilah, to be a fake. But how long, I wonder, before this AI is forced by the FTC to correct its notorious anti-Flemish bias?

And more!

Download the 377th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberLawPodcast-377.mp3
Category:general -- posted at: 1:51pm EDT

In this episode, we welcome Nick Weaver back for a special appearance thanks to the time-shifting powers of podcast software. He does a sack dance over cryptocurrency, flagging both China’s ban on cryptocurrency transactions and the U.S. Treasury’s sanctioning of the SUEX crypto exchange.

Maury Shenk explains the plans that the Biden administration and the EU have for Big Tech and the rest of us. Hint: it involves more content moderation in support of, err, democracy.

Adam Candeub gives us a tour of Wall Street Journal’s the deeply reported series on Facebook’s difficulties managing the social consequences of, well, the internet, a responsibility that the press is determined to impose on the company. Among the quasi-scandals turned up by the Wall Street Journal is details on the list of “secret elite” of users protected from Facebook’s clunky and clueless content moderation algorithms. But really, in today’s world, true power is about escaping the clueless algorithms otherwise imposed on us by various authorities. We all aspire to join that elite. And perhaps we all can, if Ohio’s Attorney General and its latest Senate candidate get their way, making Google into a common carrier. (If that happens, we’ll credit Adam, who wrote an amicus brief in support.)

And what’s an elite without its hands on the levers of industry? China’s embrace of national champions on the world stage has forced a rethinking in the West of industrial policy. So, the auto industry’s commercial problem (they want cheap, plentiful, and antiquated chips for their cars) is suddenly a matter for White House meetings, and hints that the government might have its own supply allocation plans.

In fact, regulating the private sector is so in vogue, as long as it’s a tech-ish private sector, that California barely made news when it imposed a new and almost undefinable regulatory obligation on warehouse companies like Amazon. At bottom, I argue, this is yet another attempt to put workers back on top of the algorithm—by demanding that it explain itself.

Maury next takes us to the heart of algorithmic power and our unease with it, explaining that Google now admits that it has no idea how to make AI less toxic.

In quick hits:

  • Washington whispers about Zoom’s ties to China have grown louder, as the U.S. government announces a national security review of its proposed acquisition of Five9 for $15 billion. 
  • Contrary to my understanding, at least one former intel operative who went to work for the United Arab Emirates in Project Raven landed very much on his feet—as CTO at ExpressVPN, though company employees have been expressing unhappiness about his history.
  • And podcast regular Dmitri Alperovitch has an op-ed in the New York Times that urges much tougher tactics in the fight against ransomware gangs. 

And more!

Download the 376th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-376.mp3
Category:general -- posted at: 10:54am EDT

Jordan Schneider rejoins us after too long an absence to summarize the tech policy coming out of Beijing today:  Any Chinese government agency with a beef against a tech company has carte blanche to at least try it out. From Didi and others being told to stop taking on subscribers to an end to Western IPOs, to the forced contributions to common welfare, China’s beefs with Big Tech sound a lot like those in the West (well, except for the complaints about AI-enabled censorship). What’s different is that China has freed up its agencies to actually throw sand in the gears of technology businesses. Jordan and I explore the downside of empowering agencies this way. First, it makes the Chinese government responsible for an enormous and hard to govern part of the economy, as the government’s problems with the overvalued property sector show. And it creates opportunities for companies that are better at politics than customer service to cripple their competitors.

Meanwhile, the U.S. government is trying out its own version of letting a thousand regulatory flowers bloom. Michael Weiner unpacks the new, amended complaint in FTC v. Facebook and concludes that the FTC has done a plausible job of meeting the objections that led the district court to throw out the first complaint.

Then he tells us the five buckets of sand the Biden administration is dumping into technology merger law in the hope of slowing a massive acquisition boom, from no longer granting early termination, insisting on future merger approvals in standard consent agreements, issuing “close at your own peril” letters when they haven’t finished their review, and replacing the Vertical Merger Guidelines issued in June 2020 with, uh, nothing.

Pete Jeydel takes us on a tour of Project Raven and the deferred prosecution agreements imposed on three former U.S. government hackers who sold their services too freely to the United Arab Emirates. The cases raise several novel legal issues, but one of the mysteries is why the prosecutors ultimately settled the cases without jail time. My guess? Graymail.

In quick hits and updates we note: That TikTok faces an Irish General Data Protection Regulation probe over children’s data and–more significantly–its transfers of data to China. What’s most remarkable to me is how long TikTok has staved off this scrutiny. Who says Donald Trump was bad for Chinese tech companies?

President Biden has nominated a 5th Federal Trade Commission Commissioner. Alvaro Bedoya is a Georgetown Law professor who writes about privacy and face recognition. There’s a lot of dumb stuff out there about AI bias and face recognition, but I’m pleased to say that it doesn’t look as though Prof. Bedoya wrote any of it.

The special prosecutor for Russia-Russia-Russia-gate has indicted a Perkins Coie lawyer for lying to the FBI general counsel while turning over a bunch of bogus evidence of Donald Trump’s ties to Russia. Turns out, I know all of the principals in this drama, and it’s uncomfortable.

Captain Obvious, speaking for the FBI, acknowledged that there is “no indication” Russia has cracked down on ransomware gangs after President Biden yelled at Vladimir Putin about them.

The 4th Circuit has tossed Wikimedia’s money-wasting lawsuit against the National Security Agency for its collection of overseas intelligence in the U.S.

And the Bolsonaro’s ban on social media censorship of politicians has been doubly overturned by the Brazilian Senate and its Supreme Court, leaving Bolsonaro’s decree in the same place as Florida’s (and, probably soon, Texas’s) effort to do something similar.

And more!

Download the 375th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-375.mp3
Category:general -- posted at: 12:14pm EDT

The district court has ruled in the lawsuit between Epic and Apple over access to the Apple app store. Apple is claiming victory and Epic is appealing. But Apple’s victory is not complete, and may have a worm at its core. Jamil Jaffer explains.Surprised that ransomware gangs REvil and Groove are back—and thumbing their noses at President Biden? Dmitri Alperovitch isn’t. He explains why U.S. ransomware policy has failed so far.

WhatsApp has finally figured out how to let users encrypt their chat backups in the cloud, to the surprise of many users who didn’t realize their backups weren’t encrypted.

Speaking of the encryption debate, Dmitri notes that Proton Mail joined the scrum this week, in a way it no doubt regrets. After all its bragging that mail users’ privacy is “protected by Swiss law,” Proton Mail disclosed that Swiss law can be surprisingly law enforcement friendly. Responding to a French request through Europol, Swiss authorities ordered the service to collect metadata on a particular account and overrode what had been seen as a Swiss legal requirement that users be notified promptly of such actions. 

Is China suffering from Russia’s Main Intelligence Directorate (GRU) envy? I ask and David Kris answers: It sure looks that way, as China has begun trying to rally Chinese in America to support Chinese government positions on things like the origin of COVID. So far, China’s record of success is as dismal as the GRU’s but I argue that it poses a bigger problem for the body politic and Chinese American interest groups.

Who’d have guessed? Turns out that the EU’s always-flakey General Data Protection Regulation (GDPR) provision against allowing automated decision making that affects people isn’t just a charming nostalgia act; it’s yet another reason for Europe to be left behind in the technology race. Jamil reports on a high-powered UK task force recommendation that the Brits dump the provision in order to allow for the growth of an AI industry.

David and I debate the meaning of Brazilian President Jair Bolsonaro banning social networks from removing political posts.

And in a few quick hits:

  • I praise the Biden administration (faintly) for finally kicking off serious negotiations with the EU about transatlantic data transfer.
  • Dmitri dissects the undiplomatic speech of China’s ambassador to the U.S.
  • David downloads the inside poop on smart toilets. Among other things, they’ll be identifying us with, uh, let’s just call it the opposite of facial recognition. 
  • And Dmitri offers a solution for the dual European Community encryption story.

And more!

Download the 374th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-374.mp3
Category:general -- posted at: 1:32pm EDT

Back at last from hiatus, the podcast finds a host of hot issues to cover. Matthew Heiman walks us through all the ways that China and the U.S. found to get in each other’s way on technology. China’s new data security and privacy laws take effect this fall, and in keeping with a longstanding theme of the podcast—that privacy law is mostly about protecting the privilege of the powerful—we muse on the ways that legal innovations in the West have empowered China’s rulers. The SEC is tightening the screws on Chinese companies that want to list on American exchanges. Meanwhile, SenseTime is going forward with a $2 billion IPO in Hong Kong despite being subject to the stiffest possible Commerce Department sanctions. Talk about decoupling!

In Washington, remarkably, a bipartisan breach notification law is moving “We Can’t Run a Twelfth-Century Regime Without WhatsApp!” through both House and Senate. Michael Ellis explains the unorthodox (but hardly unprecedented) path the law is likely to take—a “preconference” followed by attachment to the defense authorization bill scheduled to pass this fall. 

I ask Brian Egan for the tech fallout from the fall of the U.S.-backed regime in Afghanistan. All things considered, it’s modest. Despite hand-wringing over data left behind, that data may not be really accessible. Google isn’t likely to turn over government emails to the new regime, if only because US sanctions make that legally risky. The Taliban’s use of WhatsApp is likely to suffer from the same sanctions barrier.  I predict a Taliban complaint that it’s being forced to run a thirteenth century regime with twelfth century technology.

Meanwhile, Texas Republicans are on a roll, as Democrats forced to return to the State House sit on their hands. They’ve adopted a creative and aggressive antiabortion law that has proven a challenge to tech companies, which responded by canceling tech services for pro-life groups and promising to defend gig workers who are caught up in litigation. Texas has kept pace, adopting a bill that limits Silicon Valley censorship of political speech; it raises many of the same issues as the Florida statute, but without the embarrassing prostration before the Disney theme park empire. I ask whether Texas could have used the same tactics for its interpretation of Section 230 that it used in the abortion bill—authorizing private suits but not government enforcement. Such tactics work when there is a real possibility that the Supreme Court will overturn some settled circuit rulings, and section 230 is ripe for exactly that.

Matthew Heiman and I debate whether the Justice Department’s dropping of several Chinese visa fraud cases heralds a retrenchment in the department’s China Initiative.

Michael and I dig into the Apple decision to alienate the Guardians of Privacy in an effort to do something about child sex abuse material on iPhones—and Apple’s recent decision to alienate the rest of the country by casting doubt on whether it would ever do something about child sex abuse material on its phones.

Finally, in quick hits, Brian doubts the significance of claims that the Israeli government is launching an investigation of  NSO Group over spyware abuse. Michael picks apart the Cyberspace Solarium Commission’s report card on Congress’s progress implementing its recommendations. And Brian highlights the UK’s new and much tougher version of CFIUS, the National Security and Investment Act 2021. I turn that into career advice for our listeners.

And more!

Download the 373rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-373.mp3
Category:general -- posted at: 3:16pm EDT

The Biden administration’s effort to counter ransomware may not be especially creative, but it is comprehensive. The administration is pushing all the standard buttons on the interagency dashboard, including the usual high-level task force and a $10 million reward program (but not including hackback authority for victims, despite headlines suggesting otherwise). And all the noise seems to be having some effect, as the RE ransomware gang's web sites have mysteriously shut down.

Our interview is with Josh Steinman, who served as the National Security Council’s Cybersecurity Senior Director for the entire Trump administration. He offers his perspective on the issues and the personalities that drove cybersecurity policy in those chaotic years. As a bonus, Josh and I dig into his public effort to find a suitable startup, an effort we have to cut short as I start getting too close to one of the more promising possibilities.

Nick Weaver reminds us (in song, no less) that the government’s efforts to stop scourges like Trickbot have a distinct whiff of Whack-a-Mole, and the same may be true of REvil.

Maury Shenk covers the Biden administration’s belated but well-coordinated international response to China’s irresponsible Microsoft Exchange hack, including the surprising revelation that China may be back to hacking like it’s 1999—relying on criminal hackers to serve the government’s ends.

In other China news, Maury Shenk and Pete Jeydel catalog the many ways that the current regime is demonstrating its determination to bring China’s tech sector to heel. It’s punishing Didi in particular for doing a U.S. IPO despite go-slow signals from Beijing. It’s imposing cybersecurity reviews on other companies that IPO outside China.  And it seems to be pressing for competition concessions that the big tech companies would have successfully resisted a few years ago.

It was a big week for state-sponsored attacks on secure communications. Nick and I dig in the FBI and Australian federal police coup in selling ANOM phones to criminal gangs. Previewing an article for Lawfare, I argue that the Australian police may have to answer tough questions about whether their legal authority for the phone’s architecture really avoided introducing a systemic weakness into the phone’s security.

Law enforcement agencies around the world could face even tougher questions if they’ve been relying on NSO or Candiru, Israeli firms that compromise mobile phones for governments. Both firms have been on the receiving end of harsh forensics analyses from Amnesty International and Citizen Lab. Nick thinks the highly specific and centralized target logs are particularly a problem for NSO’s claims that it doesn’t actually know the details of how its malware is deployed.

Pete Jeydel tells us that the administration is learning to walk and chew gum on cybersecurity at the same time. While coordinating pushes on Chinese and Russian hacks, it also managed to get big chunks of the government to turn in their federal cybersecurity homework on time. Pete talks us through one of those assignments, the NTIA’s paper setting minimum elements for a Software Bill of Materials.

It wouldn’t be the Cyberlaw Podcast without a brief rant on content moderation. The Surgeon General claimed this week that “Misinformation takes away our freedom to make informed decisions about our health.” He didn’t say that administration censorship would give us our freedom back, but that seems to be the administration’s confident view, as the President, no less, accuses Facebook of “killing people” by not jumping more quickly to toe the CDC’s official line.

And if you thought it would stop with social media, think again.  The White House is complaining that telecom carriers also should be screening text messages that are hostile to vaccinations.

Finally, just to show that the world has truly turned upside down, Maury reminds me that a German—German!—court has fined American social media for too enthusiastically censoring a lockdown protest video.

Pete tells us what’s in the new Colorado privacy bill. Short version: it joins Virginia’s in some of hosing down California’s excesses.

And in short takes:

  • Maury explains Vietnam's version of China’s fifty-cent army.
  • Nick explains why Psiphon is a better tool for evading Cuban censorship that the sleaze-infested Tor system.
  • Maury updates me on the European Parliament LIBE committee’s latest proposal for accepting the U.S. intelligence community’s transatlantic surrender on data flows.
  • And Pete tells us that the Securities and Exchange Commission may finally be putting the screws to companies that have been lax about reporting breaches to their investors.

And more!

Download the 371st Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

Direct download: TheCyberlawPodcast-371.mp3
Category:general -- posted at: 11:19am EDT

We begin the episode with the Biden administration’s options for responding to continued Russian ransomware outrages. Dmitri Alperovitch reprises his advice in the Washington Post that Putin will only respond to strength and U.S. pressure. I agree but raise the question whether the U.S. has the tools to enforce another set of alleged red lines, given Putin’s enthusiasm and talent for crossing them. If jumping U.S. red lines were an Olympic sport, Russia would have retired the gold by now. Dmitri reminds us that Russian cooperation against cybercrime remains a mirage. He also urges that we keep the focus on ransomware and not the more recent attempt to hack the Republican National Committee.

The Biden White House has been busy this week, or at least Tim Wu has. When Wu took a White House job as special assistant to the president for technology and competition policy, some might have wondered why he did it. Now, Gus Hurwitz only after giving child abusers a six-month holiday from scrutiny tells us, it looks as though he was given carte blanche to turn his recent think tank paper into an executive order. Gus: Biden targets Big Tech in sweeping new executive order cracking down on anti-competitive practices. It’s a kitchen sink full of proposals, Mark MacCarthy notes, most of them more focused on regulation than competition. That observation leads to a historical diversion to the way Brandeisian competition policy aimed at smaller competitors and ended by creating bigger regulatory agencies and bigger companies to match.

We had to cover Donald Trump’s class actions against Twitter, Facebook, and Google, but if the time we devoted to the lawsuits was proportionate to their prospects for success, we’d have stopped talking in the first five seconds.  

Mark gives more time to a House Republican leadership plan to break up Big Tech and stop censorship. But the plan (or, to be fair, the sketch) is hardly a dramatic rebuke to Silicon Valley—and despite that isn’t likely to get far. Divisions in both parties’ House caucuses now seem likely to doom any legislative move against Big Tech in this Congress.

The most interesting tech and policy story of the week is the Didi IPO in the U.S., and the harsh reaction to it in Beijing. Dmitri tells us that the government has banned new distributions of Didi’s ride-sharing app and opened a variety of punitive regulatory investigations into the company. This has dropped Didi’s stock price, punishing the U.S. investors who likely pressed Didi to launch the IPO despite negative signals from Beijing.

Meanwhile, more trouble looms for the tech giant, as Senate conservatives object to Didi benefiting from U.S. investment and China makes clear that Didi will not be allowed to provide the data needed to comply with U.S. stock exchange rules.

Mark and Gus explain why 37 U.S. states are taking Google to court over its Play Store rules and why, paradoxically, Google’s light hand in the Play store could expose it more to antitrust liability than Apple’s famously iron-fisted rule.

Dmitri notes the hand-wringing over the rise of autonomous drone weapons but dismisses the notion that there’s something uniquely new or bad about the weapons (we’ve had autonomous, or at least automatic, submarine weapons, he reminds us, since the invention of naval mines in the 14th century).

In quick hits, Gus and Dmitri offer dueling perspectives on the Pentagon’s proposal to cancel and subdivide the big DOD cloud contract.

Gus tells us about the other Fortnite lawsuit against Apple over it app policy; this one is in Australia and was recently revived.

As I suspected, Tucker Carlson has pretty much drained the drama from his tale of having his communications intercepted by NSA. Turns out he’s been seeking an interview with Putin. And no one should be surprised that the NSA might want to listen to Putin.

The Indian government is telling its courts that Twitter has lost its 230-style liability protection in that country. As a result, it looks as though Twitter is rushing to comply with Indian law requirements that it has blown off so far. Still, the best part of the story is Twitter’s appointment of a “grievance officer.” Really, what could be more Silicon Valley Woke? I predict it’s only a matter of months before the whole Valley fills with Chief Grievance Officers, after which the Biden administration will appoint one for the Executive Branch.

And, finally, I give the EU Parliament credit for doing the right thing in passing legislation that lets companies look for child abuse on their platforms. Readers may remember that the problem was EU privacy rules that threatened to end monitoring for abuse all around the world. To make sure we remembered that this is still the same feckless EU Parliament as always, the new authority was grudgingly adopted only after giving child abusers a six-month holiday from scrutiny. It was also limited to three years, after which the Parliament seems to think that efforts to stop the sexual abuse of children will no longer be needed.

And More!                                                                                                                                  

Download the 370th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-370.mp3
Category:general -- posted at: 12:18pm EDT

We begin the episode with a review of the massive Kaseya ransomware attack.

Dave Aitel digs into the technical aspects while Paul Rosenzweig and Matthew Heiman explore the policy and political  implications. But either way, the news is bad.

Then we come to the Florida “deplatforming” law, which a Clinton appointee dispatched in a cursory opinion last week. I’ve been in a small minority who thinks the law, far from being a joke, is likely to survive (at least in part) if it reaches the Supreme Court. Paul challenges me to put my money where my mouth is. Details to be worked out, but if a portion of the law survives in the top court, Paul will be sending a thousand bucks to Trumpista nonprofit. If not, I’ll likely be sending my money to the ACLU.

Surprisingly, our commentators mostly agree that both NSA and Tucker Carlson could be telling the truth, despite the insistence of their partisans that the other side must be lying. NSA gets unaccustomed praise for its … wait for it … rapid and PR-savvy response. That’s got to be a first.

 Paul and I conclude that Maine, having passed in haste the strongest state facial recognition ban yet, will likely find itself repenting at leisure. 

Matthew decodes Margrethe Vestager’s warning to Apple against using privacy, security to limit competition.

And I mock Apple for claiming to protect privacy while making employees wear body cams to preserve the element of surprise at the next Apple product unveiling. Not to mention the 2-billion-person asterisk attached to Apple’s commitment to privacy.

Dave praises NSA for its stewardship of a popular open source reverse engineering tool, Ghidra.

And everyone has a view about cops using YouTube’s crappy artificial intelligence takedown engine to keep people from posting videos of their conversations with cops. 

And more!

Download the 369th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

Direct download: TheCyberlawPodcast-369.mp3
Category:general -- posted at: 9:04am EDT

This episode offers an economical overview of the six antitrust reform bills reported out of the House Judiciary Committee last week. Michael Weiner and Mark MacCarthy give us the top line for all six (though only four would make substantial new policy). We then turn quickly to the odd-couple alliances supporting and opposing the bills, including my brief cameo appearance, in Rep. Jim Jordan’s opposition, on the gratifying ground (ok, among others) that Microsoft had never explained its suppression of my recent LinkedIn post. On the whole, I think Rep. Jordan is right; there’s very little in these bills that will encourage a diversity of viewpoints on social media or among its “trust and safety” bureaucrats.

Nick Weaver trashes the FBI for its prosecution of AnMing Hu. I’m more sympathetic, but neither of us thinks this will end well for the bureau or the China Initiative.

Adam Candeub makes his second appearance and does a fine job unpacking three recent decisions on the scope of Section 230. The short version: Facebook only partly beat the rap for sex trafficking in the Texas Supreme Court; SnapChat got its head handed to it in the speed filter case; and all the Socials won but faced persuasive dissents in a case over assistance to terrorist groups.

The long version: Silicon Valley has sold the courts a bill of goods on Section 230 for reasons that sounded good when the Internet was shiny and democratic and new. Now that disillusion has set in, the sweeping subsidy conferred by the courts is looking a lot less plausible. The wheels aren’t coming off Section 230 yet, but the paint is peeling, and Big Tech’s failure to get their reading of the law blessed by the Supreme Court ten years ago is going to cost them—mainly because their reading is inconsistent with some basic rules of statutory interpretation.

Nick and I engage on the torture indictments of executives who sold internet wiretapping capabilities to the Qaddafi regime.

Mark is unable to hose down my rant over Canada’s bone-stupid effort to impose Canadian content quotas on the internet and to write an online hate speech law of monumental vagueness. 

And in closing, Nick and I bid an appropriately raucous and conflicted adieu to the Hunter Thompson of Cybersecurity:  John McAfee.

And more!

Download the 368th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-368.mp3
Category:general -- posted at: 9:29am EDT

We could not avoid President Biden’s trip to Europe this week. He made news (but only a little progress) on cybersecurity at every stop. Nick Weaver and I dig into the President’s consultations with Vladimir Putin, which featured veiled threats and a modest agreement on some sort of continuing consultations on protecting critical infrastructure.

Jordan Schneider sums up the G7 and NATO statements aligning with U.S. criticisms of China.

And our newest contributor, Michael Ellis, critiques the EU-U.S. consultations on technology, which featured a complete lack of U.S. resolve on getting an outcome on transatlantic data flows that would preserve US intelligence capabilities.

Michael also recaps the latest fallout from the Colonial Pipeline ransomware shutdown—new regulatory initiatives from TSA and a lot of bipartisan regulatory proposals in Congress.

I note the very unusual (or, maybe, all too usual) meaning given to “bipartisanship” on Capitol Hill.

Nick is not exactly mourning the multiple hits now being suffered by ransomware insurers, from unexpected losses to the ultimate in concentrated loss – gangs that hack the insurer first and then systematically extort all its ransomware insurance customers.

Jordan sums up China’s new data security law. He suggests that, despite the popular reporting on the law, which emphasizes the government control narrative, the motive for the law may be closer to the motive for data protection laws in the West—consumer suspicion over how private data is being used. I’m less convinced, but we have a nice discussion of how bureaucratic imperatives and competition work in the Peoples Republic of China.

Michael and Nick dig into the White Paper on FISA applications published by the outgoing chairman of the Privacy and Civil Liberties Oversight Board. Notably, in my mind, the White Paper does not cast doubt on the Justice Department’s rebuttal to a Justice Inspector General’s report suggesting that the FISA process is riddled with error. The paper also calls urgently for renewal of the expired FISA section 215 authority and suggests several constructive changes to the FISA paperwork flow.

In quick hits, Michael brings us up to date on the FCC’s contribution to technology decoupling from China: a unanimous vote to exclude Chinese companies from the U.S. telecom infrastructure and a Fifth Circuit decision upholding its decision to exclude Chinese companies from subsidized purchases by U.S. telecom carriers.  And Jordan reminds us just how much progress China has made in exploring space.

And more!

Download the 367th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-367.mp3
Category:general -- posted at: 8:50am EDT

This week the Business Software Alliance issued a new report on AI bias. Jane Bambauer and I come to much the same conclusion: It is careful, well-written, and a policy catastrophe in the making. The main problem? It tries to turn one of the most divisive issues in American life into a problem to be solved by technology. Apparently because that has worked so well in areas like content suppression. In fact, I argue, the report will be seen by many, especially in the center and on the right, as an effort to impose proportional representation quotas by stealth in a host of places that have never been the objects of such policies before. Less controversial, but only a little, is the U.S. government’s attempt to make government data available for training more AI algorithms. Jane more or less persuades me that this effort too will end in tears or stasis. 

In cheerier news, the good guys got a couple of surprising wins this week. While encryption and bitcoin have posed a lot of problems for law enforcement in recent years, the FBI has responded with imagination and elan, at least if we can judge by two stories from last week. First, Nick Weaver takes us through the laugh-out-loud facts behind a, government-run encrypted phone for criminals complete with influencers, invitation-only membership, and nosebleed pricing to cement the phone’s exclusive status. Jane Bambauer unpacks some of the surprisingly complicated legal questions raised by the FBI’s creativity.

Paul Rosenzweig lays out the much more obscure facts underlying the FBI’s recovery of much of the ransom paid by Colonial Pipeline. There’s no doubt that the government surprised everyone by coming up with the private key controlling the bitcoin account. We’d like to celebrate the ingenuity behind the accomplishment, but the how it pulled it off, probably because it hopes to do the same thing again and can’t if it blows the secret. FBI isn’t actually explaining.

The Biden administration is again taking a shaky and impromptu Trump policy and giving it a sober interagency foundation.  This time it’s the TikTok and WeChat bans; these have been rescinded. But a new process has been put in place that could restore and even expand those bans in a matter of months. Paul and I disagree about whether the Biden administration will end up applying the Trump policy to TikTok or WeChat or to a much larger group of Chinese apps.

For comic relief, Nick regales us with Brian Krebs’s wacky story of the FSB’s weird and counterproductive attempt to secure communications to the FSB’s web site. 

Jane and I review the latest paper by Bruce Schneier (and Henry Farrell) on how to address the impact of technology on American democracy. We are not persuaded by its suggestion that our partisan divide can best be healed by more understanding, civility, and aggressive prosecutions of Republicans.

Finally, everyone confesses to some confusion about the claim that the Trump Justice Department breached norms in its criminal discovery motions that turned up records relating to prominent Democratic congressmen and at least one Trump administration official.

Best bet: this flap will turn out to be less interesting the more we learn. But I renew my appeal, this time aimed at outraged Democrats, for more statutory guardrails and safeguards against partisan misuse of national security authorities. Because that’s what we’ll need if we want to keep those authorities on the books.

And more!

Download the 366th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-366.mp3
Category:general -- posted at: 9:23pm EDT

The Biden administration is pissing away one of the United States’ most important counterterrorism intelligence programs. At least that’s my conclusion from this episode’s depressing review of the administrations halting and delusion-filled approach to the transatlantic data crisis. The EU thinks time is on its side, and it’s ignoring Jamil Jaffer’s heartfelt plea to be a better ally in the face of Russian and Chinese pressure. Every day, Silicon Valley companies whose data stores in the U.S. have been a goldmine for counterterrorism are feeling legal pressure to move that data to Europe. Those companies care little whether the U.S. gets good intelligence from its section 702 requests, at least compared to the prospects of massive fines and liability in Europe. So, unless the administration creates a countervailing incentive, the other actors will simply present Washington with a fait accompli. The Biden administration, like the Trump administration before it, seems unable to grasp the need for action. When Trump was in charge, we could call him incompetent. When we wake up to what we’ve lost under Biden, that’s what we’ll call him, too.

For companies struggling with their role in this global drama, Charles Helleputte has moderately good news. The European Commission, contrary to the dogmatic approach of the data protection agencies, has opened a door for transfers using the new standard contractual clauses. If your data has not been requested by the U.S. under section 702 or similar intelligence programs and you can offer good reason to think they won’t be requested in the future, you could avoid the hammer of a data export ban while using the standard corporate clauses if they have never received a 702 or similar request and can offer good reason to think they won’t in future.

In other news, Jamil and I cross swords on whether the Colonial pipeline hack should have ended TSA’s light-touch oversight of pipeline cybersecurity.

And Nate Jones and I dig deep into the state trend toward regulating police access to DNA ancestry databases. After some fireworks, we come close to agreement that some state law provision on database access is inevitable and workable, but that the Maryland law is so hostile to solving brutal crimes with DNA searches that it is hard to distinguish from a ban.

Jamil explains the Biden administration’s decision to provide a new foundation for the Trump ban on investment in Chinese military companies. Treasury will take the program away from the Department of Defense, which had handled its responsibilities with the delicacy of Edward Scissorhands.

Nate limbers up the DeHype Machine to put in perspective the Department of Justice's claim to be giving ransomware hacks the same priority as terrorism. Jamil takes on autonomous drones and pours cold water on the notion that the Pentagon will be procuring some of its drones from China.

In a moment of weakness I fail to attack or even mock the UN GGE’s latest report on norms for cyberconflict.

And in a series of quick hits: 

  • Jamil reviews Facebook’s latest antitrust problems in the EU and UK.
  • I bring back the Congresswoman whose failed lawsuit over a newspaper’s publication of her nude photos is now set to cost her over $100,000.
  • In case you haven’t heard, Facebook might let Trump come back in January 2023, and his blog page has shut down for good.
  • The European Commission has proposed a trusted and secure Digital Identity for all Europeans but Charles thinks there’s less there than meets the eye.
  • And Nigeria has suspended Twitter after the platform shut down the President’s account for obliquely threatening military action against secessionists.

And more!

Download the 365th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-365.mp3
Category:general -- posted at: 3:33pm EDT

We don’t get far into my interview with the authors of a widely publicized Ransomware Task Force report, before I object that most of its recommendations are “boring” procedural steps that don’t directly address the ransomware scourge. That prompts a vigorous dialogue with Philip Reiner, the Executive Director of the Institute for Security and Technology (IST), the report’s sponsoring organization, from Megan Stifel, of the Global Cyber Alliance, and Chris Painter, of The Global Forum on Cyber Expertise Foundation. And we, in fact, find several new and not at all boring recommendations among the nearly 50 put forward in the report.

In the news roundup, Dmitri Alperovitch has an answer to my question, “Is Putin getting a handle on U.S. social media?” Not just Putin, but every other large authoritarian government is finding ways to bring Google, Twitter and Facebook to heel. In Russia’s case, the method is first a token fine, then a gradual throttling of service delivery that makes domestic competitors look better in comparison to the Silicon Valley brand.

Mark MacCarthy handicaps the Epic v. Apple lawsuit. The judge is clearly determined to give both sides reason to fear that the case won’t go well. And our best guess is that Epic might get some form of relief but not the kind of outcome they hoped for.

Dmitri and I marvel at the speed and consensus around regulatory approaches to the Colonial Pipeline ransomware event. It’s highly likely that the attack will spur legislation mandating reports of cyber incidents (and without any liability protection) as well as aggressive security regulation from the agency with jurisdiction—TSA.  I offer a cynical Washington perspective on why TSA has acted so decisively. 

Mark and I dig into the signing and immediate court filing against Florida’s social media regulation attacking common content moderation issues. Florida will face an uphill fight, but neither of us is persuaded by the tech press’s claim that the law will be “laughed out of court.”  There is a serious case to be made for almost everything in the law, with the exception of the preposterous (and probably severable) exemption for owners of Florida theme parks.

Dmitri revs up the DeHyping Machine for reports that the Russians responded to Biden administration sanctions by delivering another cyberpunch in the form of hijacked USAID emails. It turns out that the attack was garden variety cyberespionage, that the compromise didn’t involve access to USAID networks, that it was launched before sanctions, and that it didn’t get very far. 

Jordan Schneider explains the impact of U.S. government policy on the cellular-equipment industry, and the appeal of Open RAN as a way of end-running the current incumbents. U.S. industrial policy could be transformed by the shape-shifting Endless Frontier Act. 

Jordan and Dmitri explain how. I ask whether we’re seeing a deep convergence on industrial policy on both sides of the Pacific, now that President Xi has given a speech on tech policy that could have been delivered by half a dozen Republican or Democratic senators. 

Finally, Dmitri reviews the bidding in cryptocurrency regulation both at the White House White House and in London. 

In short hits, we cover:

The European Court of Human Rights decision squeezing but not quite killing GCHQ’s mass data interception programs and cooperation with the U.S. I offer a possible explanation for the court’s caution.

A court filing strongly suggesting that the Biden administration will not be abandoning a controversial Trump administration rule that requires visa applicants to register their social media handles with the U.S. government.  I speculate on why.

A WhatsApp decision not to threaten its users to get them to accept the company’s new privacy terms. Instead, I suspect, WhatsApp will annoy them into submission.

And, finally, a festival of EU competition law Brussels attacks on Silicon Valley, from Germany and France. 

And More!

Direct download: TheCyberlawPodcast-364.mp3
Category:general -- posted at: 11:10am EDT

Paul Rosenzweig kicks off the news roundup by laying out the New York Times’s brutal overview of the many compromises Tim Cook’s Apple has made with an increasingly oppressive Chinese government. There is no way to square Apple’s aggressive opposition to U.S. national security measures with its quiet surrender to much more demanding Chinese measures. I suggest that the disparity could not be greater if Tim Cook were Dorian Gray and storing his portrait behind the Great Firewall. Paul, Jamil Jaffer and I note the tension between Apple’s past claim that it could not legally share data with the Chinese government and its new claim that it solved the problem by turning its data over to a Chinese government-owned corporation.

Ransomware hasn’t stopped making news, Paul tells us, Irish hospitals with the latest to go down. Nate Jones assesses the likelihood (low) that governments will effectively ban the payment of ransomware demands. And Paul points out that, while cryptocurrency may be facilitating crime, at least it’s also warming the planet, as an entire American power plant is taken out of mothballs to power cryptocurrency mining operations.

Governments are increasingly cracking down on cryptocurrency, and Paul gives us one week of news in new regulation: China has reiterated its opposition to unregulated access to crypto.

The IRS is threatening action against unreported transactions in cryptocurrency.

And Hong Kong plans to restrict crypto exchanges to professional investors.

Another 60+ pages from the FISA court approving the executive branch’s section 702 procedures.

With Nate on the job, you don’t need to read it all, or rely on the ideologically motivated criticism of privacy groups. Nate tells us that in approving the 702 procedures the FISA court has much less leeway than a court usually does in reviewing federal agency action (with a hat tip to a good analysis by NSA alum George Croner).   

Jamil bemoans the enthusiasm sweeping Europe for sticking it to US (but not Chinese) tech companies under a variety of competition law theories.

Google has been fined just over €100 million by Italy’s antitrust watchdog for abuse of a dominant market position in Android auto apps.

Germany is readying big guns for an attack on Amazon’s market.

I point out that American policyholders seem to share this enthusiasm, at least judging from the questions the presiding judge in Epic v. Apple posed this week to Tim Cook.

Nate and I explore Apple’s apparent decision to let Parler back into the app store. (And, given the enthusiasm for regulating such dual-facing markets on antitrust grounds, that decision would be wise.) But Apple is still demanding that Parler block speech that Parler doesn’t think it should be blocking.

We wrap up with a few quick hits:

Looking for a cheap way to defeat ransomware?  Brian Krebs has a “might not work but what do you have to lose?” Idea: install a Russian keyboard layout on your computer (although with my luck, the ransomware will translate all my files into Russian). 

Andy Greenberg has a good retrospective on the seeds. OG supply chain hack: the Chinese theft of RSA’s core security.

Dangling the other shoe: The UK’s head of MI5 isn’t mincing words. Ken McCallum is accusing Facebook of giving a ‘free pass’ to terrorists by preparing to introduce end-to-end crypto on its messaging app. Sooner or later, this is going to end in tears.

And we all agree that the Biden administration was lucky to persuade Matt Olsen to leave Uber to become head of the Department of Justice’s National Security Division.

And more!

Direct download: TheCyberlawPodcast-363.mp3
Category:general -- posted at: 9:18am EDT

Our interview is with Brandon Wales, acting head of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Jen Daskal, deputy general counsel for Cyber and Technology Law at DHS. We dig deep into the latest Executive Order on cybersecurity. There’s a lot to say. The EO is focused largely on how the federal civilian government protects its networks, and it is just short of revolutionary in overriding long standing turf fights, almost all of which are resolved in favor of CISA—to the point where it seems clear that CISA is on its way to being the civilian agencies’ CISO, or Chief Information Security Office. This is clearly CISA’s moment. It is getting new authorities from the president and new money from Congress. Whether it can meet all the expectations that these things bring is the question.

We also touch on parts of the EO that will touch the private sector, from the determined push for breach and other incident reporting in federal contracts to the formation of a Cyber Safety Review Board to investigate private sector incidents. I predict that the board will need and will get subpoena power soon. Neither Brandon nor Jen takes the other side of that bet.

In the news, we get an update on the Colonial Pipeline ransomware attack from Nick Weaver and first-timer Betsy Cooper. Colonial has paid $5 million in ransom, gotten a bad decryption tool and restarted operations anyway. Since it’s likely to end up as the second test case for the Cyber Security Review Board, Colonial may regret having waited five days to start sharing information with CISA.

Maury Shenk explains the 200-page Irish High Court decision allowing the Irish data protection regulator to begin an inquiry that could cut off its data exports to the United States. Facebook would love to forestall that day until EU-U.S. talks on a new data export deal is done, but the Biden administration isn’t exactly making it a priority to bail out either Facebook or the U.S. intelligence community, which has as much at stake in data flows as the companies.

One of the puzzles of recent weeks has been persistent but vague stories that DHS wants more authority to gather information from public postings on social media. Nick, Betsy, and I try to make sense of the story, and we’re not helped by the fact that much of the media and politicians have switched from condemning such intelligence operations to demanding them, and vice versa, since the Trump administration ended.

Nick can’t resist a story that leaves both bitcoin and Tor looking bad, so of course we cover the boom in Tor exit nodes configured to steal the cryptocurrency of Tor users.

Betsy covers the unanimous view of chip making and consuming companies that the federal government should subsidize chip making in the U.S. Industrial policy is making a comeback, we note, but Betsy reminds us there’s a reason it went away. *cough*Solyndra*cough*

Betsy seizes on the latest WhatsApp tactic to lament the willingness of data-driven tech companies to annoy us into submission.

Nick and I cross swords over Apple’s firing of Antonio García Martínez, author of Chaos Monkeys, in my view one of the funniest and most insightful Silicon Valley books of the last decade. Part of its appeal is Garcia Martinez’s relentless burning of every bridge in his past business and personal life.  How, you keep asking, can he recover from telling all those truths about Morgan Stanley, Facebook, Y Combinator, and AdTech? Turns out, he can’t. But it wasn’t any of those supposedly potent institutions that nailed him. Instead, it was his claim that the women of Silicon Valley are mostly "soft and weak, cosseted and naïve” and possessed of a “self-regarding entitlement feminism.”

Apple employees demanded that they be protected from Garcia Martinez, and he was summarily fired. The more interesting question is whether hiring Garcia Martinez shows just how determined Apple is to replace Facebook as Google’s main competition in the “leverage customer data to sell ads” business.

In quick hits, I revisit the claim that a Saudi prince hacked Jeff Bezos’s phone and turned his unexpurgated selfies over to the National Enquirer in order to suppress Washington Post publicity over the killing of Jamal Khashoggi. That was all BS, it turns out, apparently designed to turn Bezos from an ordinary tawdry adulterer into a press freedom crusader.

And Nick draws our attention to Counterfit, a promising Microsoft tool for testing artificial intelligence algorithms to find security flaws.

And More!

Download the 362nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-362.mp3
Category:general -- posted at: 10:31am EDT

Bruce Schneier joins us to talk about artificial intelligence (AI) hacking in all its forms. He’s particularly interested in ways AI will hack humans, essentially preying on the rough rules of thumb programmed into our wetware—that big-eyed, big-headed little beings are cute and need to have their demands met or that intimate confidences should be reciprocated. AI may not even know what it’s doing, since machines are famous for doing what works unless there’s a rule against it.  Bruce is particularly interested in law-hacking—finding and exploiting unintended consequences buried in the rules in the U.S. Code. If any part of that code will lend itself to AI hacking, Bruce thinks, it’s the tax code (insert your favorite tax lawyer joke here). It’s a bracing view of a possible near-term future.

In the news, Nick Weaver and I dig into the Colonial Pipeline ransomware attack and what it could mean for more aggressive cybersecurity action in Washington than the Biden administration was contemplating just last week as it was pulling together an executive order that focused heavily on regulating government contractors.

Nate Jones and Nick examine the stalking flap that is casting a cloud over Apple’s introduction of AirTags.

Michael Weiner takes us through a quick tour of all the pending U.S. government antitrust lawsuits and investigations against Big Tech. What’s striking to me is how much difference there is in the stakes (and perhaps the prospects for success) depending on the company in the dock. Facebook faces a serious challenge but has a lot of defenses. Amazon and Apple are being attacked on profitable but essentially peripheral business lines. And Google is staring at existential lawsuits aimed squarely at its core business. 

Nate and I mull over the Russian proposal for a UN cybercrime proposal. The good news is that stopping progress in the UN is usually even easier than stopping legislation in Washington.

Nate and I also puzzle over ambiguous leaks about what the Department of Homeland Security wants to do with private firms as it tries to monitor extremist chatter online. My guess: This is mostly about wanting the benefit of anonymity or a fake persona while monitoring public speech.

And then Michael takes us into the battle between Apple and Fortnite over access to the app store without paying the 30 percent cut demanded by Apple. Michael thinks we’ve mostly seen the equivalent of trash talk at the weigh-in so far, and the real fight will begin with the economists’ testimony this week.

Nick indulges a little trash talk of his own about the claim that Apple’s app review process provides a serious benefit to users, citing among other things the litigation-driven disclosure that Apple never sent emails to users of the 125 million buggered apps it found a few years back.

Nick and I try to make sense of stories that federal prosecutors in 2020 sought phone records for three Washington Post journalists as part of an investigation into the publication of classified information that occurred in 2017.

I try to offer something new about the Facebook Oversight Board’s decision on the suspension of President Trump’s account.  To my mind, a telling and discrediting portion of the opinion reveals that a minority of the board members thought that international human rights law required more limits on Trump’s speech—and they chose to base that on the notion that calling the coronavirus a Chinese virus is racist. Anyone who has read Nicholas Wade’s careful article knows that there’s lots of evidence the virus leaked from the Wuhan virology lab. If any virus in the last hundred years deserves to be named for its point of origin, then, this is it. Nick disagrees.

Nate previews an ambitious task force plan on tackling ransomware. We’ll be having the authors on the podcast soon to dig deeper into its nearly 50 recommendations.

Signal is emerging a Corporate Troll of the Year, if not the decade. Nick explains how, fresh from trolling Cellebrite, Signal took on Facebook by creating a bevy of personalized Instagram ads that take personalization to the Next Level. 

Years after the fact, the New York Attorney General has caught up with the three firms that generated fake comments opposing the Federal Communications Commission’s net neutrality rollback. They’ll be paying fines. But I can’t help wondering why anyone thinks it’s useful to think about proposed rules by counting the number of postcards and emails that shout “yes” or “no” but offer no analysis.

Download the 361st Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-361.mp3
Category:general -- posted at: 2:57pm EDT

Our interview is with Kevin Roose, author of Futureproof: 9 Rules for Humans in the Age of Automation that debunks most of the comforting stories we use to anaesthetize ourselves to the danger that artificial intelligence and digitization poses to our jobs. Luckily, he also offers some practical and very personal ideas for how to avoid being caught in the oncoming robot apocalypse. 

In the news roundup, Dmitri Alperovitch and I take a few moments to honor Dan Kaminsky, an extraordinary internet security and even more extraordinarily decent man. He died too young, at 42, as Nicole Perlroth demonstrates in one of her career-best articles. 

Maury Shenk and Mark MacCarthy lay out the EU’s plan to charge Apple with anti-competitive behaviour in running its app store. 

Under regulation-friendly EU competition law, the more austere U.S. version, it sure looks as though Apple is going to have trouble escaping unscathed.  

Mark and I duke it out over Gov. DeSantis’s Florida bill on content moderation reform.

We agree that it will be challenged as a violation of the First Amendment and as preempted by federal Section 230. Mark thinks it will fail that test. I don’t, especially if the challenge ends up in the Supreme Court, where Justice Thomas at least has already put out the “Welcome” mat. 

Dmitri and I puzzle over the statement by top White House cyber official Anne Neuberger that the U.S. reprisals against Russia are so far not enough to deter further cyberattacks. We decide it’s a “Kinsley gaffe”—where a top official inadvertently utters an inconvenient truth. 

This Week in Information Operations: Maury explains that China may be hyping America’s racial tensions not as a tactic to divide us but simply because it’s an irresistible comeback to U.S. criticisms or Chinese treatment of ethnic minorities. And Dmitri explains why we shouldn’t be surprised at Russia’s integrated use of hacking and propaganda. The real question is why the US has been so bad at the same work.

In shorter stories: 

  • Mark covers the slooow rollout of an EU law forcing one-hour takedowns of terrorist content 
  • Dmitri also notes the inevitability of more mobile phone adtech tracking scandals, such as the compromise of U.S. military operations 
  • Maury and I discuss the extent to which China’s internet giants find themselves competing, not for consumers, but for government favor, as China uses antitrust law to cement its control of the tech sector 
  • Finally, Dmitri and I unpack the latest delay in DOD’s effort to achieve cybersecurity maturity through regulatory-style compliance, an effort Dmitri believes is doomed

Download the 360th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-360.mp3
Category:general -- posted at: 8:50am EDT

The Cyberlaw Podcast discusses issues at the intersection of technology and the law.

Download the 359th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-359.mp3
Category:general -- posted at: 2:17pm EDT

Our interview is with Mark Montgomery and John Costello, both staff to the Cyberspace Solarium Commission. The commission, which issued its main report more than a year ago, is swinging through the pitch, following up with new white papers, draft legislative language and enthusiastic advocacy for its recommendations in Congress, many of which were adopted last year. That makes it the most successful of the many cybersecurity commissions that have come and gone in Washington. And it’s not done yet. Mark and John review several of the most important legislative proposals the commission will be following this year. I don’t agree with all of them, but they are all serious ideas and it’s a good bet that a dozen or more could be adopted in this Congress.

In the news roundup, David Kris and I cover the FBI’s use of a single search warrant to remove a large number of web shells from computers infected by China’s irresponsible use of its access to Microsoft Exchange. The use of a search (or, more accurately, a seizure warrant)  is a surprisingly far-reaching interpretation of Federal Criminal Rule 41. But despite valiant efforts, David is unable to disagree with my earlier expressed view that the tactic is lawful.

Brian Egan outlines what’s new in the Biden administration’s sanctions on Russia for its SolarWinds exploits. The short version: While some of the sanctions break new ground, as with Russian bonds, they do so cautiously.

Paul Rosenzweig, back from Costa Rica, unpacks a hacking story that has everything—terrorism, the FBI, Apple, private sector hacking and litigation. Short version: we now know the private firm that saved Apple from the possibility of an order to hack its own phone. It’s an Australian firm named Azimuth that apparently only works for democratic governments but that is nonetheless caught up in Apple’s bully-the-cybersecurity-researchers litigation campaign.

Gus Hurwitz talks to us about the seamy side of content moderation (or at least on seamy side) – the fight against “coordinated inauthentic behaviour.”

In quicker takes, Paul gives us a master class in how to read the intel community’s Annual Threat Assessment.  David highlights what may be the next Chinese  telecom manufacturing target, at least for the GOP, after Huawei and ZTE. I highlight the groundbreaking financial industry breach notification rule that has finished and is moving toward adoption. And Gus summarizes the state of Silicon Valley antitrust legislation—everyone has a bill—so no one is likely to get a bill.

Download the 358th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-358.mp3
Category:general -- posted at: 2:23pm EDT

They used to say that a conservative was a liberal who’d been mugged. Today’s version is that a conservative who’s comfortable with business regulation is a conservative who’s been muzzled by Silicon Valley. David Kris kicks off this topic by introducing Justice Thomas’s opinion in a case over Trump’s authority to block users he didn’t like. The case was made thoroughly moot by both the election and Twitter’s blocking of Trump, but Justice Thomas wrote separately to muse on the ways in which Twitter’s authority to block users could be regulated by treating the company as a common carrier or public accommodation. David sees a trend among conservative jurists to embrace limits on Big Social’s authority to suppress speech.

I recount my experience being muzzled by LinkedIn, which would not let me link to a new Daily Mail story about the Hunter Biden laptop and say, “The social media giants that won’t let you say the 2020 election was rigged are the people who did their best to rig it: The Hunter Biden laptop was genuine and scandalous according to the Daily Mail.” To my mind, this is Big Social protecting its own business interests by suppressing a story that could convince people that the industry has too much power over our national dialogue and our elections. (I mocked LinkedIn by posting 5 variants of my original post, all making the same point in slightly different ways. You can see this on my LinkedIn account result.)

But my view that we should not let five or six Silicon Valley owners take over our national dialogue is challenged by Jamil Jaffer, a friend and conservative who is appalled at my deviation from Republican antiregulatory orthodoxy and first amendment doctrine. It’s a great conservative catfight that mirrors the much greater catfight now under way in the Republican party.

Elsewhere in the news roundup, Jordan Schneider and David dig into the claims that China has built advanced weapons systems with the help of American chip designers and Taiwanese fabs.

The accusation has led the Biden administration to slap export controls on several Chinese firms. Whether this will work without more aggressive U.S. controls on, say, foreign fabs serving those firms is open to question.

More to the point, it raises questions about long term U.S. industrial policy. David notes that one answer, the bipartisan “Endless Frontier Act,” is gaining some momentum. (I understand the motivation but question the execution.) We also touch on the sad story of Intel’s recent missteps, and the opportunity that industrial policy has created for GlobalFoundries’ IPO.

Meanwhile Jamil takes on AdTech espionage, while U.S. senators ask Digital-Ad auctioneers to name foreign clients amid national-security concerns.

We all weigh in on the administration’s cyber picks, announced over the weekend. The unanimous judgment is that Chris Inglis, Jen Easterly and Rob Silvers are good picks—and, remarkably, ended up in the right jobs.

In shorter hits, David and I ponder Twitch’s unusual decision to start punishing people on line for misdeeds offline—misdeeds that Twitch will investigate itself. While neither of us are comfortable with the decision, including the effort to do privately what we pay cops and courts to do publicly, but there is more justification for the policy in some cases (think child sexual abuse) than might be apparent at first glance.

I tell the story of the Italian authorities identifying and arresting someone trying to hire a hitman using cryptocurrency and the dark web. As far as I know, successful cryptocurrency hitmen remain as rare as unicorns

David suggests that I should be glad not to live in Singapore, where the penalty for information the establishment doesn’t like is a criminal libel judgment that I’d be forced to crowdfund like Singapore’s government critics. I note that American sites like GoFundMe and Patreon have already imposed ideological screens that mean I wouldn’t be able to crowdfund my defense against Big Social.

And, for This Week in Data Breaches, I note the new tactic of ransomware gangs trying to pressure their victims to pay by threatening the victims’ customers with doxxing plus the remarkable phenomenon of half-billion-user data troves that the source companies  say are not really the result of network breaches and so not disclosable.

Direct download: TheCyberlawPodcast-357_.mp3
Category:general -- posted at: 4:50pm EDT

Our interview is with Kim Zetter, author of the best analysis to date of the weird messaging from the National Security Agency (NSA) and Cyber Command about the domestic “blind spot” or “gap” in their cybersecurity surveillance. I ask Kim whether this is a prelude to new NSA domestic surveillance authorities (definitely not, at least under this administration), why the gap can’t be filled with the broad emergency authorities for the Foreign Intelligence Surveillance Act and criminal intercepts (they don’t fit, quite) and how the gap is being exploited by Russian (and soon other) cyberattackers. My most creative contribution: maybe Amazon Web Services, where most of the domestic machines are being spun up, would trade faster cooperation in targeting such machines for a break on the know-your-customer rules they may otherwise have to comply with. And if you haven’t subscribed to Kim’s (still free for now) substack newsletter, you’re missing out.

In the news roundup, we give a lick and a promise to today’s Supreme Court decision in the fight between Oracle and Google over application programming interface copyrights, but Mark MacCarthy takes us deep on the Supreme Court’s decision cutting the heart out of most, class actions for robocalling. Echoing Congressional Democrats, Mark thinks the court’s decision is too narrow. I think it’s exactly right. We both expect Congress to revisit the law soon.

Nick Weaver and I explore the fuss over vaccination passports and how Silicon Valley can help. 

Considering what a debacle the Google and Apple effort on tracing turned into, with a lot of help from privacy zealots, I’m pleased that Nick and I agree that this is a tempest in a teapot. Paper vax records are likely to be just fine most of the time. That won’t prevent privacy advocates from trying to set unrealistic and unnecessary standards for any electronic vax records system, more or less guaranteeing that it will fall of its own weight. 

Speaking of unrealistic privacy advocates, Charles-Albert Helleputte explains why the much-touted General Data Protection Regulation privacy regime is grinding to a near halt as it moves from theory to practice. Needless to say, I am not surprised.

Mark and I scratch the surface of Facebook’s Fairness Flow for policing artificial intelligence bias. Like anything Facebook does, it’s attracted heavy criticism from the left, but Mark thinks it’s a useful, if limited, tool for spotting bias in machine learning algorithms.  I’m half inclined to agree, but I am deeply suspicious of the confession in one “model card” that the designers of an algorithm for identifying toxic speech seem to have juiced their real-life data with what they call “synthetic data” because “real data often has disproportionate amounts of toxicity directed at specific groups.” That sure sounds as though the algorithm relying on real data wasn’t politically correct, so the researchers just made up data that fit their ideology and pretended it was real—an appalling step for scientists to take with little notice.  I welcome informed contradiction. 

Nick explains why there’s no serious privacy problem with the IRS subpoena to Circle, asking for the names of everyone who has more than $20 thousand in cryptocurrency transactions. Short answer: everybody who doesn’t deal in cryptocurrency already has their transactions reported to the IRS without a subpoena.

Charles-Albert and I note that the EU is on the verge of finding that South Korea’s data protection standards are “adequate” by EU standards.  The lesson for the U.S. and China is simple: The Europeans aren’t looking for compliance; they’re looking for assurances of compliance. As Fleetwood Mac once sang, “Tell me lies, tell me sweet little lies.” 

Mark and I note the extreme enthusiasm with which the FBI used every high-tech tool to identify even people who simply trespassed in the Capitol on Jan. 6. The tech is impressive, but we suspect a backlash is coming. Nick weighs in to tell me I’m wrong when I argue that we didn’t see these tools used this way against Antifa’s 2020 rioters.

Nick thinks we haven’t paid enough attention to the Accellion breach, and I argue that companies are getting a little too comfortable with aggressive lawyering of their public messages after a breach. One result is likely to be a new executive order about breach notification (and other cybersecurity obligations) for government contractors, I predict.

And Charles and I talk about the UK’s plan to take another bite out of end-to-end encryption services, essentially requiring them to show they can still protect kids from sexual exploitation without actually reading the texts and pictures they receive. 

Good luck with that!

Download the 356th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-356.mp3
Category:general -- posted at: 12:20pm EDT

Our interview this week is with Francis Fukuyama, a fellow and teacher at Stanford and a renowned scholar and public intellectual for at least three decades. He is the coauthor of the Report of the Working Group on Platform Scale. It’s insightful on the structural issues that have enhanced the power of platforms to suppress and shape public debate. It understands the temptation to address those issues through an antitrust lens – as well as the reasons why antitrust will fail to address the threat that platform power poses to our democracy. As a solution, it proposes to force the platforms to divest their curatorial authority over what Americans (and the world) reads, creating a host of middleware suppliers who will curate consumers’ feeds in the way that consumers prefer. We explore the many objections to this approach, from first amendment purists to those, mainly on the left, who really like the idea of suppressing their opponents on the right. But it remains the one policy proposal that could attract support from left and right and also make a real difference.

In the news roundup, Dmitri Alperovich, Nick Weaver, and I have a spirited debate over the wisdom of Google’s decision to expose and shut down a western intelligence agency’s use of zero day exploits against terrorist targets. I argue that if a vulnerabilities equities process balancing security and intelligence is something we expect from NSA, it should also be expected of Google. 

Nate Jones and Dmitri explore the slightly odd policy take on SolarWinds that seems to be coming from NSA and Cyber Command – the notion that the Russians exploited NSA’s domestic blind spot by using US infrastructure for their attack. That suggests that NSA wants to do more spying domestically, although no such proposal has surface. Nate, Dmitri, and I are united in thinking that the solution is a change in US law, though Dmitri thinks a know your customer rule for cloud providers is the best answer, while I think I persuaded Nate that empowering faster and more automatic warrant procedures for the FBI is doable, pretty much as we did with the burner phone problem in the 90s.

The courts, meanwhile, seem to be looking for ways to bring back a Potter Stewart style of jurisprudence for new technology and the fourth amendment: “I can’t define it, but I know it when it creeps me out.” The first circuit’s lengthy oral argument on how long video surveillance of public spaces can continue without violating the fourth amendment is a classic of the genre. 

Dmitri and Nick weigh in on Facebook’s takedown of Chinese hackers using Facebook to target Uighurs abroad.

Dmitri thinks we can learn policy lessons from the exposure (and likely sanctioning) of the private Chinese companies that carried out the operation.

Dmitri also explains why CISA’s head is complaining about the refusal of private companies to tell DHS which US government agencies were compromised in SolarWinds. The companies claimed that their NDAs with, say, Treasury meant that they couldn’t tell DHS that Treasury had been pawned. That’s an all too familiar example of federal turf fights hurting federal cybersecurity.  

In our ongoing feature, This Week in U.S.-China Decoupling, we cover the “Disaster in Alaska” evaluate the latest bipartisan bill to build a Western technology sphere to compete with China’s sector, note the completely predictable process ousting of Chinese telecom companies from the US market, and conclude that the financial sector’s effort to defy the gravity of decoupling will be a hard act to maintain. 

Always late to embrace a trend, I offer Episode 1 of the Cyberlaw Podcast as a Non-Fungible Token to the first listener to cough up $150, and Nick explains why it would be cheap at a tenth the price, dashing my hopes of selling the next 354 episodes and retiring. 

Nick and I have kind words for whoever is doxxing Russian criminal gangs, and I suggest offering the doxxer a financial reward (not just a hat tip in a Brian Krebs column. We fewer kind words have for the prospect that AI will soon be able to locate, track, and bankrupt problem gamblers.   

I issue a rare correction to an earlier episode, noting that Israel may not have traded its citizens’ health data for first dibs on the Pfizer vaccine. It turns out that what was deidentified aggregate health data, Israel offered Pfizer which with proper implementation may actually stay aggregate and deidentified. And I offer my own hat tip to Peter Machtiger, for a student note in an NYU law journal that cites the Cyberlaw Podcast, twice!

And more!

Download the 355th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-355.mp3
Category:general -- posted at: 4:17pm EDT

Our news roundup for this episode is heavy on China and tech policy. And most of the news is bad for tech companies. Jordan Schneider tells us that China is telling certain agencies, not to purchase Teslas or allow them on the premises, for fear that Elon Musk’s famously intrusive record-keeping systems will give U.S. agencies insight into Chinese facilities and personnel. Pete Jeydel says the Biden administration is prepping to make the same determination about Chinese communications and information technology, sending subpoenas to a number of Chinese tech suppliers. Meanwhile, Apple’s effort to protect its consumers from apps that collect personal data is coming under pressure from what Jordan sees as a remarkable alliance of normally warring companies, including Baidu, Tencent and Bytedance. In addition to their commercial heft, all these companies likely have more juice in Beijing than Apple, so look for Tim Cook to climb down from his privacy high horse in China. (And Russia, where Apple has already agreed to let the Russian government specify the apps that must come preinstalled on iPhones sold in Russia.) Still, you can expect that Apple will continue to bravely refuse to cooperate with the FBI on terrorism and serious crime because that might set a precedent for cooperating with government demands in places like Russia and China (like them, I guess, but, you know, smaller).

But the episode gets its title from our discovery that President Xi’s critique of social media platforms sounds exactly like Sen. Josh Hawley’s. It is, in fact, the global bien pensant consensus, which has no dissenters to speak of now that the Chinese go to Davos. Jordan offers insights into why the Chinese government’s concerns about Big Tech might have its origins in something other than factional strife in Beijing.

David Kris and I dive into the final word from the intelligence community on foreign governments’ interference  (via hacking or influence ops) in our 2020 election. The short answer is that the Russians and the Chinese didn’t hack our election machinery, in fact they didn’t even try. So, chest-beating over our 2020 cyber defenses may be a little like doing a victory lap after the other team forfeits. David and I manage to disagree about a few things, including the Hunter Biden laptop story, which I contend is now the principal disinformation campaign of 2020, as the media and Big Tech combined to throttle the story on spurious suspicions of a Russian hand in its provenance; David disagrees.

Pete Jeydel and Ishan Sharma, our interview guest, weigh in on the latest cyber conflict paper from the United Nations. We all agree that it could be worse, and that getting the General Assembly to accept it was an achievement at a time of lowered expectations for the UN.

The Cyber Space Solarium Commission is not going away, Pete and I agree, as witness the most recent report card issued to the Biden administration by a Solarium staffer. In principle, that’s a good thing; commissions need to stick around and fight for their recommendations. But I can’t help complaining that some of the things the commission is fighting for—Senate confirmation of a White House cyber director, and cutting the Department of Homeland Security out of supply chain governance—are bad ideas. 

We close with a recognition of the rafts of material supplied over the years to the podcast by the data protection authorities of Europe. They’ve mostly always been an example of what Texans call “all hat and no cattle” – better talkers than doers. But now their lack of serious implementation skills is catching up to them, as the companies they have penalized begin to  pursue, and win, judicial appeals. That’s a trend likely to continue, and a good thing too.

Our interview is with Ishan Sharma, from the Federation of American Scientists, and author of “A More Responsible Digital Surveillance Future Multi-stakeholder Perspectives and Cohesive State & Local, Federal, and International Actions."

If you like the episodes where I disagree profoundly with my guests, this one’s for you. I don’t think Ishan gets more than two minutes in before the critiquing begins. Still, he holds his own, defending a vision of surveillance technology that serves democratic ends and is for that reason supported and even subsidized in a global competition with the less democratic alternatives from China. I suspect that he’ll lose friends on both the left and the right as he tries to walk this line, but he’s clearly put a lot of thought into finding an alternative to technopessimism, and he defends it ably.

And more!

Download the 354th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.



Direct download: TheCyberlawPodcast-354.mp3
Category:general -- posted at: 8:49am EDT

This week we interview Eliot Higgins, founder and executive director of the online investigative collective Bellingcat and author of We Are Bellingcat.

Bellingcat has produced remarkable investigative scoops on everything from Saddam’s use of chemical weapons to exposing the Russian FSB operatives who killed Sergei Skripal with Novichok, and, most impressive, calling a member of the FSB team that tried to kill Navalny and getting him to confess. Eliot talks about the techniques that make Bellingcat so effective and the hazards, physical and moral, that surround crowdsourced investigations.

In the news, Dave Aitel gives us the latest on the Exchange server compromise, and the reckless Chinese hack-everyone spree that was apparently triggered by Microsoft’s patch of the vulnerability.

Jamil Jaffer introduces us to the vulnerability of the week – dependency confusion, and the startling speed with which it is being exploited.

I ask Nate Jones and the rest of the panel what all this means for government policy.  No one thinks that the Biden published cyberstrategy tells us anything useful. More interesting are two deep dives on cyber strategy from people with a long history in the field. We see Jim Lewis’s talk on the topic as an evolution in the direction of much harsher responses to Russian and Chinese intrusions. Dmitri Alperovich’s approach also has a hard edge, although he points out that the utter irresponsibility of the Chinese pawn-em-all tactic  deserves an especially harsh response.  I wonder why Cyber Command didn’t respond by releasing a worm that would install poorly secured shells on every Exchange server in China. 

In other news, I blame poor (or rushed) Pentagon lawyering for the district court ruling that the Department of Defense couldn’t list Xiaomi as an entity aligned with the Chinese military. Jamil is more charitable both to DOD and the Judge who made the ruling, but he expects (or maybe just hopes) that the court of appeal will show the Pentagon more deference.

Twitter, on the other hand, is praying that the Northern District of California suffers from full-blown Red State Derangement, as it asks the court there to enjoin a Texas Attorney General investigation into possible anticompetitive coordination in the Great Deplatforming of January 2021.

Nate gives us the basics. I observe that, to bring such a Hail Mary of a case, Twitter must deeply fear what its own employees were saying about the deplatforming at the time. Neither Nate nor I give Twitter a high probability of success. And even if it does succeed, red states are lining up new laws and regulatory initiatives for Silicon Valley, most notably Gov. DeSantis’s controversial effort to navigate section 230 and the first amendment.

Nate also provides a remarkably clear explanation of the sordid tale of European intelligence and law enforcement agencies trying to cut a special deal for themselves in the face of surveillance-hostile rulings from the EU’s Court of Justice. The agencies are right to want to avoid those foolish decisions, but leaving the US on the hook will only inflame trans-Atlantic relations.

In quick hits, Jamil and Dave talk us through Israel’s Unit 8200, the press on which offers a better cybersecurity VC alumni network than Stanford. We also discuss recent news about security lapses in what Dave calls the internet of things.

And more!

Download the 353rd Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-353.mp3
Category:general -- posted at: 5:31pm EDT

We’re mostly back to our cybersecurity roots in this episode, for good reasons and bad. The worst of the bad reasons is a new set of zero-day vulnerabilities in Microsoft’s Exchange servers. They’ve been patched, Bruce Schneier tells us, but that seems to have inspired the Chinese government hackers to switch their campaign from Stealth to Promiscuous Mode. Anyone who hasn’t already installed the Microsoft patch is at risk of being compromised today for exploitation tomorrow.

Nick Weaver and Dmitri Alperovitch weigh in on the scope of the disaster and later contribute to our discussion of what to do about our ongoing cyberinsecurity. We’re long on things that don’t work. Bruce has pointed out that the market for software products, unfortunately, makes it entirely rational for industry to skimp on security while milking a product’s waning sales. Voluntary information sharing, has failed Dmitri notes. In fact, as OODA Loop reported in a devastating chart, information sharing is one of half a dozen standard recommendations made in the last dozen commission recommendations for cybersecurity. They either haven’t been implemented or they don’t work.

Dmitri is hardly an armchair quarterback on cybersecurity policy. He’s putting his money where his mouth is, in the form of the Silverado Policy Accelerator, which we discuss during the interview segment of the episode. Silverado is focused on moving the cybersecurity policy debate forward in tangible, sometimes incremental, ways. It will be seeking new policy ideas in cybersecurity, international trade and industrial security, and ecological and economic security (what the group is calling Eco2Sec).

(The unifying theme is the challenge to the US posed by the rise of China and the inadequacy of our past response to that challenge.) But ideas are easy; implementation is hard. Dmitri expects Silverado to focus its time and resources both on identifying novel policy ideas and on ensuring those ideas are transformed into concrete outcomes.

Whether artificial intelligence (AI) would benefit from some strategic decoupling sparks a debate between me, Nick, Jane Bambauer and Bruce, inspired by the final AI commission report. We shift from that to China’s version of industrial policy, which seems to reflect Chinese politics in its enthusiasm not just for AI and chips but also for keeping old leaders alive longer.

Jane and I check in on the debate over social media speech suppression, including the latest developments in the Facebook Oversight Board and the unusual bedfellows that the issue has inspired. I mock Google for YouTube’s noblesse oblige promise that it will stop suppressing President Trump’s speech when it no longer sees a threat of violence on the Right. And then I mock it again for its silly refusal to return search results for “BlueAnon”—the Right’s label for the Left’s wackier conspiracy theories.

In quick hits, Bruce and Dmitri explore a recent Atlantic Council report on hacked access as a service and what to do about it. Bruce thinks the problem (usually associated with NSO Group) is real and the report’s recommendations plausible. Dmitri points out that trying to stamp out a trade in zero days is looking at the wrong part of the problem, since reverse engineering patches is the source of most successful attacks, not zero days.  Speaking of NSO Group, Nick reminds us of the rumors that they have been under criminal investigation and that the investigation has been revived recently.

Jane notes that Virginia has become the second state with a consumer data protection law, and one that resembles the California Consumer Privacy Act. 

Jane also notes the Israeli Supreme Court decision ending (sort of) Shin Bet’s use cellphone data  for coronavirus contact tracing. Ironically, it turns out to have been more effective than most implementations of the Gapple privacy-crippled app. 

Bruce and Dmitri celebrate the hacking of three Russian cybercrime forums for the rich array of identity clues the doxxing is likely to make available to researchers like Bellingcat (whose founder will be our interview guest on Episode 353 of the Cyberlaw Podcast).

And more!

Download the 352nd Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-352.mp3
Category:general -- posted at: 12:41pm EDT

In the news roundup, David Kris digs into rumors that Chinese malware attacks may have caused a blackout in India at a time when military conflict was flaring on the two nation’s Himalayan border. This leads us to Russia’s targeting of the U.S. grid and to uneasy speculation on how well our regulatory regime is adapted to preventing successful grid attacks.

The Biden administration is starting to get its legs under it on cybersecurity. In its first major initiative, Maury Shenk and Nick Weaver tell us, it has called for a set of studies on how to secure the supply chain in several critical products, from rare earths to semiconductors. As a reflection of the rare bipartisanship of the issue, the president’s order is weirdly similar to Sen. Tom Cotton’s to “beat China” economically. 

Nick explains the most recent story on how China repurposed an NSA attack tool to use against U.S. targets. Bottom line: It’s embarrassing for sure, but it’s also business as usual for attack teams. This leads us to a surprisingly favorable review of the Cyber Threat Alliance’s recent paper on how to run a Vulnerability Equities Process.

Maury explains the new rules that Facebook, WhatsApp and Twitter will face in India. 

Among other things, the rules will require Indi-based “grievance officers”to handle complaints. I am unable to resist snarking that if ever there were a title that the wokeforce at these companies should aspire to, it’s Chief Grievance Officer.

Nick and I make short work of two purported scandals—ICE investigators using a private utility database to enforce immigration law and the IRS purchasing cellphone location data. I argue that the first is the work of ideologues who would loudly protest ICE access to the White Pages. And the second is a nonstory largely manufactured by Sen. Wyden. 

In a story that isn’t manufactured, David and I predict that the Supremes will agree to decide the scope of cellphone border searches.  More than that, we conclude, the Ninth Circuit will lose. The hard question is how broadly the Court decides to rule once it has kicked the Ninth Circuit rule to the curb.

Maury reports that Facebook and Google have pushed the Aussie government into a compromise on paying Aussie media fees for links. 

Facebook gets the credit for being willing to shoot the family members the government was holding hostage (although in Facebook’s case, the hostage was probably a second cousin once removed). 

Maury predicts that the negotiations will be tougher once the European Union starts rounding up its hostages.  

In quick hits, I claim credit for pointing out years ago that sooner or later the crybullies would come for  “quantum supremacy.” And they have.

Maury and I note the rise of audits for AI bias. 

He’s mildly favorable; I am not. And I close by noting the surprisingly difficult choices illustrated by Pro Publica’s story on how the content moderation sausage was made at Facebook when the Turkish government demanded that a Kurdish group’s postings be taken down. 

And more!

Download the 351st Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-351.mp3
Category:general -- posted at: 11:24am EDT

This episode features an interview with Jason Fagone, journalist and author of The Woman Who Smashed Codes: A True Story of Love, Spies, and the Unlikely Heroine Who Outwitted America's Enemies. I wax enthusiastic about Jason’s book, which features remarkable research, a plot like a historical novel, and deep insights into what I call the National Security Agency’s (NSA) “pre-history”—the years from 1917 through 1940 when the need for cryptanalysis was only dimly perceived by the US government. Elizebeth and William Friedman more or less invented American cryptanalysis in those years, but the full story was never known, even to NSAers. It was protected by a force even stronger even than classification—J. Edgar Hoover’s indomitable determination to get good press for the FBI even when all the credit belonged elsewhere. And, at all its crucial stages, that prehistory is a love story that lasted, literally, right to the grave. Don’t miss this (long!) interview with Jason Fagone, or his book.

Meanwhile, in the news roundup. Dmitri Alperovitch covers the latest events in what we just can’t call the SolarWinds hack any more. There’s no doubt that Microsoft code is at the center of the hack, though not because of unintended features; the hackers showed great interest in Microsoft’s code. Dmitri predicts multiple executive orders from Anne Neuberger’s review, and he hopes it means more centralization of federal civilian security monitoring and policy under the Cybersecurity and Infrastructure Security Agency. Dmitri and I agree that the Congressional effort to turn the cybersecurity director position into a Senate-confirmed White House office is more trouble than it’s worth.

The Maryland law imposing taxes on Google and Facebook ad revenue is ground-breaking, and for that reason, it will also be heavily litigated. First time caller, first time listener David Fruchtman explains the tax and the litigation it has already spawned.

Which came first, China’s dream of a rare-earth boycott or U.S. nightmares of a rare-earth boycott? We ask Jordan Schneider, who suggests that neither the dream nor the nightmare is likely to come true any time soon.

Is Australia going to war with Big Tech?  I take on Oz’s link fee and end up siding, improbably, with Mike Masnick and Facebook and against the fee. Meanwhile, the Australian infrastructure protection bill is drawing fire from Microsoft. Dmitri leans toward Microsoft’s view that the law should not give government authority to intervene when a private sector entity is unable or unwilling to respond to an attack.  I lean toward the government.

Jordan Schneider reviews the latest stories of tech companies getting a little too close for comfort to the Chinese surveillance state. The ByteDance censorship story is compelling but not new.  The Oracle story is compelling, new, and a clever piece of journalism by another alumna of the podcast, Mara Hvistendahl: Feeding the Beast: How Oracle Sells Repression in China 

Finally, in a series of quick bites, we cover:

And more!

Download the 350th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-350.mp3
Category:general -- posted at: 8:31am EDT

Our interview this week is with Nicole Perlroth, The New York Times reporter and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. It’s wide-ranging, occasionally confrontational and a great tour of the issues raised in the book about 0-day exploits, U.S. responsibility for the global cyber arms race and the colorful personalities whose hard choices helped shape the cybersecurity environment we all now live in.

In the news roundup, Nate Jones serves up a second helping of the SuperMicro story, a rerun of a much-maligned Bloomberg report from two years ago that SuperMicro gear had been elaborately compromised by China. This time, Nate reports, Bloomberg offers much more evidence, but probably not enough to completely satisfy the critics. Still, as we conclude, even giving the critics their due, this is a very bad story for SuperMicro—and for its customers. 

It seemed like a classic cybersecurity horror story, with hackers using access to the industrial control system to nearly poison Oldsmar, Florida’s water supply. But Nate and I both suspect that it will turn out to be a much more mundane horror story, one where the call is always coming from inside the house—and untraceable because all the employees use the same password and no firewall.

Paying for news links is suddenly all the rage among Western governments. I’d link to the Australian stories about their new law, but I’m afraid they’d want me to pay them. Mark MacCarthy says that risk is overrated, but the prospect for such payment schemes is pretty good. Not just Australia, but also the European Union is moving in this direction.

And Microsoft has expressed its willingness to let Google pay such a fee in the U.S. I suggest that this is all part of restoring an establishment of “authoritative narrative shapers,” in an internet age, noting that the critical question will be which publishers can attach themselves to the flow of internet funding—a question already causing angst among French publishers.

Paul Rosenzweig summarizes the work done by a lot of smart people on the question of how to think about Chinese technology platforms operating in the United States. He also summarizes the current state of litigation over Chinese technology platforms operating in the United States. In a word, it’s mostly on hold, waiting for the Biden administration to run a laborious interagency review.

Nate says the process has already begun for a related topic—how to secure the U.S. tech supply chain, particularly manufacturing semiconductors.

Meanwhile, the U.S. Court of Appeals for the First Circuit has taken on the question of border searches of mobile phones, ruling against a coalition of cyberleft organizations. There is now a circuit conflict that could bring the Supreme Court into the fray—soon if the cyberleft losers are imprudent enough to seek cert but not much longer than that if the Solicitor General picks a favorable case to lose in the U.S. Court of Appeals for the Ninth Circuit.

In short hits, I wonder at just how bad open source security has gotten, noting a clever hack that pawned many companies by providing a public (and compromised) package in a public repository, thereby trumping the companies’ private packages.

Luckily, NIST is all over open source security. Or not. It turns out that NIST is actually offering a host of insecure open source  products with known flaws. The purpose of the products? Better computer security, naturally. 

The creative policing award of the week goes to the Beverly Hills cop who expresses his unhappiness with being filmed on the job by playing background snippets of songs that will get the video taken down by copyright bots if it is ever posted. 

In the “about time” category, a Canadian woman who defamed dozens of ordinary people in online vendettas has been arrested in Toronto.  

And EncroChat, the phone that promised criminals absolute security but delivered them into the hands of law enforcement has spawned a complicated debate about whether stealing messages from memory was wiretapping or hacking. 

Finally, either The Cyberlaw Podcast has hit a new height or the Harvard Law Review has hit a new low: Looking for a way to sum up the European Court of Justice’s ruling in Schrems II , a student note in the review quotes from the podcast, characterizing Schrems II as “solipsistic Europocrisy meets judicial imperialism.” Couldn’t have said it better myself!

And more!

Download the 349th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-349.mp3
Category:general -- posted at: 9:30am EDT

This episode features a deep dive into the National Security Agency’s (NSA) self-regulatory approach to overseas signals intelligence, or SIGINT. Frequent contributor David Kris takes us into the details of the SIGINT Annex that governs NSA’s collections outside the U.S. It turns out to be a surprising amount of fun as we stop to examine the SIGINT turf wars of the 1940s, the intelligence scandals of the 1970s, and how they shaped NSA’s corporate culture.

In the news roundup, Bruce Schneier and I review the privacy commissioner’s determination that Clearview artificial intelligence (AI) violated Canadian privacy law by scraping Canadians’ photos from social media.

Bruce thinks Clearview had it coming; I’m skeptical, since it appears that pretty much everyone has been scraping public face data for their machine learning collections for years.

David Kris explains why a sleepy investment review committee with practically no staff is now being compared to a SWAT team. The short answer is “CFIUS.”

More and more, Gus Hurwitz and I note, Big Tech CEOs are being treated like comic book supervillains in Washington.  But have they met their match? Sen. Amy Klobuchar is clearly campaigning to be, if not attorney general, then their nemesis. Like Doc Ock, she’s throwing punch after punch at Big Tech, not just in antitrust legislation but Section 230 reform as well.

We’re not done with SolarWinds yet, and Bruce Schneier thinks that’s fair. He critiques the company for milking profits from its software niche without reinvesting in security.

Gus revives the theme of Big Tech at bay, noting that Australia may start charging Google when it links to Australian news stories and that the new administration seems quite willing to join the rest of the world in imposing more taxes on tech profits.

David covers the flap between India and Twitter, which is refusing to follow an Indian order to suppress several Twitter accounts. That’s probably, I suggest, because there is insufficient proof that the accounts in question belong to Republicans.

IBM seems to be bailing on blockchain, and Bruce thinks it’s about time.  In some ways, IBM is the most interesting of tech companies, since it has less of a moat around its business than most and must live by its wits, which are formidable. Bruce offers quantum computing as an example of IBM doing the right things well.

Bruce and Gus help me with a preview of an upcoming interview of Nicole Perlroth as we cover an op-ed pulled from her new book. Bruce also offers a quick assessment of the draft report of the National Security Commission on Artificial Intelligence. The short version: There isn’t enough there there.

Finally, Gus reminds us that a prophet who predicts the attention economy but then refuses to play by its rules is almost guaranteed to end up as an attention Cassandra, as Michael Goldhaber has.  

And more!

Download the 348th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-348.mp3
Category:general -- posted at: 12:14pm EDT

The U.S. has never really had a “cyberczar.” Arguably, though, the U.K. has. The head of the National Cyber Security Center (NCSC) combines the security roles of the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. To find out how cybersecurity issues look from that perspective, we interview Ciaran Martin, the first director of the NCSC.

In the news roundup, Paul Rosenzweig sums up recent successes in taking down the NetWalker  and Emotet hacking networks: It’s a win, and that’s good, but we will need more than this to change the overall security status of the country.

Jordan Schneider explains the remarkable trove of leaked Chinese police records and the extraordinary surveillance now being imposed on the Uighur minority in China.

Enthusiasts for end-to-end encryption should be worried, Mark MacCarthy and I conclude. First, the EU—once a firm advocate of unbreakable encryption—is now touting “security through encryption and security despite encryption.” You can only get the second with some sort of lawful access, an idea that has now achieved respectability inside Brussels government circles, despite lobbying by e2e messaging firms based in Europe. On top of that, there’s a growing fifth column of encryption skeptics inside the firms, whose sentiments can be summarized as, “I’m all for cop-proof encryption as long as it isn’t used by lawbreakers who voted for Trump.” 

Paul brings us up to speed on the Office 36—I mean the SolarWinds—attack. Turns out lots of companies were compromised without any connection to SolarWinds. The episode shows that information sharing about exploits still has a ways to go. And if you’re a lawyer who’s been paying ten cents a page for downloads from the federal courts’ electronic filing system, whatever you’ve been paying for, it isn’t security. The attackers got in there, and as a result, we’ll be making sensitive filings on paper.  First voting, then suing—more and more of our lives are heading off line.

Does China want your DNA, and why? I have a truly scary suggestion, and Jordan tries to talk me down.

The Facebook Oversight Board has issued its first decisions. Paul and Mark touch on the highlights. I predict that the board will overrule Trump’s deplatforming, to surprisingly little dissent. 

Jordan and I dig into two overviews of U.S. tech and military competition. It starts to feel a little incestuous when it turns out we all know the authors—and that Jordan has invited them all to be on his excellent podcast, ChinaTalk.

In short hits, I predict that Beijing will fight CFIUS to the last dollar of TikTok revenue. And could easily win. I question YouTube’s demonetization of the Epoch Times, but Jordan has less sympathy for the paper. I’m less flexible about Google’s hard-to-justify decision to block the ads of a group that (like most Americans) opposes Democratic proposals to pack the Supreme Court. And if you’re wondering how dumb stuff like this happens, the L.A.Times gives an object lesson. Faced with a campaign to recall California Governor Gavin Newsom, the Times dug into the online organizations supporting recall. Remarkably, it found that the groups included a lot of the same kinds of folks who came to Washington in January to protest President Biden’s victory. Shortly after that drive-by festival of guilt by association, Facebook banned ads supporting the recall movement.

And more!

Download the 347th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-347_.mp3
Category:general -- posted at: 8:01pm EDT

It’s a story that has everything, except a reporter able to tell it. A hostile state attacking the U.S. power grid is a longstanding and quite plausible national security concern.

The Trump administration was galvanized by the threat, even seizing Chinese power equipment at the port to do a detailed breakdown and then issuing an executive order and follow-up rulings designed to cut Chinese products from the supply chain.

Yet the Biden administration suspended this order for 90 days—the only Trump cybersecurity order to be called into question so far.

Industry lobbying? Chinese maneuvering? Tech uncertainty?  No one knows, but Brian Egan and I at least sketch the outlines of an irresistible story that will have to wait for a persistent journalist.

The SolarWinds story needs a new moniker, as the compromises spread beyond the scope of SolarWinds distributions to victims like Malwarebytes.

Increasingly, it looks as though Microsoft and its cloud are the common denominators, Sultan Meghji and I observe, but that’s one moniker the story will never acquire.

In other cyber news, the Chinese are stealing airline passenger reservation data, Sultan notes.

Maybe they’re just trying to find out when Mike Pompeo next plans to come to China so they can meet him at the airport and enforce their latest sanctions—no Great Wall tours for you, Mr. Secretary!

This is our last week of Trumpian cyber news, so we wallow in it. The President issued a last-minute order calling for an assessment of the security risks of Chinese drones, Maury Shenk tells us.

And Brian unpacks the other last-minute order requiring U.S. cloud providers to know which foreigners they are selling virtual machines to.

I claim victory in my short letter to former Secretary of the Treasury Steven Mnuchin, suggesting that, instead of jamming a cryptocurrency regulation through on his watch, he concentrates on convincing the newly confirmed Secretary Janet Yellen to carry through.  If he took my advice, it seems to have worked. Sultan reports that she is showing signs of wanting to "curtail" cryptocurrency. 

In other news, Sultan boldly predicts the advent of interplanetary cryptocurrency in Elon Musk’s lifetime.

Brian and I unpack the latest Cyberspace Solarium Commission product—Transition Book—which is persuasive for the Biden administration.

I predict that the statutorily mandated cybersecurity director will have to be subordinated to the deputy national security adviser for cybersecurity for the office to be accepted in the administration.

And in quick hits, Maury covers the surprisingly robust European enforcement of employee protections against video surveillance. I explain Parler’s loss in trying to overturn the Amazon Web Services ban that pushed it off the internet. Sultan explains why the Biden Peloton is a cybersecurity risk, and I tip my hat to the president’s physical fitness.  

I summarize the Michael Ellis story; he held the job of NSA's general counsel for about a day before a political witch-hunt caught up with him, and may never serve another day.  

And, finally, a little schadenfreude for the European Parliament, which is being investigated by the EU’s lead data regulator for poor cookie notices on a website it set up for Members of the European Parliament to book coronavirus tests. The complainant? Max Schrems, who is on his way to becoming as unpopular with European politicos as he is in the U.S.

And more!

 

Download the 346th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-346.mp3
Category:general -- posted at: 11:34am EDT

We interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of “COVID-19 Apps Are Terrible—They Didn't Have to Be,” a paper for Lawfare’s Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and privacy laws. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional enthusiasm for privacy.

In the news roundup, suddenly face recognition isn’t toxic at all, since it can be used to identify pro-Trump protestors. And, of course, we have always been at war with Oceania. Dave Aitel explains why face recognition might work even with a mask but still not be very good.  And Jane Bambauer reprises her recent amicus argument that Illinois’s biometric privacy law is a violation of the First Amendment.

If you heard last week’s episode about Silicon Valley speech suppression, you might be interested in seeing the proposal I came up with then, now elaborated in a Washington Post op-ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.

Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.

Not dead yet, the Trump administration has delivered regulations for administering the executive order allowing the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics. 

Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, but more work for lawyers.

I ride one more hobbyhorse, critiquing Mozilla’s decision to protect “user privacy” while imposing new burdens and risks on enterprise security. The object of my ire is Firefox’s Encrypted Client Hello. Dave corrects my tech but more or less confirmed that this is one more nail in the coffin for chief information security officer’s control of corporate networks.

Matthew Heiman and I dig into the latest ransomware gang tactics—going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails

In a few quick hits, Maury tells us about the CNIL’s decision that privacy law prevents France from using drones to enforce its coronavirus rules.

I note a new Federal Deposit Insurance Corporation cybersecurity rule that isn’t (yay!) grounded in personal data protection.

Maury explains the recent EU advocate general’s opinion, which would probably make Schrems II even less negotiable than it is now.  If it’s adopted by the European Court of Justice, which I argue it will be unless the court can find some resolution that is even more anti-American than the advocate general’s proposal.

And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues—a reorganization that may not last longer than a few months.

And more!

Download the 345th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-345.mp3
Category:general -- posted at: 3:10pm EDT

In this episode, I interview Zach Dorfman about his excellent reports in Foreign Policy about U.S.-Chinese intelligence competition in the last decade. Zach is a well-regarded national security journalist, a senior staff writer at the Aspen Institute’s Cyber and Technology program and a senior fellow at the Carnegie Council for Ethics in International Affairs. We dive deep into his tale of how the CIA achieved remarkable penetration of the Chinese government and then lost it, inspiring China to build a far more professional and formidable global intelligence network.

In the news roundup, we touch on the disgraceful riot at the Capitol this week, and I criticize Silicon Valley’s rush to score points against the right in a way it never did with the BLM demonstrations last summer. Nate Jones disagrees with my take, but we manage to successfully predict Parler’s shift from platform to (antitrust) plaintiff and to bond over my proposal to impose heavy taxes on social media with more than ten million users. Really, why spend three years in court trying to break‘em up when you can get them to do it themselves and raise money to boot?

SolarWinds keep blowing. Sultan Meghji and Zach Dorfman give us the latest on the attribution to Russia, the fine difference between attack and espionage and the likelihood of direct or indirect regulation.

Pete Jeydel and Sultan cover the latest round of penalties imposed by the rapidly dwindling Trump administration on Chinese companies.

Nate dehypes the UK High Court decision supposedly ruling mass hacking illegal. He previews some Biden appointments, and we talk about the surprising rise of career talent and why that might be happening. Nate also critiques former Director of National Intelligence Ric Grenell after accusations of politicization of intelligence. I’m kinder. But not when I condemn Distributed Denial of Services for joining forces with ransomware gangs to punish victims; it’s hard to believe that anyone could make Julian Assange and Wikileaks look responsible, but they do. Speaking of Julian, he’s won another Pyrrhic victory in court – likely extending his imprisonment with another temporizing win.

And more!

Download the 344th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-344.mp3
Category:general -- posted at: 4:10pm EDT

Episode 343 of the Cyberlaw Podcast is a long meditation on the ways in which technology is encouraging other nations to exercise soft power inside the United States. I interview Nina Jankowicz, author of How to Lose the Information War on how Russian disinformation has affected Poland, Ukraine and the rest of Eastern Europe—and the lessons, if any, those countries can offer a divided United States. 

In the news, Bruce Schneier and I dig for more lessons in the rubble left behind by the SolarWinds hack. Nobody comes out looking good. Persistent engagement and defending forward only works if you’re actually, you know, engaged and defending, and Russia’s cyberspies managed (not surprisingly) to have hidden their achievement from the National Security Agency (NSA) and Cyber Command.

More and better defense is another answer (not that it’s worked for the last 40 years it’s been tried). But whatever solution we pursue, Bruce makes clear, it’s going to be expensive. 

Taking a quick break from geopolitics, Michael Weiner gives us a rundown on the new charges and details (mostly redacted) in the Texas case against Google for monopolization and conspiring with competitor Facebook. The scariest thing about the case from Google’s point of view, though, may be where it’s been filed. Not Washington but Beaumont, Texas, the most notoriously pro-plaintiff, anti-corporate jurisdiction in the country.

Returning to ways in which foreign governments are using our technology against us, David Kris tells the story of the Zoom executive who used pretextual violations of terms of service to take down speech the Chinese government didn’t like, censoring American efforts to hold a Tiananmen memorial. The good news: He was indicted by the Justice Department. The bad news: I can’t help suspecting that China learned this trick from lefty ideologues in Silicon Valley. 

Aaand, right on cue, it turns out that China’s been accused of using its 50-cent army to file complaints of racism and video game violence to get YouTube to demonetize Americans using the platform to criticize China’s government. 

Then Bruce points us toward a deep and troubling series of Zach Dorfman articles about how effectively China is using technology to vault over US intelligence agencies in the global spying competition. 

And in quick succession, David Kris explains what’s new and what’s not in Israel’s view of international law and cyberconflict. 

I note that President Trump’s NDAA veto has been overridden, making the cyberczar and DHS’s CISA the biggest winners in the cyber policy arena.

Bruce and I give a lick and a promise to the FinCen proposed rule regulating cryptocurrency. We’re both inclined to think more reregulation is worth pursuing, but we agree it’s too late for this administration to get anything on the books.

David Kris notes that Twitter has been fined around $550,000 over a data breach filing that was a few days late – by the Irish data protection office, in a GDPR ruling that is a few years late. 

Apple has lost its bullying copyright battle against security start-up Corellium but the real risk to Corellium may be in the as-yet unresolved claim for violation of the DMCA.

And Trump’s DHS is leaving office with new warnings about the cyber risks of Chinese technology, this time touching on backdoors in TCL smart TVs and spillage from Chinese data services. 

And more.

Download Episode 343 (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-343.mp3
Category:general -- posted at: 12:12pm EDT

Our interview is with Alex Stamos, who lays out a complex debate over child sexual abuse that’s now roiling Brussels. The application of European privacy standards and artificial intelligence (AI) hostility to internet communications providers has called into question the one tool that has reduced online child sex predation. Scanning for sex abuse images works well, and even scanning for signs of “grooming” is surprisingly effective. But they depend on automated monitoring of communications content, something that has come as a surprise to European lawmakers hoping to impose more regulation on American tech platforms. Left unchanged, the new European rules could make it easier to abuse children.  Alex explains the rushed effort to head off that disaster—and tells us what Ashton Kutcher has to do with it (a lot, it turns out).

Meanwhile, in the news roundup, Michael Weiner breaks down the Federal Trade Commission's (FTC) (and the states’) long-awaited antitrust lawsuit against Facebook. Maybe the government will come up with something as the case moves forward, but its monopolization claims don’t strike me as overwhelming.  And, Mark MacCarthy points out, the likelihood that the lawsuit will do something good on the privacy front is vanishingly small. 

Russia’s SVR, heir of the KGB, is making headlines with a remarkably sophisticated and well-hidden cyberespionage attack on a lot of institutions that we hoped were better at defense than they turned out to be. Nick Weaver lays out the depressing story, and Alex offers a former CISO’s perspective, arguing for a federal breach notification law that goes well beyond personal data and includes disciplined after-action reports that aren’t locked up in post-litigation gag orders. Jamil Jaffer tells us that won’t happen in Congress any time soon.

Jamil also comments on the prospects for the National Defense Authorization Act (NDAA), chock full of cyber provisions and struggling forward under a veto threat. If you’re not watching the European Parliament tie itself in knots trying to avoid helping child predators, tune in to watch American legislators tie themselves into knots trying to pass an important defense bill without drawing the ire of the President.

The Federal Communications Commission (FCC), in an Ajit Pai farewell, has been hammering Chinese telecoms companies. In one week, Jamil reports, the FCC launched proceedings to kick China Telecom out of the U.S. infrastructure, reaffirmed its exclusion of Huawei from the same infrastructure and adopted a “rip and replace” mandate for U.S. providers who still have Chinese gear in their networks.

Nick and I clash over the latest move by Apple and Google to show their contempt for US counterterrorism efforts—the banning of a location data company whose real crime was selling the data to (gasp!) the Pentagon.

Mark explains the proposals for elaborate new regulation of digital intermediaries now working their way through—where else? Brussels. I offer some cautious interest in regulation of “gatekeeper” platforms, if only to prevent Brussels and the gatekeepers from combining to slam the Overton window on conservatives’ fingers. 

Mark also reports on the Trump administration's principles for U.S. government use of AI, squelching as premature my celebration at the absence of “fairness” and “bias” can’t.

Those who listen to the roundup for the porn news won’t be disappointed, as Mark and I dig into the details of Pornhub’s brush with cancellation at the hands of Visa and Mastercard—and how the site might overcome the attack.

In short hits, Nick and I disagree about Timnit Gebru, the “ethicist” who was let go at Google after threatening to quit. I report on the enactment of a modest but useful internet-of-things cybersecurity law and on the doxxing of the Chinese Communist Party membership rolls as well as the adoption of the most law-enforcement-hostile technology yet to come out of Big Tech—Amazon’s Sidewalk. 

And More!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-342.mp3
Category:general -- posted at: 9:06am EDT

Did you ever wonder where all that tech money came from all of a sudden? Turns out, a lot of it comes from online programmatic ads, an industry that gets little attention even from the companies, such as Google, that it made wealthy. That lack of attention is pretty ironic, because lack of attention is what’s going to kill the industry, according to Tim Hwang, former Google policy maven and current research fellow at the Center for Security and Emerging Technology (CSET).

In our interview, Tim Hwang explains the remarkably complex industry and the dynamics that are gradually leaching the value out of its value proposition. Tim thinks we’re in an attention bubble, and the popping will be messy.  I’m persuaded the bubble is here but not that its end will be disastrous outside of Silicon Valley.

Sultan Meghji and I celebrate what seems like excellent news about a practical artificial intelligence (AI) achievement in predicting protein folding. It’s a big deal, and an ideal problem for AI, with one exception.  The parts of the problem that AI hasn’t solved would be a lot easier for humans to work on if AI could tell us how it solved the parts it did figure out.  Explainability, it turns out, is the key to collaborative AI-human work.

We welcome first time participant and long-time listener Jordan Schneider to the panel. Jordan is the host of the unmissable ChinaTalk podcast. Given his expertise, we naturally ask him about … Australia.  Actually, it’s natural, because Australia is now the testing ground for many of China’s efforts to exercise power over independent countries using cyber power along with trade. Among the highlights: Chinese tweets highlighting a report about Australian war crimes followed by a ham-handed tweet-boosting bot campaigns. And in a move that ought to be featured in future justifications of the Trump administration’s ban on WeChat, the platform refused to carry the Australian prime minister’s criticism of the war-crimes tweet. 

Ted Cruz, call your office! And this will have to be Sen. Cruz’s fight, because it looks more and more as though the Trump administration has thrown in the towel. Its claim that it is negotiating a TikTok sale after ordering divestment is getting thinner; now the divestment deadline has completely disappeared, as the government simply says that negotiations continue. Nick Weaver is on track to win his bet with me that CFIUS won’t make good on its order before the mess is shoveled onto Joe Biden’s plate.

Whoever was in charge of beating up WeChat and TikTok may have left the government early, but the team that’s sticking pins in other Chinese companies is still hard at work. Jordan and Brian Egan talk about the addition of SMIC to the amorphous defense blacklist. And Congress has passed a law (awaiting the president’s signature) that will make life hard for Chinese firms listed on U.S. exchanges. 

China, meanwhile, isn’t taking this lying down, Jordan reports. It is mirror-imaging all the Western laws that it sees as targeting China, including bans on exports of Chinese products and technology. It is racing (on what Jordan thinks is a twenty-year pace) to create its own chip design capabilities. And with some success. Sultan takes some of the hype out of China’s claims to quantum supremacy.  Though even dehyped, China’s achievement should be making those who rely on RSA-style crypto just a bit nervous (that’s all of us, by the way).

Michael Weiner previews the still veiled state antitrust lawsuit against Facebook and promises to come back with details as soon as it’s filed. 

In quick hits, I explain why we haven’t covered the Iranian claim that their scientist was rubbed out by an Israeli killer robot machine gun: I don’t actually believe them. Brian explains that another law aimed at China and its use of Xinjian forced labor is attracting lobbyists but likely to pass. Apple, Nike, and Coca-Cola have all taken hits for lobbying on the bill; none of them say they oppose the bill, but it turns out there’s a reason for that. Lobbyists have largely picked the bones clean.

President Trump is leaving office in typical fashion—gesturing in the right direction but uninteresting in actually getting there. In a “Too Much Too Late” negotiating move, the President has threatened to veto the defense authorization act if it doesn’t include a repeal of Section 230 of the Communications Decency Act. If he’s yearning to wield the veto, the Democrats and GOP alike seem willing to give him the chance.  They may even override, or wait until January 20 to pass it again. 

Finally, I commend to interested listeners the oral argument in the Supreme Court’s Van Buren case, about the Computer Fraud and Abuse Act. The solicitor general’s footwork in making up quasi textual limitations on the more sweeping readings of the act is admirable, and it may well be enough to keep van Buren in jail, where he probably belongs for some crime, if not this one. 

And more.

Download the 341st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-341_.mp3
Category:general -- posted at: 2:35pm EDT

Our interview in this episode is with Michael Daniel, formerly the top cybersecurity adviser in the Obama administration’s National Security Council and currently the CEO of the Cyber Threat Alliance (CTA).  Michael lays out CTA’s mission. Along the way he also offers advice to the Biden cyber team—drawing in part on the wisdom of Henry Kissinger.

In the news roundup, Michael joins Jamil Jaffer and Nate Jones to mull the significance of Bruce Reed’s appointment to coordinate technology issues in the Biden White House.  Reed’s tough take on Silicon Valley companies and Section 230 may form the basis of a small-ball deal with Republicans on things like child sex abuse material, but none of us think a broader reconciliation on content moderating obligations is in the offing.

When it comes to regulating the tech sector, Brussels is a fount of proposals. The latest, unpacked by Jamil and Maury Shenk, is intended to build on the dubious success of GDPR in jumpstarting the EU’s technology industry.

Maury and I puzzle over exactly how a Russian divorcee won a court order allowing access to her estranged son’s Gmail account. Our guess: the court stretched a point to conclude that the son had consented.

Another day, another China-punishing measure from the Trump administration: Jamil explains the administration’s vision of a bloc of countries that will unite in resistance to China’s punitive trade retaliation against inconvenient Western countries, most notably Australian, now getting hit hard by China.

Meanwhile, Maury reports that the administration has identified nearly 90 Chinese companies that are too closely tied to the Chinese military for purposes of export control licenses. The only good news for U.S. exporters is that the list eliminates some ambiguity about the status of some companies.

Maury also gives an overview of what most of us think is an oxymoron: Privacy in China. In fact, there is growing attention to protecting privacy at least from commercial companies. And harsh enforcement, as always, makes observers wonder “who did that company piss off?” before they wonder “what did that company do wrong?”

Maury also reports on the effort to revive Privacy Shield—and on just how little the negotiators have to work with.

Jamil comments on the ever-rising cost of cybersecurity, and possible implications for bank consolidation.

Nate reviews the privacy and security doubts about Amazon’s Sidewalk feature, which turns Alexa devices into neighborhood WiFi networks.

Maury and I note that the deadline for a TikTok sale is still a week away and maybe always will be.

Jamil wonders why ZTE asked the Federal Communications Commission (FCC) to reconsider its exclusion of the company from the U.S. telecoms infrastructure. The FCC order denying the request was not exactly a marketing triumph.

Jamil and I have fun asking how much snooping will go on in a proposed new fiber-optic network linking Saudi Arabia and Israel.

Nate is not surprised that France is pushing its tax for the (U.S.) tech sector, but we debate whether the timing will turn out to be good for France or bad. I claim that the White House’s short attention span is France’s best friend.

Maury and I try to figure out whether there’s a public policy case in favor of the Rivada plan to take over a bunch of the Department of Defense spectrum and rent out whatever is excess to the department needs. Maybe there is, but we can’t find it.

And more.

Download the 340th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

Direct download: TheCyberlawPodcast-340.mp3
Category:general -- posted at: 8:55am EDT

This is my favorite story of the episode. David Kris covers a report from the Privacy and Civil Liberties Oversight Board on the enormous value that European governments get in fighting terrorism from the same American surveillance programs that European institutions have been fighting for twenty years to shut down.  It’s a delightful takedown of European virtue-signaling, and I hope the Biden Administration gives the PCLOB a new name and mission in honor of the report.

But we begin the news roundup with a review of the U.S.-China tech relationship and how it might change under a Biden administration. The Justice Department has issued itself a glowing report card for its contribution to decoupling—the opening of new China-related counterintelligence case every 10 hours. I wonder how long this can go on before China starts arresting American businessmen—and kicks off another round of decoupling.

Speaking of decoupling, the latest legislation aimed at prison labor in China may be getting uncomfortably close to hitting Apple, which is quietly lobbying to water down a bill that most of us expect to pass soon by overwhelming majorities. Megan Stifel and I conclude that the provision that probably scares Apple most is an obligation to make representations about whether the company’s products include parts made with prison labor. That is increasingly difficult to figure out as China has limited audits for such purposes, putting Apple in an increasingly tight spot. Sympathy for Tim Cook is in short supply.

Speaking of legacy burnishing, the Trump White House has issued its own set of guidelines for federal agencies using artificial intelligence (AI). Nick Weaver thinks it’s actually not bad—light touch on most topics—which may be the nicest thing he’s said about a product of this White House in four years. Sticking with AI, Nick comments on the prospect for putting humans in the loop of AI decision making.  He thinks that’s a recipe for lousy AI, and that campaigns to get a “Human in the Loop” for lethal systems have already lost the technology fight. At best, we can hope to have our poky old brains “on the loop” in future AI conflicts.

More good news: There is an IOT security bill that Megan and I both like (Megan more than I) and that Congress has passed and sent to the President for signature. It only sets standards for IOT that the federal government buys, but that’s a good first step.

As a former NSAer, I explain “GCHQ envy” to David, and he provides the latest reason why it must be rampant at the Fort this year, as the agency introduces a new offensive cyber unit to take on organized crime and hostile states.

David also takes on the question whether there’s a legal problem with the U.S. military buying location data from apps companies.  Short answer: Nope.

Megan explains a now-patched Facebook Messenger bug that would have allowed hackers to listen in on users. Nick tells us why the FBI needed to hire robots to retrieve sensitive files. Megan gives us some staggering statistics about the prevalence of ransomware. Hint: if you thought COVID-19 was a pandemic, you ain’t seen nothin’ yet. I give a quick summary of the TikTok and WeChat ban litigation, where the government is unlimbering a host of new technical arguments.

I give a shoutout to Sean Joyce, whose principles led him to walk away from what is probably going to be serious money when Airbnb goes public. The company’s leadership let him argue against giving data about individual users to the Chinese government before the users actually move in.  But the debate ended when one of the execs opined, “We’re not here to promote American values.” That may not be a good look for Airbnb, but it is for Joyce, who left the company within weeks over the principle.

And, finally, it turns out that the FCC is in its last weeks of Trump legacy burnishing; facing a deadline in January 2020, it had to choose between starting to write regulations about the scope of section 230 and dealing with foreign products in the 5G infrastructure.  It chose 5G.

And more.

Download the 339th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-339.mp3
Category:general -- posted at: 8:57am EDT

Another week, another Trump administration initiative to hasten the decoupling from China. As with MIRV warheads, the theory seems to be that the next administration can’t shoot them all down.  Brian Egan lays out this week’s initiative, which lifts from obscurity a DoD list of Chinese military companies and excludes them from U.S. capital markets.

Our interview is with Frank Cilluffo and Mark Montgomery. Mark is a senior fellow at the Foundation for Defense of Democracies and senior advisor to the congressionally mandated Cyberspace Solarium Commission. Previously, he served as policy director for the Senate Armed Services Committee under Sen. John S. McCain—and before that served for 32 years in the U.S. Navy as a nuclear trained surface warfare officer, retiring as a rear admiral in 2017. Frank is director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. He also chaired the Homeland Security Advisory Council’s subcommittee on economic security. We talk about the unexpected rise of the industrial supply chain as a national security issue. Both Frank and Mark were moving forces in two separate reports highlighting the issue, as was I. So, if we seem suspiciously agreed on important issues, it’s because we are. Still, as an introduction to one of the surprise hot issues of the year, it’s not to be missed.

After our interview of a Justice Department official on how to read Schrems II narrowly, it was only a matter of time. Charles Helleputte reviews the EDPB’s effort to give more authoritative and less comfortable advice to U.S. companies that want to keep relying on the standard contractual clauses. Still, the Justice Department take on the topic manages to squeak through without a direct hit from the privacy bureaucrats.  Still, the EDPB (and the EDPS even more) makes clear that anyone following the DOJ’s lead is in for an uphill fight. For those who want more of Charles’s thinking on the topic, see this short piece.

Zoom has been allowed to settle a Federal Trade Commission (FTC) proceeding for deceptive conduct (claiming that its crypto was end to end when it wasn’t, and more). Mark MacCarthy gives us details. I rant about the FTC’s failure to ask any serious national security questions about a company that deserves some.

Brian brings us up to speed on TikTok.  Only one of the Trump administration penalties remains unenjoined. My $50 bet with Nick Weaver that CFIUS will overcome judicial skepticism that IEEPA could not is hanging by a thread. Casey Stengel makes a brief appearance to explain how TikTok might win.

Brian also reminds us that export control policymaking is even slower and less functional on the other side of the Atlantic, as Europe tries, mostly ineffectively, to adopt stricter limits on exports of surveillance tech.

Mark and I admire the new Aussie critical-infrastructure cybersecurity initiative, mostly for its clarity if not for its political appeal.

Charles explains and I decry the enthusiasm of European courts for telling Americans what they can say and read on line. Apparently, we aren’t allowed to use Facebook to call politicians “fascists”; but don’t worry about our liability.

So, in retrospect, how did we do in policing all the new cyber-ish threats to the 2020 election?  Brian gives the government credit for preventing foreign interference. I question the whole narrative of foreign interference (other than the hack and dump operation against the DNC) in 2016 and 2020, noting how conveniently it serves Democratic messaging (Hillary only lost because of the Russians! Ignore Trump’s corruption allegations because it’s more Russian interference!). Mark and I wonder what Silicon Valley thinks it’s accomplishing with its extended bans on political advertising after the election.  They’re going to find out it’s almost always election season somewhere (see, e.g., Georgia). DHS’s CISA produced a detailed rumor control site that may have corrected one too many of the President’s tweets.  Chris Krebs, familiar to Cyberlaw Podcast listeners, may be on the chopping block. That would be a shame for DHS and CISA; for Chris it’s probably a badge of honor. Frank Cilluffo and Mark Montgomery weigh in with praise for Chris as well.

And more.

Download the 338th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-338.mp3
Category:general -- posted at: 9:11am EDT

This episode’s interview with Dr. Peter Pry of the EMP Commission raises an awkward question: Is it possible that North Korea has already developed nuclear weapons that could cause the deaths of hundreds of millions of Americans by permanently frying the entire electrical infrastructure with a single high-altitude blast?  And if he doesn’t, could the sun accomplish pretty much the same thing?  The common factor in both scenarios is EMP—electro-magnetic pulse. And we explore the problem in detail, from the capabilities of adversaries to the controversy that has pitted Dr. Pry and the EMP Commission against the power industry and the Energy Department, which are decidedly more confident that the U.S. would withstand a major EMP event. And, for those disinclined to trust those sources, Dr. Pry offers a few tips on how to make it more likely that your systems will survive an EMP.

In the news, that the election turned out not to be hacked and not to be violence-plagued and not to be the subject of serious disinformation. That didn’t stop Twitter and YouTube from limiting Steve Bannon’s access to the platform when he used hyperbole (“heads on pikes”) to express his unhappiness with Dr. Fauci.

In legal tech news, Michael Weiner explains what’s at stake in the Justice Department’s antitrust lawsuit challenging Visa’s $5.3 billion acquisition of Plaid. I wonder if that means the department is out of antitrust-litigating ammo.  And it might, except you can buy a lot of ammo with $1 billion worth of Silk Road bitcoins, now being claimed by the U.S. Sultan Meghji says the real question is why it took the U.S. so long to lay claim to the coins.

Just when private companies have come up with plans to comply with California’s privacy law, the voters change everything. Well, maybe not everything. It looks, Dan Podair suggests, as though compliance with the new CPRA will mostly involve complying with the old CCPA plus a whole bunch more. I’m fascinated by the idea that the initiatives say, “Oh, and by the way, this law can’t be amended except to make it more privacy friendly.”

We bring Michael back to the conversation to brief us on the FTC’s plan to bring an antitrust case against Facebook using internal hearing procedure. Michael admits that some might call that a kangaroo court hearing; I suggest that LabMD’s Mike Dougherty be called as an expert witness.

Sultan and I note the ongoing failure of media and rights groups to toxify facial recognition; now it’s being used on “mostly peaceful” protestors. And it’s hard to argue with using face recognition when it confirms a picture ID left behind in Lafayette Square.

Next, Sultan and I take on Toxification II, the argument to make people believe that racist—as opposed to poorly trained—artificial intelligence is a thing.

Charles Helleputte analyzes the latest rumor that the EU is planning to prohibit end-to-end crypto. He notes that the EU is also pursuing more infrastructure security and wonders whether the two initiatives can be sustained together.

It turns out that other people on Zoom can, in theory and under the right conditions, guess what you’re typing.  It’s one more reason to be careful about webcams and security. I make the sort of cheap joke you’ve come to expect from me.

And more.

Download the 337th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-337.mp3
Category:general -- posted at: 10:39am EDT

Our interview this week is a deep dive into the mess created by the EU Court of Justice in Schrems II—and some pretty good ideas for how companies might avoid the mess as proposed in a U.S. Government white paper. I interview Brad Wiegmann, Senior Counselor for the National Security Division at the U.S. Department of Justice. We cover a host of arguments and new facts that may help companies navigate the wreckage of Privacy Shield and preserve the standard corporate clauses they’ve relied on for trans-Atlantic data transfers. And, yes, the phrase “hypocritical European imperialism” does cross my lips.

In the news, we can’t let election eve pass without a look at all the election security threats and countermeasures now being deployed.  I argue that the election security threat is the second coming of Y2K – a threat that is almost certainly an overhyped bogeyman, but one we can’t afford to ignore.  Jamil Jaffer and Pete Jeydel push back. Silicon Valley’s effort to ensure that no one questions the legitimacy of a Biden victory also comes in for some criticism on my end—and is defended by Nate Jones. My candidate for flakiest Silicon Valley technonostrum is banning post-election political ads. That just guarantees that speech about the election will default to the biggest “organic” voices on the internet and to the speech police at each platform.

Confused about all the TikTok and WeChat litigation? The cheat sheet guide is that the U.S. hasn’t won a single case, and it’s gone down hard in three separate opinions, the latest by U.S. District Judge Beetlestone of Philadelphia. This could be Trump Derangement at work, but the fact is that the Chinese platforms have a plausible argument that Congress prohibited IEEPA bans that indirectly regulate distribution of speech. Banning a social platform might seem to fit that exception, but the result is crazy: it implies that TikTok could replay all the Russian election interference memes from 2016, and the government would be helpless to stop it. On appeal, we may see the courts taking a broader view of the equities. Or they may be tempted to say, “Well, Congress screwed this up, let Congress unscrew it.” If Joe Biden wins the election, I can’t imagine an issue he’d most want to keep off his plate.

Nate and I try to sum up what we learned from the social media speech suppression hearing on the Hill. Nate sees no common ground emerging despite wide unhappiness with Silicon Valley’s role in regulating speech. I am more optimistic that a Congress looking to make progress could agree on first steps toward transparency in speech suppression practices on the platforms. The companies themselves seem to have decided that this is table stakes as they strive to avoid worse.

Nate gives us a quick view of the platform speech debate in Europe.  My summary: Silicon Valley is already incentivized by EU law to over-suppress; now they’re asking for immunity when they over-suppress, which means, of course, even less speech.

In quick hits, Pete talks about the ransomware threat to US health care. Nate explains the tensions between law enforcement and intelligence in Canada. And Pete tells us why fertility clinics are the latest national security concern for CFIUS.

And more!

Download the 336th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-336.mp3
Category:general -- posted at: 11:04am EDT

In this episode, I interview Rob Knake, Senior Fellow at the Council on Foreign Relations, about his recent report, “Weaponizing Digital Trade -- Creating a Digital Trade Zone to Promote Online Freedom and Cybersecurity.” The theme of the report is what the U.S. can salvage from the wreckage of the 1990s Magaziner Consensus about the democratizing and beneficent influence of Silicon Valley. I suggest that it really ought to be called “Digital Dunkirk,” rather than invoking a swaggering “weaponization” theme.  Rob and I disagree about the details but not the broad outlines of his proposal. 

In the news roundup, we finally have a Google antitrust complaint to pore over, and I bring Steptoe’s Michael Weiner on to explain what the complaint means. Bottom line: it’s a minimalist stub of a case, unlikely to frighten Google or produce structural changes in the market. Unless a new administration (or a newly incentivized Trump Justice Department) keeps adding charge after charge as the investigation goes on.

Speaking of Justice Department filings that may serve up less than meets the eye, DOJ has indicted GRU hackers for practically every bad thing that has happened on the internet in the last five years, other than the DNC hack. (In fact, I lost an unsaved Word document in 2017 that I’m hoping will be added to the charges soon.) The problem, of course, is that filing the charges is the easy part; bringing these state hackers to justice is unlikely in the extreme.  If so, one wonders whether a policy that requires an indictment for all the cyberattacks on the US and its allies is a wise use of resources. Maury Shenk thinks it might be, at least in demonstrating US attribution capabilities, which are indeed impressive.

While we are covering questionably effective U.S. retaliation for cyberattacks, Maury also notes that the Treasury Department has imposed sanctions on TsNIIKhM, a Russian institute that seems to have developed industrial control malware that caused massive outages in Saudi Arabia and may have been planted in U.S. energy systems as well. Again, no one doubts that heavy penalties should be imposed; the doubt is about whether these penalties will actually reach TsNIIKhM.

Nick Weaver celebrates the German government’s dawn raid on spyware exporter, FinFisher. Maury expresses modest hope for Facebook’s Oversight Board now that it has started reviewing content moderation cases. Color me skeptical.

Now that we’ve seen the actual complaint, Nick has his doubts about the Microsoft attack on Trickbot. It may be working, he says, but why is Microsoft doing something that the FBI could have done? I pile on, raising questions about the most recent legal theory Microsoft has rolled out in support of its proposed remedies.

Finally, in quick hits:  I hum a few bars from “John Henry” in response to a Bloomberg story suggesting that CEOs are successfully beating the AI engines parsing their analyst calls and trading on the results. Maury debunks the parts of the story that made it fun, but not before I’ve asked whether Spinal Tap was decades ahead of its time in repackaging failure. Maury also notes the ho-hum upcoming Judiciary Committee testimony of Twitter and Facebook CEOs about their suppression of the New York Post “laptop from hell” Hunter Biden story.  I’m much more interested in the Commerce Committee’s subpoenaing of contacts between the campaigns and those companies.  Because you just know the campaigns have a whole strategy for working the speech refs, and it would be an education to see how they do it.  Nick and I congratulate Edward Snowden on the confirmation that he’ll be in Russia forever. 

And more!

Download the 335th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-335.mp3
Category:general -- posted at: 3:09pm EDT

This episode features an interview with Ronald Deibert, Professor of Political Science, and Director of the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto. We talk about his new book, “Reset: Reclaiming the Internet for Civil Society.” We also talk about the unique Canadian talent for debate that is both bare-fisted and unusually polite. Ron gets to use both talents in our discussion of what’s wrong with the technology ecosystem and whether it can be improved by imposing “restraint” on governments and the private sector.

In the news roundup, I urge Twitter to bring back the Fail Whale to commemorate its whale of a fail in trying to suppress a New York Post story that is bad news for Joe Biden. It’s a disaster on all fronts, with Twitter unable to offer a satisfactory explanation for its suppression of the news report, or to hold to any particular enforcement policy for more than a day, and ended with an embarrassing insistence that the Post can’t have its account back until it deletes tweets that Twitter would probably allow the Post to post today.  

And not surprisingly, the episode is encouraging everyone to think that they can do this better than Twitter. The FCC is going to start work on an effort to add an administrative gloss to section 230. Mark MacCarthy thinks the Commission lacks authority to interpret the provision; I disagree. We do agree that Justice Thomas’s thoughts on section 230 are surprisingly detailed—and make Supreme Court review of the provision a lot more likely.

Megan Stifel tells us that the ransomware business is getting even more specialized. Together we wonder if that specialization opens the door to new, even more creative ways to take down organized cybercrime.

David Kris notes the pearl-clutching over search warrants that identify a pattern of conduct rather than an individual. He almost agrees with me that this is just what probable cause looks like in the twenty-first century.

This Week in Europe’s Tough Privacy Talk and Slow Privacy Walk: David teams with Charles Helleputte to make sense of two data protection rulings in Europe that bring a lot more thunder than lightning to the debate: First, an attack on the privacy standards, such as they are, for online advertiser  Real Time Bidding. Second, the proclamations of France’s top court and its DPA about sending data to US cloud providers.

Megan notes two stories that deepen trends we knew were coming: hackers chaining VPN and ZeroLogon bugs to attack US government networks, maybe including election agencies and Iranian state hacker group resorting to ransomware attacks.

We cover a few updates of past weeks’ stories: The fallout continues from OFAC’s ransomware advisory. (Rumors that the agency will be renamed WTF OFAC are unconfirmed). And Tik/Chat seems to be settling in for a longer court battlebefore the government’s arguments start to take hold. (As a bonus, our Cyberlaw grammarian makes a surprise appearance to announce the rule of English usage that prevents TikTok from ever being TokTik).

In quick hits, we boldly predict that the government will launch an antitrust suit against Google, some day. We speculate on why Tesla’s autopilot AI might be fooled by projected images. And note New York’s claim that Twitter is systemically important to the nation’s financial system. Which, I must admit, is a about the most 2020 thing I’ve heard in a while.

And more!

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

                                                                                                                                                           

Download the 334th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-334.mp3
Category:general -- posted at: 1:41pm EDT

In this week’s episode I interview David Ignatius about the technology in his latest spy novel, The Paladin. Actually, while we do cover such tech issues as deepfakes, hacking back, Wikileaks and internet journalism, the interview ranges more widely, from the steel industry of the 1970s, the roots of Donald Trump’s political worldview and the surprisingly important role played in the Trump-Obama-Russia investigation by one of David Ignatius’s own opinion pieces.

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

Download the 333rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-333.mp3
Category:general -- posted at: 1:59pm EDT

It’s a law-heavy tech news week, so this episode is all news. If you come for the interviews, though, do not fear.  We’ll be releasing episode 333 tomorrow, and it’s all interview, as I talk with David Ignatius about the tech issues in his latest spy novel, The Paladin.

To kick things off, Matthew Heiman returns to the podcast to analyze a new decision of the Court of Justice of the EU. The CJEU claims in the headline to put limits on government mass collection of mobile and internet data, but both Matthew and I think the footnotes take away much of the doctrine the headlines proclaim – and maybe in a way that will add another arrow to the US quiver as it tries to work around the CJEU’s foolhardy decision in Schrems II.

Sultan Meghji tells us that Trickbot has attracted the attention of both Cyber Command and Microsoft’s lawyers.  Unfortunately, even that combination isn’t proving fatal, and I wonder whether Microsoft’s creative lawyering has gone a step too far.

The Democratic-controlled House Judiciary Committee has released a blockbuster tech antitrust report. It’s hardly news that Democrats and Republicans on this most partisan of committees disagree about this issue, but Matthew and I are struck by how modest the disagreements are.  In contrast, despite our conservative leanings, Matthew and I manage to disagree pretty profoundly on how antitrust principles should apply to Big Tech.

Sultan, meanwhile, draws the short straw and has to explain the mother of all metaphor bombs that exploded in the Supreme Court when the court took oral argument in Google v. Oracle. It was a discouraging argument for those of us who admire the Justices, whose skills at finding apt metaphors completely failed them. I offer my past experience as a Supreme Court advocate to critique the argument and lay odds on the outcome. (Short version: Google has a nearly 50-50 chance of winning, and the Court has about the same chance of producing a respectable opinion.

Brian Egan joins us to talk about the Justice Department’s sober report on how law enforcement can combat terrorist and criminal use of cryptocurrency.

I claim to have caught Twitter and Facebook in a clear example of improper suppression of conservative (or at least Trumpist) speech, as they label as misleading a Trump tweet that turns out to be, well, true.

Brian and I dig into the latest litigation over banning TikChat from US markets. Short version: the Justice Department has filed a strong brief seeking to overturn WeChat’s first amendment protection from the ban. If you’re looking for raw disagreement, listen for Brian coming out of his chair when I start comparing Silicon Valley and Chinese Communist Party net censorship regimes.

Matthew explains why Sweden and Switzerland are fighting over a crypto company widely reported to have been compromised by US and German intelligence fifty years ago.

And for our sensitive male listeners, this may be the point where you turn the podcast off, as I explain the dire consequences of bad IOT security and male chastity devices.  Though, come to think of it, an angle grinder would make a pretty effective chastity device by itself.

And more!

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

Download the 332nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-332.mp3
Category:general -- posted at: 1:53pm EDT

In this episode, Jamil Jaffer, Bruce Schneier, and I mull over the Treasury announcement that really raises the stakes even higher for ransomware victim.  The message from Treasury seems to be that if the ransomware gang is the subject of OFAC sanctions, as many are, the victim needs to call Treasury and ask for a license to pay – a request that starts with a “presumption of denial.”   

Someone has been launching a series of coordinated attacks designed to disrupt Trickbot Bruce explains.

CFIUS is baring its teeth on more than one front. First comes news that a newly resourced CFIUS staff has begun retroactively scrutinizing past Chinese tech investments. This is the first widespread reconsideration of investments that escaped notice when they were first made, and it could turn ugly. Next comes evidence that the TikTok talks with CFIUS could be getting ugly themselves, as Nate Jones tells us that Treasury Secretary Mnuchin has laid down the elements the US must have if TikTok is to escape a shutdown. None of us think this ends well for TikTok, as China and the US try to prove how tough they are by asking for mutually exclusive structures.

The US government is giving US companies some free advice about how to keep sending their data to the U.S. despite the European Court of Justice decision in Schrems II: First-time participant Charles Helleputte offers a European counterpoint to my perspective, but we both agree that there’s a lot of value in the U.S. white paper. If nothing else, it offers a defensible basis for most companies to conclude that they can use the standard contractual clauses to send data to the US notwithstanding the court’s egregiously anti-American opinion. The court may not agree with the white paper, but the reasoning could buy everyone another three years and might be the basis of yet another U.S.-EU agreement.

The UK seems to be preparing to take Bruce’s advice on regulating IOT security plan, but he thinks that banning easy default passwords is just table stakes. 

Bruce and I once again review the bidding on voting by phone, and once again we agree: No. Just No. 

Nate questions the press stories (and FBI director testimony) claiming that the FBI is pivoting to a new strategy for punishing hackers by sending Cyber Command after them. He thinks it’s less a pivot and more good interagency citizenship, which I suspect is still a change of pace for the Bureau.

Bruce and I explore the possibility of attributing exploits to individuals based on their coding style. You might say that their quirks leave fingerprints for the authorities, except that at least one hapless hacker has one-upped them by leaving his actual fingerprints behind in an effort to get himself approved in a biometric authentication system. 

And in updates, we note that Microsoft has a new and unsurprising annual report on cyberattacks it has seen; the Senate will be subpoenaing the CEOs of Big Social to talk section 230 in an upcoming  hearing; and the House intel committee has a bunch of suggestions for improving the performance of the intelligence community against evolving threats from Beijing. 

And more! 

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

 

Download the 331st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-331-.mp3
Category:general -- posted at: 11:02am EDT

Our news roundup is dominated by the seemingly endless ways that the U.S. and China can find to quarrel over tech policy.  The Commerce Department’s plan to use an executive order to cut TikTok and WeChat out of the U.S. market have now been enjoined. But the $50 Nick Weaver bet me that TikTok could tie its forced sale up until January is still at risk, because the administration has a double-barreled threat to use against that company—not just the executive order but also CFIUS—and the injunction so far only applies to the first. 

I predict that President Xi is likely to veto any deal that appeals to President Trump, just to show the power of his regime to interfere with US plans. That could spell the end of TikTok, at least in the US. Meanwhile, Dave Aitel points out, a similar but even more costly fate could await much of the electronic gaming industry, where WeChat parent TenCent is a dominant player. 

And just to show that the U.S. is willing to do to U.S. tech companies what it’s doing to Chinese tech companies, leaks point to the imminent filing of at least one and perhaps two antitrust lawsuits against Google. Maury Shenk leads us through the law and policy options.

The panelists dismiss as PR hype the claim that it was a threat of “material support” liability that caused Zoom to drop support for a PFLP hijacker’s speech to American university students. Instead, it looks like garden variety content moderation aimed this time at a favorite of the far left.

Dave explains the good and the bad of the CISA order requiring agencies to quickly patch the critical Netlogon bug

Maury and I debate whether Vladimir Putin is being serious or mocking when he proposes an election hacking ceasefire and a “reset” in the cyber relationship. We conclude that there’s some serious mocking in the proposal. 

Dave and I also marvel at how Elon Musk, for all his iconoclasm, sure has managed to cozy up to both President Xi and President Trump, make a lot of money in both countries, and take surprisingly little flak for doing so.  The story that spurs this meditation is the news that Tesla is so dependent on Chinese chips for its autonomous driving engine that it’s suing the US to end the tariffs on its supply chain

 In quick hits and updates, we note a potentially big story: The Trump administration has slapped new restrictions on exports to Semiconductor Manufacturing International Corporation, China’s most advanced maker of computer chips. 

The press that lovingly detailed the allegations in the Steele dossier about President Trump’s ties to Moscow hasn’t been quite so loving in their coverage of the dossier’s astounding fall from grace. The coup de grace came last week when it was revealed that the main source for the juiciest bits was flagged by the FBI as a likely Russian foreign agent; he escaped a FISA order only because he left the country for a while in 2010. 

The FISA court has issued an opinion on what constitutes a “facility” that can be tapped with a FISA order. It rejected the advice of Cyberlaw Podcast regular David Kris in an opinion that includes all the court’s legal reasoning but remains impenetrable because the facts are all classified. Maury and I come up with a plausible explanation of what was at stake.

The Trump administration has proposed Section 230 reform legislation similar to the white paper we covered a couple of months ago. The proposal so completely occupies the reasonable middle of the content moderation debate that a Biden administration may not be able to come up with its own reforms without sounding fatally similar to President Trump. 

And in yet more China news, Maury and Dave explore the meaning of Nvidia’s bid for ARM and Maury expresses no surprise at all that WeWork is selling off a big chunk of its Chinese operations 

And more! 

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

Download the 330th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-330.mp3
Category:general -- posted at: 11:54am EDT

John Yoo, Mark MacCarthy, and I kick off episode 329 of the Cyberlaw Podcast diving deep into what I call the cyberspace equivalent of a dumpster fire. There is probably a pretty good national security case for banning TikTok. In fact, China did a lot better than the Trump administration when it declared, “You know that algorithm that tells all your kids what to watch all day? That’s actually a secret national security asset of the People’s Republic.” But the administration’s process for addressing the national security issue was unable to keep up with President Trump’s eagerness to announce some kind of deal. The haphazard and easily stereotyped process probably also contributed to the casual decision of a magistrate in San Francisco to brush aside US national security interests in the WeChat case, postponing the order on dubious first amendment grounds that John Yoo rightly takes to task.

 

Megan Stifel tells us that the bill for decoupling from China is going to be high – up to $50 billion if you listen to the Semiconductor Industry Association. 

 

Speaking of big industry embracing big government, Pete Jeydel explains IBM’s slightly jarring suggestion that the government should slap export controls on a kind of face recognition technology that Big Blue doesn’t sell any more. Actually, when you put it like that, it kind of explains itself.

Megan tells us that the House has passed a bill on the security of IOT devices. The bill, which has also moved pretty far in the Senate, is pretty modest, setting only standards for what the federal government will buy, but Megan has hopes that it will prove to be the start of a broader movement to address IOT security.

I reprise three of the latest demonstrations of just how much Silicon Valley hates conservatives and how far it will go to suppress their speech.  My favorite is Facebook deciding that a political ad that criticizes transwomen competing in women’s sports must be taken down because it lacks context. Unlike every other political ad since the beginning of time. Although Twitter’s double standard for a “manipulated media” label is pretty rich too: Turns out that splicing Trump’s remarks to make him say what the Biden camp is sure he meant is fair comment, but splicing a Biden interview so he says what the Trump camp is sure he meant is Evil Incarnate. 

Finally, Megan rounds out the week with a host of hacker news. The North Koreans are in bed with Russian cybercrime gangs.  (I can’t help wondering who wakes up with fleas.) The Iranians are stealing 2FA codes and some of them were indicted, though not apparently for the 2FA exploit.  And a long-running Chinese cybergang is indicted too.  Not that that will actually stop them, but it could be hard on their Malaysian accomplices, who are in jail, contemplating the value of government top cover.

Our interview this week is with Michael Brown, a remarkably influential defense technologist. He’s been CEO of Symantec, cowrote the report that led to passage of FIRRMA and the transformation of CFIUS, and now runs the Defense Innovation Unit in Silicon Valley. He explains what DIU does and some of the technological successes it has already made possible.

And more!

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

Download the 329th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-329.mp3
Category:general -- posted at: 10:37pm EDT

In our 328th episode of the Cyberlaw Podcast, Stewart is joined by Bruce Schneier (@schneierblog), Sultan Meghji @sultanmeghji), and Nate Jones (@n8jones81). The Belfer Center has produced a distinctly idiosyncratic report ranking the world’s cyber powers – a kind of Jane’s Fighting Nerds report. Bruce Schneier and I puzzle over its oddities, but at least the authors provided the underlying assessments to led them to rank the Netherlands No. 5, and Israel nowhere in the top ten. The US is number one, but that’s partly due to the Center’s insistence that we’re a norms superpower. In my book, that would require a 20% discount off our offensive capabilities ranking.  Don’t agree? Download the report and pick your own fight!

 

Our interview today is with Cory Doctorow, diving deep on his pamphlet/book, “How to Destroy Surveillance Capitalism.” It’s a robust and entertaining three-cornered fight – me, Cory, and the absent Shoshana Zuboff, whose 700-page tome launched the surveillance capitalism meme. You’ll enjoy hearing me explain to Cory, a Red Diaper Baby born to Trotskyists, that his solution to tech’s overreach is surprisingly similar to Attorney General Bill Barr’s.

 

Elsewhere in the news roundup, Nate Jones and I unpack the Pandora’s Box of pain unleashed by the European Court of Justice in Schrems II

 

Facebook is fighting a multilevel rearguard action – in the courts, in two capitals, and in its terms of service -- to try to salvage its current business model.

 

I cover the latest Tok in the TikTok saga.  Oracle has won … something or other. Sultan Meghji and I puzzle over how the TikTok algorithm can stay in China while the dataset it’s training on remains in the United States. 

 

The Justice Department's antitrust lawsuit against Google is getting nearer and nearer, judging from the thrashing in the underbrush. But we still don’t have a good idea what part of Google’s business will be targeted. Sultan explains the state of play. 

 

In a news flash that I liken in shock value to the report that the weather in San Diego will be sunny and fair, Microsoft has confirmed that the Chinese, Iranians, and Russians have launched cyber-attacks on Biden and Trump campaigns. For reasons unknown, the press can’t get enough of this thin gruel.

 

Bruce and Sultan chart the reasons and tactics behind the rise of ransomware and the importance of being a reliable criminal if you want to make money in extortion. 

 

Nate unpacks China’s global data security initiative so you don’t have to waste your time. The tl;dr is that other countries shouldn’t do any of the things China is doing or aspiring to do. 

 

Speaking of things you don’t have to read because we took the hit, Bruce tells us what’s in the new White House cyber-security policy for space systems. Really, it’s all “shoulds” and puts nobody in charge of enforcement. It would be kind to call it the beta version of a space cybersecurity policy.

 

Sultan argues that there may after all be a limit to the EU’s ability to get every company on the internet to enforce its speech codes, and the domain name registries hope they’re on the other side of that line. 

 

You probably saw the “op-ed” that AI “wrote,” explaining why humans need not fear it.   Bruce, Sultan, and I have plenty of fun mocking Open AI’s penchant for Open Hype.  But Bruce reminds us that sooner or later the hype will be real, and more than half of Twitter will be machines talking to other machines.  Judging from my Twitter feed, that will be an improvement. 

 

Finally,  This Week in Sore Losing: In honor of Jeff Bezos’s AWS and its brief complaining that it should have beat Microsoft to the lucrative JEDI contract, I update an old lawyer’s motto: If you’ve got the law on your side, pound the law. If you’ve got the facts, pound the facts. And if you’ve got neither, pound the Orange Man.

 

And more!

                                                   

 

Download the 328th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-328.mp3
Category:general -- posted at: 12:27pm EDT

In our 327th episode of the Cyberlaw Podcast, Stewart is joined by Nick Weaver (@ncweaver), David Kris (@DavidKris), and Dave Aitel (@daveaitel). We are back from hiatus, with a one-hour news roundup to cover the big stories of the last month.  Pride of place goes to the WeChat/Tiktok mess, which just gets messier as the deadline for action draws near. TikTok is getting all the attention but WeChat is by far the thorniest policy and technical problem. I predict delays as Commerce wrestles with them. Nick Weaver predicts that TikTok’s lawsuit will push resolution of its situation into January.  I’ve got fifty bucks that says it won’t. Lawfare wins either way.

Dave Aitel digs into the attempted Tesla hack. Second best question in the segment: Who’s the insider that enabled an attack on his employer and is still working there three years later?  Best question: How many CSO’s can say with confidence that none of their employees would take $1 million to plug a USB stick into the company network? 

This Month in Overhyped Judicial Decisions about FISA: David Kris lays out the seven-years-late Ninth Circuit decision that has been billed as striking at the FISA warrantless surveillance law. Talk about overtaken by events. The opinion grumbles about the Fourth Amendment but doesn’t actually rule (and its analysis is so partial that it isn’t even persuasive dicta). It boldly finds that the collection violated a statute that has been repealed anyway. And then it says that doesn’t matter because suppression of the evidence isn’t a remedy and the violation didn’t taint the trial.  The only really good news for the civil liberties community is that Justice can’t appeal to the Supreme Court because, well, it won.

David also takes on the other overhyped FISA decision, a lengthy FISA court review of agencies’ minimization practices with respect to Americans’ data collected under section 702. The court approved practically everything but was predictably and not improperly upset at the FBI’s inability to design social and IT systems that prevent dumb violations of the rules. 

Speaking of FISA, important national security provisions remain unsettled, in large part because of Trump’s misguided opposition. Who, David asks, could possibly persuade GOP members that there’s a FISA reform that responds to their sense of grievance over the Russian collusion investigation?  I volunteer, with lengthy testimony to the PCLOB and a shorter piece in Lawfare.

Dave Aitel asks why we’re surprised that Iranian hackers are monetizing access to networks that don’t offer national security value to their government. Or that hackers are following their targets into specialized software markets. If you know your target is a law firm, he suggests, you’d be better off looking for flaws in Relativity than in Windows…. Excuse me, I just felt someone walk over my grave.

Nick and Dave are both critical of the Justice Department’s indictment of Joe Sullivan for obstruction of justice and misprision of felony. That is beginning to look like a case Sullivan can win, and he just might take it to trial. 

Nick thinks the Justice Department is playing a long game in pretending it can seize 280 cryptocurrency accounts used by hackers. It can’t get the funds, but it sure can make it hard for the hackers to get them. 

U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021. 

And more!

Download the 327th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: 327-ill-take-hacking-tesla-for-one-million-dollars-alex.
Category:general -- posted at: 10:56am EDT

In our 326th episode of the Cyberlaw Podcast, Stewart Baker interviews Lauren Willard, who serves as Counsel to the Assistant Attorney General. Stewart is also joined Nick Weaver (@ncweaver), David Kris (@DavidKris), and Paul Rosenzweig (@RosenzweigP).

Our interview this week focuses on section 230 of the Communications Decency Act and features Lauren Willard, counsel to the Attorney General and a moving force behind the well-received Justice Department report on section 230 reform. Among the surprises: Just how strong the case is for FCC rule-making jurisdiction over section 230.

In the news, David Kris and Paul Rosenzweig talk through the fallout from Schrems II, the Court of Justice decision that may yet cut off all data flows across the Atlantic.

Paul and I speculate on the new election interference threat being raised by House Democrats. We also pause to praise the Masterpiece Theatre of intelligence reports on Russian cyber-attacks.

Nick Weaver draws our attention to a remarkable lawsuit against Apple. Actually, it’s not the lawsuit, it’s the conduct by Apple that is remarkable, and not in a good way. Apple gift cards are being used to cash out scams that defraud consumers in the US, and Apple’s position is that, gee, it sucks to be a scam victim but that’s not Apple’s problem, even though Apple is in the position to stop these scams and actually keeps 30% of the proceeds. I point out the Western Union–on better facts than that–ended up paying hundreds of millions of dollars in an FTC enforcement action–and still facing harsh criminal sanctions.

Paul and David talk us through the 2021 National Defense Authorization Act, which is shaping up to make a lot of cyber-security law, particularly law recommended by the Cyber Solarium Commission. On one of its recommendations – legislatively creating a White House cyber coordinator – we all end up lukewarm at best.

David analyzes the latest criminal indictment of Chinese hackers, and I try to popularize the concept of crony cyberespionage.

Paul does a post-mortem on the Twitter hack. And speaking only for myself, I can’t wait for Twitter to start charging for subscriptions to the service, for reasons you can probably guess.

David digs into the story that gives this episode its title – an academic study claiming that face recognition systems can be subverted by poisoning the training data with undetectable bits of cloaking data that wreck the AI model behind the system. How long, I wonder, before Facebook and Instagram start a “poisoned for your protection” service on their platforms?

In quick takes, I ask Nick to comment on the claim that US researchers will soon be building an “unhackable” quantum Internet. Remarkably his response is both pithy and printable.

And more!

Direct download: TheCyberlawPodcast-326.mp3
Category:general -- posted at: 12:01pm EDT

The big news of the week was the breathtakingly arrogant decision of the European Court of Justice, announcing that it would set the rules for how governments could use personal data in fighting crime and terrorism.

Even more gobsmacking, the court decided to impose those rules on every government on the planet – except the members of the European Union, which are beyond its reach. Oh, and along the way the court blew up the Privacy Shield, exposing every transatlantic business to massive liability, and put the EU on a collision course with China over China’s most sensitive domestic security operations. This won’t end well. Paul Hughes helps me make sense of the decision.

In the interview, I talk to Darrell West, co-author of Turning Point—Policymaking in the Era of Artificial Intelligence. We mostly agree on where AI is already making a difference, where it’s still hype, and how it will transform war. Where we disagree is over the policy prescriptions for avoiding the worst outcomes. I disagree with the relentless focus of the book (and every other book in recent years) on the questionable claim of AI bias, and Darrell and I have a spirited disagreement over my claim that his prescription will hide numerical racial and gender quotas in every aspect of life that AI touches.

Iranian cyberspies make pretty good training videos, Sultan Meghji tells us, but they’re not taking any bows after leaving the videos exposed online.

If you thought Twitter’s content resembled middle school, wait until you see their security measures in action. Nate Jones has the details, but my takeaway is that middle school science projects are usually handled a lot more responsibly than Twitter’s “god mode” dashboard.

BIPA, the Illinois biometric privacy act, has inspired lawsuits against users of a database assembled to reduce AI bias. Mark MacCarthy explains that the law prohibits the use of biometrics (like pictures of your face) without consent. I observe that this makes BIPA the COVID-19 of privacy law.  Anyone who touches this database will be infected with liability, at least if the plaintiff’s surprisingly plausible theory holds up.

Sultan reminds us that the PRC has now been caught twice requiring companies in China to use tax software with built-in malware. You know what they say: “Once is happenstance. Twice is coincidence. Three times is enemy action.”  I don’t think we’ll need to wait long to see number three.

Nate gives us a former government lawyer’s take on the CIA’s new authority to conduct cyber covert action. (YahooLawfare) Ordinarily he’d be skeptical of keeping those decisions away from the White House, but in this case, he’ll make an exception. My take: If unshackling the CIA has produced the APT34 and FSB hacks and data dumps, what’s not to like?

In short hits, I mock the Justice Department spokesperson who claimed that Ghislaine Maxwell was engaged in “a misguided effort to evade detection” when she wrapped her cellphone in tin foil. And Mark and I cross swords over Reddit’s capture by the Intolerant Left. You make the call: When Reddit declares that exposing fake hate crimes as hoaxes is a form of hate speech, is that anecdotal evidence of left-wing bias or stone-cold proof of epistemic closure?

Download the 325th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunesGoogle PlaySpotifyPocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-325.mp3
Category:general -- posted at: 2:06pm EDT

Our interview is with Bruce Schneier, who has co-authored a paper about how to push security back up the Internet-of-things supply chain: The reverse cascade: Enforcing security on the global IoT supply chain.  His solution is hard on IOT affordability and hard on big retailers and other middlemen, who will face new liabilities, but we conclude that it’s doable. In fact, the real question is who’ll get there first, a combination of DHS’s CISA and the FTC or the California Secretary of State.

In the News Roundup Megan Stifel (@MeganStifel), Nate Jones (@n8jones81), and David Kris (@DavidKris) and I discuss how it must feel to TikTok as though the shot clock is winding down.  Administration initiatives that could hurt or kill its US business are proliferating.  Nate Jones, Megan Stifel, and I explore the government’s options. The most surprising, and devastating, of them is a simple ban on TikTok as a threat to national security or the security of Americans. That’s the standard under Executive Order 13873, a brand-new (the regs aren’t yet final) implementation of the well-tested tools under IEEPA. A straightforward application of IEEPA remedies would cut TikTok off from the US market, I argue.

Meanwhile, another little-advertised but equally sweeping rule for government contractors is on its way to implementation. It will deny federal contracts, not just to certain Chinese products but to contractors who themselves use those products.

Not to be outdone by the contracting officers, the Federal Trade Commission and Justice Department are attacking TikTok from a different direction — investigating claims that the company failed to live up to last year’s consent decree on the privacy of children using the app. 

And, on top of everything, private sector CISOs are drawing a bead on the app, as Wells Fargo and (briefly) Amazon tell their employees to take the app off their work phones

It’s no surprise in the face of these developments that TikTok is working overtime to decouple itself in the public’s mind from China, including going so far as to join the rest of Silicon Valley in signaling discomfort with Hong Kong’s new security rules (and ruler). Megan and I question whether this strategy will succeed.

If Chief Justice Roberts were running for office, he couldn’t have produced a better result than the Court’s latest tech decision – upholding most of a law that makes robocalls illegal while striking down the one part of the law that authorizes robocalls.  David Kris explains.

Nate unpacks a new Florida DBA privacy law prohibiting life, disability and long-term care insurance companies from using genetic tests for coverage purposes. I express skepticism.

Nate also explains the mysteriously quiet launch of the UK-US Bilateral Data Access Agreement. Four years in the making, and neither side wanted to announce that it was in effect – what’s with that, I wonder? 

FBI Director Wray gives a compelling speech on the counterintelligence and economic espionage threat from China. 

He says the bureau opens a new such case every ten hours.  And right on schedule come charges against a professor charged with taking $4M in US grant money to conduct research — for China.

David and I puzzle over the surprisingly lenient sentence handed to a former Yahoo engineer for hacking the personal accounts of more than 6,000 Yahoo Mail users to search and collect sexually explicit images and videos. 

Direct download: TheCyberlawPodcast-324.mp3
Category:general -- posted at: 9:24pm EDT

In the News Roundup, Dave Aitel (@daveaitel), Mark MacCarthy (@Mark_MacCarthy), and Nick Weaver (@ncweaver) and I discuss how French and Dutch investigators pulled off the coup of the year this April, when they totally pwned a shady “secure phone” system used by massive numbers of European criminals. Nick Weaver explains that hacking the phones of Entrochat users gave them access to large troves of remarkably candid criminal text conversations. And, I argue, it shows the flaw in the argument of encryption defenders. They are right that restricting Silicon Valley encryption will send criminals to less savory companies, but those companies are inherently more prone to compromise, as happened here.

The EARN IT Act went from Washington-controversial to Washington consensus in the usual way.  It was amended into mush. Indeed, there’s an argument that, by guaranteeing nothing bad will happen to social platforms who adopt end-to-end encryption, the Leahy amendment has actually made e2e crypto more attractive than it is today. That’s my view, but Mark MacCarthy still thinks the twitching corpse of EARN IT might cause harm by allowing states to adopt stricter rules for liability in the context of child sex abuse material. He also thinks that it won’t pass.  I have ten bucks that says it will, and by the end of the year.    

Dave Aitel, new to the news roundup, discusses the bad week TikTok had in its second biggest market.  India has banned the app. And judging from some of the teardowns of the code, its days may be numbered elsewhere as well.   Dave points to reports that Angry Birds was used to collect user information as well when it was at the height of its popularity. We wax philosophic about why advertising and not national security agencies are breaking new ground in building our Brave New World.

Mark once worked for a credit card association, so he’s the perfect person to comment on claims that being labeled a “hate speech” platform won’t just get you boycotted in Silicon Valley but by the credit card associations as well. And once we’re in this vein, we mine it, covering Silicon Valley’s concerted campaign to make sure Donald Trump can’t repeat 2016 in 2020. He’s been deplatformed at Twitch this week for something he said in 2016.  And Reddit dumped his enormous subreddit for failure to observe its censorship rules – which I point out are designed to censor only the majority. I argue it’s time to go after the speech police.  

Nick takes us to a remarkable Washington story. He thinks it’s about a questionable Trump administration effort to redirect $10 million in “freedom tool” funding from cryptolibertarians to Falun Gong coders. I point out that US government funds going to the cryptolibertarians were paying the salary of the notorious Jake Applebaum and buying tools like TAILS that have protected appalling sextortionist criminals. Really, the money would be better spent if we burned it on cold days.

Returning to This Week in Hacked Phones, Nick explains the latest man in the middle attack that requires the phone user to do nothing but visit a website. Any website.  Dave sets out the strikingly sophisticated and massive international surveillance system now aimed by China at Uighers all around the world.  And Nick warns of two bugs that, if you haven’t spent the weekend fixing, may already be exploited on your network.                       

Download the 323rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-323.mp3
Category:general -- posted at: 10:14pm EDT

For the first time in twenty years, the Justice Department is finally free to campaign for the encryption access bill it has always wanted.  Sens. Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.), and Marsha Blackburn (R-Tenn.) introduced the Lawful Access To Encrypted Data Act. (Ars Technica, Press Release) As Nick Weaver points out in the news roundup, this bill is not a compromise. It’s exactly what the Justice Department wants – a mandate that every significant service provider or electronic device maker build in the ability to decrypt any data it has encrypted when served with a lawful warrant.

In our interview, Under Secretary Chris Krebs, head of the Cybersecurity and Infrastructure Security Agency, drops in for a chat on election security, cyber espionage aimed at coronavirus researchers, why CISA needs new administrative subpoena authority, the value of secure DNS, and how cybersecurity has changed in the three years since he took his job.

Germany’s highest court has ruled that the German competition authority can force Facebook to obtain user consent for internal data sharing, to prevent abuse of a dominant position in the social networking market. Maury Shenk and I are dubious about the use of competition law for privacy enforcement. Those doubts could also send the ruling to a still higher forum – the European Court of Justice.

You might think that NotPetya is three years in the rear-view mirror, but the idea of spreading malware via tax software, pioneered by the GRU with NotPetya, seems to have inspired a copycat in China. Maury reports that a Chinese bank is requiring foreign firms to install a tax app that, it turns out, has a covert backdoor. (Ars Technica, Report, NBC)

The Assange prosecution is looking less like a first amendment case and more like a garden variety hacking conspiracy thanks to the government’s amended indictment. (DOJ, Washington Post) And, as usual, the more information we have about Assange, the worse he looks.

Jim Carafano, new to the podcast, argues that face recognition is coming no matter how hard the press and NGOs work to demonize it. And working hard they are. The ACLU has filed a complaint against the Detroit police, faulting them for arresting the wrong man based on a faulty match provided by facial recognition software. (Ars Technica, Complaint)

The Facebook advertiser moral panic is gaining adherents, including Unilever and Verizon, but Nick and I wonder if the reason is politics or a collapse in ad budgets. Whatever the cause, it’s apparently led Mark Zuckerberg to promise more enforcement of Facebook’s policies.

In short hits, the U.S. Department of Homeland Security sent a letter to chief executives of five large tech companies asking them to ensure social media platforms are not used to incite violence. Twitter has permanently suspended the account of leak publisher DDoSecrets. (Ars Technica, Cyber Scoop). Rep. Devin Nunes (R-Calif.) was told what he must have known when he filed his case: he cannot sue Twitter for defamation over tweets posted by a parody account posing as his cow. (Ars Technica, Ruling) Nick explains why it’s good news all around as Comcast partners with Mozilla to deploy encrypted DNS lookups on the Firefox browser. And Burkov gets a nine-year sentence for his hacking.

Download the 322nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-322.mp3
Category:general -- posted at: 11:50am EDT

This is the week when the movement to reform Section 230 of the Communications Decency Act got serious. The Justice Department released a substantive report suggesting multiple reforms. I was positive about many of them (my views here). Meanwhile, Sen. Josh Hawley (R-MO) has proposed a somewhat similar set of changes in his bill, introduced this week. Nate Jones and I dig into the provisions, and both of us expect interest from Democrats as well as Republicans. 

The National Security Agency has launched a pilot program to provide secure domain name system (DNS) resolver services for US defense contractors. If that’s such a good idea, I ask, why doesn’t everybody do it, and Nick Weaver tells us they can. Phil Reitinger’s Global Cyberalliance offers Quad9 for this purpose. 

Gus Hurwitz brings us up to date on a host of European cyberlaw developments, from terror takedowns (Reuters, Tech Crunch) to competition law to the rise of a disturbingly unaccountable and self-confident judiciary. Microsoft’s Brad Smith, meanwhile, wins the prize for best marriage of business self-interest and Zeitgeist in the twenty-first century.

Hackers used LinkedIn’s private messaging feature to send documents containing malicious code which defense contractor employees were tricked into opening. Nick points out just what a boon LinkedIn is for cyberespionage (including his own), and I caution listeners not to display their tattoos on LinkedIn.

Speaking of fools who kind of have it coming, Nick tells the story of the now former eBay executives who have been charged with sustained and imaginatively-over-the-top harassment of the owners of a newsletter that had not been deferential to eBay. (Wired, DOJ)

It’s hard to like the defendants in that case, I argue, but the law they’ve been charged under is remarkably sweeping. Apparently it’s a felony to intentionally use the internet to cause substantial emotional distress. Who knew? Most of us who use Twitter thought that was its main purpose. I also discover that special protections under the law are extended not only to prevent internet threats and harassment of service animals but also horses of any kind. Other livestock are apparently left unprotected. PETA, call your office.

Child abusers cheered when Zoom buckled to criticism of its limits on end-to-end encryption, but Nick insists that the new policy offers safeguards for policing misuse of the platform. (Ars Technica, Zoom)

I take a minute to roast Republicans in Congress who have announced that no FISA reauthorization will be adopted until John Durham’s investigation of FISA abuses is done, which makes sense until you realize that the FISA provisions up for reauthorization have nothing to do with the abuses Durham is investigating. So we’re giving international terrorists a break from scrutiny simply because the President can’t keep the difference straight.

Nate notes that a story previewed in April has now been confirmed: Team Telecom is recommending the blocking of a Hong Kong-US undersea cable over national security concerns.

Gus reminds us that a bitter trade fight between the US and Europe over taxes on Silicon Valley services is coming. (Politico, Ars Technica)

Nick and I mourn the complete meltdown of mobile phone contact tracing. I argue that from here on out, some portion of coronavirus deaths should be classified as mechanogenic (caused by engineering malpractice). Nick proposes instead a naming convention built around the Therac-25

And we close with a quick look at the latest data dump from Distributed Denial of Secrets. Nick thinks it’s strikingly contemporaneous but also surprisingly unscandalizing.

Download the 321st Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-321.mp3
Category:general -- posted at: 3:58pm EDT

Our interview this week is with Chris Bing, a cybersecurity reporter with Reuters, and John Scott-Railton, Senior Researcher at Citizen Lab and PhD student at UCLA. John coauthored Citizen Lab’s report last week on BellTroX and Indian hackers for hire, and Chris reported for Reuters on the same organization’s activities – and criminal exposure – in the United States. The most remarkable aspect of the story is how thoroughly normalized hacking legal and lobbying opponents seems to have become, at least in parts of the US legal and investigative ecosystem. I suggest that instead of a long extradition battle, the US give the head of BellTroX a ticket to the US and a guaranteed income for the next few years as a witness against his customers. 

 

In the news roundup, Nick Weaver tells the remarkable story of how Facebook funded an exploit aimed at taking down a particularly vile online abuser of young girls who was nearly invulnerable because he was using TAILS, the secure, thumb drive-based communication system (Vice, Gizmodo). This is a great story because it really doesn’t fit into any of the stilted narratives into which most internet security stories are usually jammed.

 

Nick also notes Big Tech’s pledge to do more to stop child abuse online. I suggest that only Dr. Evil would be impressed by the amounts of money being invested in the campaign.

 

Well, another week, another Zoom bomb.  Now the company is taking heat because it terminated several Tiananmen Square commemorative Zoom sessions after China complained (NYT, Zoom). David Kris and I don’t think Zoom had much choice about cutting off the Chinese customers.  Terminating the US account holder who organized a session, however, was a bad move – and one that’s since been corrected by the company. 

 

Nate Jones and I square off again for Round 545 on content moderation, spurred this time by reports that Sen. Josh Hawley is drafting legislation inspired by the Trump Administration’s Section 230 EO. Meanwhile several Republican senators are pushing the FCC to act on the order. Nate and I find rare bipartisan common ground on the idea that Congress should require social media companies to take down foreign government online messaging – and maybe work with the US government to stop it at the source.

 

David reports on a fairly (and deservedly) obscure EU cloud independence project. It seems to have been embraced by Microsoft, which I accuse of going full AT&T – embracing government regulation as a competitive differentiator. As if to prove my point, Microsoft announces that it’s getting out of the business of doing facial recognition for the police – until it can persuade Congress to regulate its competitors.  

Why are spies targeting vaccine research? Nate highlights the excellent Risky Biz newsletter analysis of what drives COVID-19 cyberespionage. 

Nick flags the potential significance of ARM wrestling, as the UK chip designer ARM fights its JV partner for control of its Chinese joint venture. Nick also assigns a “moderate” threat label to the latest Universal Plug n Pwn exploit. It’s only moderate because there are so many pwned IOT devices already in a position to DDOS targets of opportunity.

 

In quick hits, I note that Israel has halted its controversial use of intelligence capabilities to monitor the spread of the coronavirus, but the government reserves the right to revive monitoring if a second wave shows up (JPost, Yahoo). Poor Brewster Kahle is looking like an internet hippie who fell asleep at Woodstock and woke up at Altamont. The Internet Archive is ending its program of offering free, unrestricted copies of e-books, but the publishers who sued over that program may decide to keep suing until they’ve broken his entire “digital library” model, and maybe the Internet Archive as well (NYT, Ars Technica). That would be a shame. Finally, you can have a thousand talents, but honesty may not be one of them. Charles Lieber, the Harvard University professor arrested for lying about his lucrative China contracts, has now been indicted on false statement charges. 

Download the 320th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-320.mp3
Category:general -- posted at: 10:03pm EDT

Our interview with Ben Buchanan begins with his report on how artificial intelligence may influence national and cybersecurity. Ben’s quick takes: better for defense than offense, and probably even better for propaganda. The best part, in my view, is Ben’s explanation of how to poison the AI that’s trying to hack you—and the scary possibility that China is already poisoning Silicon Valley’s AI.

By popular request, we’ve revisited a story we skipped last week to do a pretty deep dive on the decision (for now) that Capital One can’t claim attorney-client work product privilege in a Mandiant intrusion response report prepared after its breach. Steptoe litigator Charles Michael and I talk about how IR firms and CISOs should respond to the decision, assuming it stands up on appeal.

Maury Shenk notes the latest of about a hundred warnings, this time from Christopher Krebs, the director of DHS’s cybersecurity agency and the head of Britain’s GCHQ, that China’s intelligence service—and every other intelligence service on the planet—seem to be targeting COVID-19 research.

Maury takes us through the week in internet copyright fights. Ideological copyright enforcement meets the world’s dumbest takedown bots as Twitter removes a Trump campaign video tribute to George Floyd due to a copyright claim. The video is still available on Trump’s YouTube channel.

We puzzle over Instagram’s failure to provide a license to users of its embedding API. The announcement could come as an unwelcome surprise to users who believed that embedding images, rather than hosting them directly, provides insulation against copyright claims.

Finally, much as I love Brewster Kahle, I’m afraid that Kahle’s latest move marks his transition from internet hippie to “holy fool”—and maybe a broke one. His Internet Archive, the online library best known for maintaining the Internet Wayback Machine makes scanned copies of books available to the public on terms that resemble a library’s. The setup was arguably legal—and no one was suing—until Kahle decided to let people download more books than his company had paid for. Now he faces an ugly copyright lawsuit.

Speaking of ugly lawsuits, Mark MacCarthy and Paul Rosenzweig comment on the Center for Democracy and Technology’s complaint that Trump violated tech companies’ right to free speech with his executive order on section 230. (Reuters, NYT) I question whether this lawsuit will get far.

This Week in Working the Ref: Facebook and Mark Zuckerberg are facing criticism from users, competitors, civil rights organizations for failing to censor the people those groups hate. (Ars Technica, Politico). Meanwhile, Snap scores points by ending promotion of Trump’s account after concluding his tweets incited violence.

Where is Nate Jones when you need him? He would love this story: A Twitter user sacrificed a Twitter account to show that Trump is treated differently than others by the platform. Of course, the panel notes, that’s pretty much what Twitter says it does.

In quick hits, I serve notice that no one should be surprised if Justice brings an adtech antitrust suit against Google. The Israeli government announces an attack on its infrastructure so late that the press has already identified and attributed its retaliatory cyberattack on Iran’s ports. And somebody pretty good—probably not the Russians, I argue—is targeting industrial firms.

Download the 319th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-319.mp3
Category:general -- posted at: 3:50pm EDT

This episode features an in-depth (and occasionally contentious) interview with Bart Gellman about his new book, Dark Mirror: Edward Snowden and the American Surveillance State, which can be found on his website and on Amazon. I’m tagged in the book as having been sharply critical of Gellman’s Snowden stories, and I live up to the billing in this interview. He responds to my critique in good part. Gellman offers detailed insights into Edward Snowden’s motives and relationships to foreign governments, as well as how journalism – and journalistic lawyering – is done in the Big Leagues.

Our news roundup focuses heavily on the Trump Administration’s executive order on section 230 of the Communications Decency Act (Wall Street Journal Washington Post). I end up debating all three of my co-panelists – Nate Jones, Nick Weaver, and Evelyn Douek, rejoining us on a particularly good day, given her expertise. We agree to disagree on whether Silicon Valley applies its rules in a fashion that discriminates against conservatives. More interesting is the rough consensus that Silicon Valley’s heavy influence over our speech is worth worrying about and that transparency is one of the better ways to discipline that influence. No one but me is willing to consider the possibility that the executive order represents a good step toward transparency. 

Nate and I find much room to agree, though, on the tragicomedy emerging from the reauthorization of three relatively straightforward FISA provisions. Stay tuned for a House-Senate conference, plus heavy lobbying of the President. 

Nick explains NSA’s outing of Russian military hackers targeting mail relay software (CyberScoop NSA). 

Nate and I cover the latest in US-China decoupling – the FCC and Justice Department enthusiasm for kicking Chinese telecom firms out of the country and, in a possible new front, heavy scrutiny being given to Chinese-built transformers

Evelyn tells us that, as a visa holder, she’s definitely hoping that the courts overturn US rules forcing visa applicants to disclose their social media handles. I predict that her hopes will be dashed.

Finally, Nick explains who needs a “quantum holographic catalyzer” to protect against 5G telecom emissions.  Quick answer: No one.  It’s a fake cure for fake malady

Download the 318th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-318.mp3
Category:general -- posted at: 10:51am EDT

Our interview is with Mara Hvistendahl, an investigative journalist at The Intercept and author of a new book, The Scientist and the Spy: A True Story of China, the FBI, and Industrial Espionage, as well as a deep WIRED article on the least known Chinese AI champion, iFlytek. Mara’s book raises questions about the expense and motivations of the FBI’s pursuit of commercial spying from China. 

In the News Roundup, Gus Hurwitz, Nick Weaver, and I wrestle with whether Apple’s lawsuit against Corellium is really aimed at the FBI. The answer looks to be affirmative since an Apple victory would make it harder for contractors to find hackable flaws in the iPhone.

Germany’s top court ruled that German intelligence can no longer freely spy on foreigners – or share intelligence with other western countries. The court seems to be trying to leave the door open to something that looks like intelligence collection, but the hurdles are many. Which reminds me that I somehow missed the 100th anniversary of the Weimar Republic.

There’s Trouble Right Here in Takedown City. Gus lays out all the screwy and maybe even dangerous takedown decisions that came to light last week. YouTube censored epidemiologist Knut Wittkowski for opposing lockdown. It suspended and then reinstated a popular Android podcast app for the crime of cataloging COVID-19 content. We learned that anyone can engage in a self-help right to be forgotten with a bit of backdating and a plagiarism claim. Classical musicians are taking it on the chin in their battle with aggressive copyright enforcement bots and a sluggish Silicon Valley response.

In that climate, who can blame the Supreme Court for ducking cases asking for a ruling on the scope of Section 230? They’ve dodged one already, and we predict the same outcome in the next one. 

Finally, Gus unpacks the recent report on the DMCA from the Copyright Lobbying Office – er, the Copyright Office.

With relief, we turn to Matthew Heiman for more cyber and less law. It sure looks like Israel launched a disruptive cyberattack on Iranian port facility. It was probably a response to Iranian cybe-rmeddling with Israeli water systems.

Nick covers Bizarro-world cybersecurity: It turns out malware authors now can hire their own black-market security pentesters

I ask about open-source security and am met with derisive laughter, which certainly seems fair after flaws were found in dozens of applications

I also cover new developments in AI. And the news from AI speech imitation is that Presidents Trump and Obama have fake-endorsed Lyrebird. 

Gus reminds us that most of privacy law is about unintended consequences, like telling Grandma she’s violating GDPR by posting her grandchildren's photos without their parents' consent.

Beerint at last makes its appearance, as it turns out that military and intelligence personnel can be tracked with a beer enthusiast app. 

Finally, in the wake of Joe Rogan’s deal with Spotify, I offer assurances that the Cyberlaw Podcast is not going to sell out for $100 million. 

Download the 317th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-317.mp3
Category:general -- posted at: 11:18am EDT

Peter Singer continues his excursion into what he calls “useful fiction” – thrillers that explore real-world implications of emerging technologies – with Burn-In: A Novel of the Real Robotic Revolution, to be released May 26, 2020. This interview explores a thoroughly researched (and footnoted!) host of new technologies, many already in production or on the horizon, all packed inside a plot-driven novel. The book is a painless way to understand what these technologies make possible and their impact on actual human beings. And the interview ranges widely over the policy implications, plus a few plot spoilers.

In the News Roundup, David Kris covers the latest Congressional FISA Follies, leading me into a rant on the utter irresponsibility of subjecting national security authorities to regular expiration – and regular ransom demands from the least responsible elements of Congress. Speaking of FISA, it turns out that the December Pensacola shootings were hatched by al-Qaeda’s Yemen franchise. Why are we only learning this in May? Because the evidence comes from an iPhone whose security Apple refused to find a way around. The FBI’s self-help solution worked in the end, but not until the trail had gone cold. 

Decoupling is in overdrive this week. Nick Weaver talks about the move by the Trump Administration to achieve semiconductor self-sufficiency – and the not-coincidental announcements that TSMC will build a chip factory in Arizona and that the Commerce Department has drafted a new export rule aimed at making it much harder for TSMC to build chips for Huawei. In response, China is preparing a list of unreliable US suppliers of technology. I wonder whether putting companies on the list for diversifying their supply chain out of China will have the long-term effect of making companies more reluctant to open new supply relationships with Chinese companies.

David and I note that recent U.S. accusations of Chinese and Iranian cyber intrusions on COVID-19 research may be more than just the usual imprecations. 

And Nick explains why so many US professors are going to jail for undisclosed China ties. The key word is “undisclosed.”

Mark MacCarthy previews France’s (and Germany’s and the EU’s and the UK’s) increasingly tough sanctions for US social media firms that fail to remove "hate speech" and other bad content within 24 hours (or sometimes one hour). More and more, it seems, Section 230 immunity is just a local U.S. ordinance.

Mark and Nick review the latest trial balloon from Europe’s technocrats: How about a Chinese firewall for Europe?  Some apparently respectable policy thinkers working for the European Parliament seem interested in such an idea. 

David and Nick find themselves agreeing with the latest release from DHS’s CISA pouring cold water on online voting

In quick hits, David notes the Trump administration’s now routine extension of the "telecom national security" Executive Order, Nick brings us This Week in NSO Bashing, I touch on a ransomware and doxing threat that has tripped up a celebrity law firm, and Nick and I muse on why cell phone contact tracing seems about to jump the shark.

We close with a surprising catfishing story.

Download the 316th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-316.mp3
Category:general -- posted at: 11:07am EDT

J.P. Morgan once responded to President Teddy Roosevelt’s charge that he’d violated federal antitrust law by saying, “If we have done anything wrong, send your man to see my man, and we’ll fix it up.” That used to be the gold standard for monopolist arrogance in dealing with government, but Google and Apple have put J.P. Morgan in the shade with their latest instruction to the governments of the world: You can’t use our app to trace COVID-19 infections unless you promise not to use it for quarantine or law enforcement purposes. They are only able to do this because the two companies have more or less 99 percent of the phone OS market. That’s more control than Morgan had of U.S. railways, and their dominance apparently allows them to say, “If you think we’ve done something wrong, don’t bother to send your man; ours is too busy to meet.” Nate Jones and I discuss the question of Silicon Valley overreach in this episode. (In that vein, I apologize unreservedly to John D. Rockefeller, to whom I mistakenly attributed the quote.) The sad result is that a promising technological adjunct to contact tracing has been delayed and muddled by ideological engineers to the point where it isn’t likely to be deployed and used in a timely way.

Another lesson we draw in today’s episode is for authoritarian governments: Worry less about Cyber Command and more about NGOs. Citizen Lab has released a great paper making the case that WeChat monitors its users outside China, not to suppress their speech but to flag documents and images for later suppression inside China. Ironically, Matthew Heiman notes, Western users of WeChat who circulate human rights material are giving China’s censors the ability to hash and block that material as soon as it crosses the Great Firewall.

Meanwhile, Nate points out, Bellingcat has done for Russia’s GRU what Citizen Lab did for China. Perhaps inspired by Germany’s indictment of Dmitry Badin for hacking the Bundestag, Bellingcat doxes him to a fare-thee-well, finding his phone number, car registration, GRU office address and preposterously bad password.

David Kris explains the intersection of export control law and the Law of Unintended Consequences, as the U.S. Commerce Department finds that its efforts to isolate Huawei may be excluding U.S. firms from some standards bodies.

Anthony Anscombe joins us from Steptoe’s class action practice to unpack the recent Seventh Circuit decision on Article III standing and Illinois’s Biometric Information Privacy Act.

Israel’s passive-aggressive Supreme Court, meanwhile, has found a second way to say, “Meh,” to the Israeli government’s use of intelligence tools to do contact tracing.

Matthew lays out what’s at stake as the Senate tries again to pass its FISA bill. That may happen as early as today.

In short hits, everybody’s government hackers are adding COVID-19 to their targets, going after everyone from the WHO to coronavirus researchers. I make an effort to explain why Apple has brought a DMCA copyright lawsuit against Corellium. It’s all about the “chilling effect” on security research. And maybe one particular Five Eyes researcher. I make the case for Justice Department intervention on Corellium’s behalf—or at least Azimuth’s. Banjo’s CEO steps down. And where is Jean-Paul Sartre when you need him? He’s the only one who can resolve the odd dispute over “authenticity” between Twitter and the U.S. State Department.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

Direct download: TheCyberlawPodcast-315.mp3
Category:general -- posted at: 4:47pm EDT

We begin with a new US measure to secure its supply chain for a critical infrastructure – the bulk power grid. David Kris unpacks a new Executive Order restricting purchases of foreign equipment for the grid.

Nick Weaver, meanwhile, explains the remarkable extent of surveillance built into Xiaomi phones and questions the company’s claim that it was merely acquiring pseudonymous ad-related data like others in the industry.

It wouldn’t be the Cyberlaw Podcast if we didn’t wrangle over mobile phones and the coronavirus. Mark MacCarthy says that several countries – Australia, the UK, and perhaps France – are deviating from the Gapple model for using phones for infection tracing. Several have bought in. India, meanwhile, is planning a much more government-driven approach to using phone apps to combat the pandemic.

Mark ventures into even more contested territory in response to an article in The Atlantic by Jack Goldsmith and Andrew Woods, who argue that China has won the debate with John Perry Barlow over whether the Internet will be a force for free speech. Mark and I more or less agree, which sends me off on a rant about the growing self-confidence and ham-handedness of Big Tech as they get comfortable in their role as Guardians of What You Can’t Say on the Internet. Things you can’t say include plausible arguments about the still highly unsettled question of how best to deal with COVID-19 and descriptions of treatment options that have been entertained by President Trump without establishment approval, not to mention “unverified” statements (not, notably, false ones) that could cause social unrest. Just reading such things, it turns out, will lead at least Facebook to track you down and tell you that it noticed and wants to correct your flirtation with thoughtcrime – a practice that earned it praise from Rep. Adam Schiff.

Nick and I note the difficulty Facebook is having getting out of FOSTA cases in Texas, and I ask why FOSTA hasn’t already spelled doom for end-to-end encryption since it basically does what the EARN IT Act does, and all right-thinking Americans have been told that EARN IT is The End of End-to-End Encryption.

David explains why Amazon is facing tough new scrutiny from both parties: A Wall Street Journal article that questioned the accuracy of Amazon testimony before Congress has turned into claims of perjury, a demand that Jeff Bezos testify, and suggestions that the administration open a criminal antitrust probe.

“You can’t decouple from me! I’m decoupling from you!” That’s the sentiment from China anyway as they push forward with their own remarkably familiar supply chain security regulations. David explains that while the rules are similar to those in the United States, they’re tougher and more likely to be implemented in a slow, inexorable way.

Download the 314th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Direct download: TheCyberlawPodcast-314.mp3
Category:general -- posted at: 6:43pm EDT

In today’s interview, I spar with Harriet Moynihan over the application of international law to cyberattacks, a topic on which she has written with clarity and in detail. We disagree politely but profoundly. I make the case that international law is distinct from what works in cyberspace and is inconsistent with either clarity or effectiveness in deterring cyberattacks. Harriet argues that international law has been a central principle of the post-1945 international system and one that has helped to keep a kind of peace among nations. It’s a good exchange.

In the News Roundup, David Kris and I discuss the state of Team Telecom, which is taking unwonted (but probably welcome) fire for not being tough enough on state-owned Chinese telecom firms. Predictably, Team Telecom is going with the flow and reportedly seeking to knock four such firms out of the US market.

Maury Shenk reports that Vietnam is suspected of hacking Chinese health authorities. In response to the accusations, the Vietnamese released what looks to me like a word-for-word clone of Chinese cyber espionage boilerplate denials.

Gapple’s design for a COVID-19 tracing app isn’t the best way to track infections, I claim, but it’s all that Google and Apple are willing to let governments do because of their exquisitely refined and self-evidently superior sense of privacy. Nick Weaver disagrees, arguing that the Gapple system preserves privacy and allows health authorities all the information that they really need. Governments are mostly falling in line, either because they buy Nick’s argument or because they have decided that their Silicon Valley overlords have the ability to wreck any more centralized system. France is still fighting for its vision of contact tracing. But Australia seems to be adopting a lightly tweaked version of the Gapple model to add some centralization. And Germany seems to be surrendering as well.

Several senators want Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA) to do more to deter coronavirus hackers, David reports. More importantly, he points out that sending a military organization to attack a civilian criminal gang will raise a host of legal issues that should be sorted out before rather than after the attack begins.

Failure to protect your client from Chinese government hackers might be malpractice, a DC court rules. But as Maury points out, there’s a long road from winning a motion to dismiss and winning at trial, so the lesson to be drawn from this case won’t be certain for some time.

Three years later, the Shadow Brokers leak is making news, and still providing challenges for private security researchers. Nick reports on how a three-year-old leak led to the latest revelation of an unknown advanced persistent threat (APT) group.

Nick and I touch on the confused reporting about the latest filing in the mud fight between Facebook and NSO Group over NSO’s hacks of WhatsApp customers. NSO, Facebook says, has used a lot of US servers in those attacks. That matters for the technical question of whether NSO can be sued in the United States, but the volume (several hundred instances) also suggests to Nick that NSO did more than throw exploits over the wall to its customers – it was arguably offering espionage as a service.

David dings IBM for its handling of a researcher’s disclosure of four zero-days – and that leads to a dive into what a good bug bounty program can and can’t do.

Maury notes that Amazon is getting new scrutiny for its handling of third-party sales data, including suspicions on Congress’s part that it may have been lied to. This isn’t the last we’ll hear of this story.

In quick hits, I am nonplussed by Vimeo’s willingness to outsource its definition of “hate group” to the controversial Southern Poverty Law Center.

Nick celebrates the end to Crown Sterling’s “defamation” lawsuit against BlackHat, which has finally been settled.

And Nick and I mark the surprising ouster of Marc Rotenberg, EPIC’s long-time director, after Rotenberg continued to go to work and failed to notify staffers after he was diagnosed with COVID-19.

Download the 313th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-313.mp3
Category:general -- posted at: 9:06pm EDT

In this episode, I interview Thomas Rid about his illuminating study of Russian disinformation, Active Measures: The Secret History of Disinformation and Political Warfare. It lays out a century of Soviet, East European, and Russian disinformation, beginning with an elaborate and successful operation against the White Russian expatriate resistance to Bolshevik rule in the 1920s. Rid has dug into recently declassified material using digital tools that enable him to tell previously untold tales – the Soviets’ remarkable success in turning opposition to US nuclear missiles in Europe into a mass movement (and the potential shadow it casts on the legendary Adm. Hyman Rickover, father of the US nuclear navy), the unimpressive record of US disinformation compared to the ruthless Soviet version, and the fake American lobbyist (and real German agent) who persuaded a German conservative legislator to save Willy Brandt’s leftist government. We close with two very different predictions about the kind of disinformation we’ll see in the 2020 campaign.

In the news, David Kris, Nick Weaver, and I trade perspectives on the Supreme Court’s grant of certiorari on the question when it’s a crime to access a computer “in excess of authority.” I predict that the Justice Department’s reading of the Computer Fraud and Abuse Act will lose, but it’s far from clear what will replace the Justice Department’s interpretation.

Remember when the House left town without acting on FISA renewal? That’s looking like a worse and worse decision, as Congress goes weeks without returning and Justice is left unable to use utterly uncontroversial capabilities in more and more cases. Matthew Heiman explains.

In Justice Department briefs, all the most damaging admissions are down in the footnotes, and it looks like that’s true for the inspector general’s report on the Carter Page FISA. Recently declassified footnotes from the report make the FBI’s pursuit of the FISA order look even worse, in my view. But at the end of the day, the footnotes don’t add much to suspicions of a partisan motivation in the imbroglio.

Speaking of IG reports, the DOD inspector general manages to raise the possibility of political skullduggery in the big DOD cloud computing award and then to offer a way to stick it to Amazon anyway. Meanwhile, the judge overseeing the bid protest gives the Pentagon a chance for a do-over

Matthew covers intel warnings about China-linked ‘Electric Panda’ hackers and that the Syrian government is spreading surveillance malware via coronavirus apps. And David notes that a Zoom zero-day is being offered for $500,000.Nick and I mix it up, first over the Gapple infection tracing plan and their fight with the UK National Health Service and then over Facebook’s decision to suppress posts about demonstrations that protest the lockdown by violating the lockdown.

Download the 312th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: 201782.mp3
Category:general -- posted at: 9:18pm EDT

The Cyberspace Solarium Commission’s report was released into the teeth of the COVID-19 crisis and hasn’t attracted the press it probably deserved. But the commissioners included four sitting Congressmen who plan to push for the adoption of its recommendations. And the Commission is going to be producing more material – and probably more press attention – over the coming weeks. In this episode, I interview Sen. Angus King, co-chair of the Commission, and Dr. Samantha Ravich, one of the commissioners.

We focus almost exclusively on what the Commission’s recommendations mean for the private sector. The Commission has proposed a remarkably broad range of cybersecurity measures for business. The Commission recommends a new products liability regime for assemblers of final goods (including software) who don’t promptly patch vulnerabilities. It proposes two new laws requiring notice not only of personal data breaches but also of other significant cyber incidents. It calls for a federal privacy and security law – without preemption. It updates Sarbanes-Oxley to include cybersecurity principles. And lest you think the Commission is in love with liability, it also proposed liability immunities for critical infrastructure owners operating under government supervision during a crisis. We cover all these proposals, plus the Commission’s recommendation of a new role for the Intelligence Community in providing support to critical US companies.

In the news, Nick Weaver and I dig deep into the Google and Apple proposals for tracking COVID-19 infections. I’ve got a separate post in the works on the topic, but the short version is that I think Google and Apple have dramatically overvalued privacy interests and downgraded, you know, actually tracking infections. Nick and I agree that the app should operate on an opt-out basis, not opt-in.

The Great Decoupling, part 278: It looks as though China Telecom will be getting the boot from US telecom markets, at least if Team Telecom has anything to say about it. And speaking of Team Telecom, Brian Egan tells us that it has a new charter and a new, catchy acronym: CAFPUSTTSS!

Nick and I dig into a Ninth Circuit decision that may be bound for the Supreme Court. It holds that Facebook can be held liable for wiretapping when it gets information from its widely deployed “like” buttons on third-party sites.

Fish gotta swim, birds gotta fly, and the EU has to regulate tech, coronavirus or not. Maury Shenk reports, bemusedly.

Matching him bemusement for bemusement, Nick tries to explain a French ruling that Google must pay news outlets for content (and can’t stop linking to the outlets).

Maury explains the 5G-coronavirus conspiracy that has Brits burning cellular masts.

Nick explains how to make a “smart” lock spill its secrets, and how to fall foul of the FTC.

And in quick takes, the COVID-19 cyber threat has the US and UK authorities joining hands against cyberattacks, the Australian government is hacking criminals who are exploiting coronavirus, and it turns out that IoT devices may defect to work for foreign intelligence agencies.

Download the 311th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-311.mp3
Category:general -- posted at: 11:29am EDT

Nate Jones and I dig deep into Twitter’s decision to delete Rudy Giuliani’s tweet (quoting Charlie Kirk of Turning Point) to the effect that hydroxychloroquine had been shown to be 100% effective against the coronavirus and that Gov. Whitmer (D-MI) had threatened doctors prescribing it out of anti-Trump animus. Twitter claimed that it was deleting tweets that “go directly against guidance from authoritative sources” and separately implied that the tweet was an improper attack on Gov. Whitmer. 

So where did Twitter find the “authoritative guidance” that Giuliani was supposed to be “going directly against”? Of course, Twitter isn’t explaining itself, which raises questions about the basis for its action. (I offered two of its representatives a chance to come on the podcast to offer a defense; they didn’t respond.)

In short, all the people who’ve been telling us our freedoms are at risk as a result of the health emergency might be right, but the source of the danger isn’t government. It’s Silicon Valley.

Nate thinks (probably correctly) that Kirk and Giuliani were wrong about the “100% effective” claim, and that people like them and the president are going to get people to take dangerous drugs without medical advice if they aren’t policed. It’s a spirited exchange.

In contrast, Paul Rosenzweig and I find a fair amount of common ground outside this week’s media consensus that Zoom is either evil or stupid, maybe both, for its handling of privacy and security of users. No doubt there are a staggering number of privacy and security holes in the product, and the company will get sued for several of them. But we suspect that many of the problems would have been exposed and fixed over the course of the three years it would have taken Zoom to reach the levels of use it’s instead reached in three weeks. One error, exposing LinkedIn data to unrelated users with the same Internet domain, seems to have hit Dutch users especially hard

The DOJ inspector general has found widespread gaps in the FBI’s compliance with its now-famous Woods procedures. Matthew Heiman and I try to put the damaging report in perspective. It’s hard to know at this point how serious the gaps are, though the numbers suggest that some will be serious. Meanwhile, the FISA court has ordered a rush evaluation from Justice of more or less exactly the same questions the IG is asking. We manage to agree that the court’s June 15 deadline is not realistic given everything else the same group of lawyers will be doing between now and November. 

Matthew tells us that the Saudis are suspected of a phone spying campaign in the United States. I point out that foreign location collection is pretty much built into the SS7 phone system, so the worst that can be said about the event is that the Saudis were caught doing “too much” spying in the US.

Paul comes down agreeing with a new court ruling that violating a site’s terms of service isn’t criminal hacking. And now that that’s settled, I have a research proposal for the Hewlett Foundation.

Washington State has adopted a facial recognition law that Microsoft likes, Nate tells us. No surprise, I suggest, since the law will only regulate governments, not the private sector. I’m not a fan; it looks like a law that virtually guarantees that any facial recognition system will be forced to “correct” empirical results in favor of quotas for “protected subpopulations.” This leads, in light of Zoom’s problems, to the question of whether that includes the Dutch.

Who is hacking the WHO? Who isn’t? Matthew notes that Iran has joined what must be a crowd of eavesdroppers in WHO networks.

Nostalgic for the days before the coronavirus? How about this blast from the past: Marriott has revealed a data breach exposing (some) personal data for up to 5.2 million customers.

I close the episode with the good news that some coders seem to be taking up the challenge I offered in the last episode and on Lawfare to construct an infection tracing system using mobile phones that will work in the US.

Download the 310th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-310.mp3
Category:general -- posted at: 10:32am EDT

In this bonus episode, we present a lightly edited interview about Israel’s technology- and surveillance-heavy approach to the COVID-19 pandemic. In it, Matthew Waxman, Liviu Librescu Professor of Law at Columbia University, and I talk to Yuval Shany, a noted Israeli human rights expert and professor at Hebrew University. We cover the particularly fraught political crisis that the virus exacerbated, the Israeli government’s use of counterterrorism tools to trace contacts of infected individuals, and the significance of locational privacy in the face of a deadly contagion. Our thanks to both Nachum Braverman of Academic Exchange and Benjamin Wittes of Lawfare for making the interview possible.

Download the 309th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-309.mp3
Category:general -- posted at: 10:00am EDT

David Kris, Paul Rosenzweig and I dive deep on the big tech issue of the COVID-19 contagion: Whether (but mostly how) to use mobile phone location services to fight the virus. We cover the Israeli approach, as well as a host of solutions adopted in Singapore, Taiwan, South Korea and elsewhere. I’m a big fan of Singapore, which produced in a week an app that Nick Weaver thought would take a year.

In our interview, evelyn douek, currently at the Berkman Klein Center and an SJD candidate at Harvard, takes us deep into content moderation. Displaying a talent for complexifying an issue we all want to simplify, she explains why we can’t get live with social platform censorship and why we can’t live without it. She walks us through the growth of content moderation, from spam, through child pornography and on to terrorism and “coordinated inauthentic behavior”—the identification of which, evelyn assures me, does not require an existentialist dance instructor. Instead, it’s the latest and least easily defined category of speech to be suppressed by Big Tech.

Returning to the News Roundup, Nate Jones and evelyn mull the head-spinning change the virus has made in the public reputation of Big Tech, but Nate wonders if Silicon Valley's PR glow will last.

Meanwhile, China is celebrating its self-proclaimed victory over COVID-19 by borrowing Russian tactics to spread coronavirus disinformation. I argue that any country adopting Russia’s patented “Who knows what’s true?” tactics probably has something to hide.

We take advantage of evelyn’s Aussie ties to get a translation (and an apology) for Australia’s latest venture into the business of blocking graphic violent content.

David and Paul review the White House’s National Strategy for 5G Security. They talk for two minutes, but they say more than the strategy.

The House of Representative has irresponsibly bolted for home without even a temporary reauthorization of expiring FISA authorities. Paul and David explain why that isn’t quite the disaster it sounds like. Quite.

David says the Justice Department has brought the first fraud case stemming from the coronavirus crisis, and I suggest that case itself has a whiff of false advertising about it.

Amazon is complaining that the Pentagon is trying to fix some of the contract award problems in the big Defense Department cloud procurement. Paul is more sympathetic than I am.

And Paul questions the wisdom of failing to delay CCPA enforcement while the coronavirus rages across California.

Download the 308th Episode (mp3).

 

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-308.mp3
Category:general -- posted at: 5:42pm EDT

That’s the question I debate with David Kris and Nick Weaver as we explore the ways in which governments are using location data to fight the spread of COVID-19. Phone location data is being used to enforce quarantines and to track contacts with infected people. It’s useful for both, but Nick thinks the second application may not really be ready for a year – too late for this outbreak.

 

Our interview subject is Jason Healey, who has a long history with Cyber Command and a deep recent oeuvre of academic commentary on cyber conflict. Jay explains Cyber Command’s doctrine of “persistent engagement” and “defending forward” in words that I finally understand. It makes sense in terms of Cyber Command’s aspirations as well as the limitations it labored under in the Obama Administration, but I end up wondering whether it’s going to be different from “deterrence through having the best offense.” Nothing wrong with that, in my view – as long as you have the best offense by a long shot, something that is by no means proven.

 

We return to the news to discover the whole idea of national security sunsets looking dumber than it did when it first saw the light of day (which is saying something). Several important FISA authorities have fallen to the floor, Matthew Heiman reports. Thanks to Sens. Rand Paul and Mike Lee, I might add (Nick blames President Trump, who certainly stepped in at a bad time). Both the House and the Senate passed measures to keep FISA authorities alive, but the measures were completely different and out of sync. Maybe the House will fix that this week, but only for a couple months. Because of course we’ll be rested and ready in the middle of a contagion and a presidential campaign for a debate over Sen. Paul’s proposal to make it harder to wiretap and prosecute Americans who spy for foreign governments. 

Maybe some aiming should have come before naming and shaming? The US has dropped the Mueller team’s charges against a sponsor of Russian electoral interference, Matthew tells us.

There’s another major leak about government skullduggery in cyberspace, David tells us, and WikiLeaks is, uh, nowhere to be seen. That’s because the skulldugging government in question is Vladimir Putin’s, and WikiLeaks is looking more and more like it is in cahoots with Putin. So it falls to a group called Digital Revolution to publish internal FSB documents showing Russia’s determination to acquire a huge DDOS network, maybe enough to take whole nations offline. 

 

Alan Cohn makes a guest appearance to discuss the role that DHS’s CISA is playing in the COVID-19 crisis. And it has nothing to do with cybersecurity. Instead, CISA is ensuring the security of critical infrastructure around the country by identifying facilities that need to keep operating, notwithstanding state lockdown orders. We talk about the federalism crisis that could come from the proliferation of critical infrastructure designations, but neither of us expects it soon. 

 

Here’s a surprise: Russia is deploying coronavirus disinformation, claiming that it is a US bioweapon. Uncharacteristically, I find myself praising the European Union for flagging the campaign.

Nick talks about the ambiguity of the cyberattack on Norsk Hydro, and I raise the risk that companies may stop releasing attribution information pointing to nation states because doing so may undercut their insurance claims. 

Finally, we wrap up the story of ex-Uber autonomous driving executive Anthony Levandowski, who has pled guilty to trade-secret theft and is likely headed to prison for a year or three. 

Direct download: TheCyberlawPodcast-307.mp3
Category:general -- posted at: 5:36pm EDT

If your podcast feed has suddenly become a steady diet of more or less the same COVID-19 stories, here’s a chance to listen to cyber experts talk about what they know about – cyberlaw. Our interview is with Elsa Kania, adjunct senior fellow at the Center for a New American Security and one of the most prolific researchers of China, technology, and national security. We talk about the relative strengths and weaknesses of the artificial intelligence ecosystems in the two countries.

In the news, Maury Shenk and Mark MacCarthy describe the growing field of censorship-as-a-service and the competition between US and Chinese vendors. 

Elsa and I unpack the report of the Cyberspace Solarium Commission. Bottom line: The report is ambitious but constrained by political reality. And the most striking political reality is that there hasn’t been a better time in 25 years to propose cybersecurity regulation and liability for the tech sector. Seizing the Zeitgeist, the report offers at least a dozen such proposals.

Nick Weaver explains the joys of trojanizing the trojanizers, and we debate whether that is fourth-party or fifth-party intelligence collection.

In a shameful dereliction, Congress has let important FISA authorities lapse, but perhaps only for a day or two (depending on the president’s temperature when the reauthorization bill reaches his desk). The bill isn’t good for our security, but it mostly consists of new ornaments hung on the existing FISA Christmas tree. 

Mark covers a Swedish ruling that deserves to be forgotten a lot more than the crimes and embarrassments protected by the “right to be forgotten.” This one fines Google for failing to cover up Sweden’s censorship with sufficient zeal.

Nick explains how Microsoft finds itself taking down an international botnet instead of leaving the job to the world’s governments.

Maury reports that a federal trial is exposing the seamy ties between the FSB and criminal Russian hackers. Now we know why Russia fought extradition of the singing hacker to the U.S.

Elsa helps me through recent claims that US chipmakers face long-term damage from the U.S.-China trade fight. That much is obvious to all; less obvious is what the U.S. can do to avoid it.

Nick and I talk about Facebook’s suit against NSO Group. I claim that NSO won this round in court but lost in the media, which has finally found a company it hates more than Facebook. Nick thinks Facebook is quite happy to swap a default judgment for a chance at discovery.

In other quick hits, the Department of Defense is wisely seeking a quick do-over in the cloud computing litigation involving Amazon Web Services and Microsoft. House and Senate committees have now okayed a bill to give the Cybersecurity and Infrastructure Security Agency much-needed and uncontroversial subpoena authority to identify at-risk Internet users. Rebooting my "Privacy Kills" series, I break the injunction against COVID-19 news to point out that dumb privacy laws likely delayed for weeks discovery of how widespread COVID-19 was in Seattle. And Joshua Schulte’s trial ends in a hung jury; I want to know where the post-trial jury interview stories are.

Download the 306th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-306.mp3
Category:general -- posted at: 6:08pm EDT

The NSA’s use of call detail records to spot cross-border terror plots has a long history. It began life in deepest secrecy, became public (and controversial) after Edward Snowden’s leaks and was then reformed in the USA Freedom Act. Now it’s up for renewal, and the Privacy and Civil Liberties Oversight Board, or PCLOB, has weighed in with a deep report on how the program has functioned – and why NSA has suspended it. In this episode, I interview Travis LeBlanc, a PCLOB Member, about the report and the program. Travis is a highly effective advocate, bringing me around on several issues, including whether the program should be continued and even whether the authority to revive it would be useful. It’s a superb guide to a program whose renewal is currently being debated (against a March 15 deadline!) in Congress.

Direct download: TheCyberlawPodcast-305.mp3
Category:general -- posted at: 12:31pm EDT

Our interview in this episode is with Glenn Gerstell, freed at last from some of the constraints that come with government service. We cover the Snowden leaks, how private and public legal work differs (hint: it’s the turf battles), Cyber Command, Russian election interference, reauthorization of FISA, and the daunting challenges the US (and its Intelligence Community) will face as China’s economy begins to reinforce its global security ambitions. 

In the news, Nate Jones and Nick Weaver talk through the new legal and technical ground broken by the United States in identifying two Chinese nationals and the $100 million in cryptocurrency they laundered for North Korean hackers.

Paul Rosenzweig lays out the challenge posed for the Supreme Court’s Carpenter decision by LocateX, which provides detailed location data commercially. This is exactly the quagmire I expected the Court to find itself in when it abandoned the third-party doctrine on a one-off basis. Nick points out that the data is only pseudonymized and tries with mixed success to teach me to say “de-pseudonymized.” 

Nate and I conclude that facial recognition has achieved a new level of infamy. Kashmir Hill at the New York Times adds a new drop of poison in a story that could just as well have repeated “I hate Clearview AI” 50 times for all it told us about the company. And Anna Merlan of Vice published a story about Clearview’s practices.

Direct download: TheCyberlawPodcast-304.mp3
Category:general -- posted at: 7:27pm EDT

This is a bonus episode of the Cyberlaw Podcast – a freestanding interview of Noah Phillips, a Commissioner of the Federal Trade Commission. The topic of the interview is whether privacy and antitrust analysis should be merged, especially in the context of Silicon Valley and its social media platforms. Commissioner Phillips, who has devoted considerable attention to the privacy side of the FTC’s jurisdiction, recently delivered a speech on the topic and telegraphed his doubts in the title: “Should We Block This Merger? Some Thoughts on Converging Antitrust and Privacy.” Subject to the usual Cyberlaw Podcast injunction that he speaks only for himself and not his institution or relatives, Commissioner Phillips lays out the very real connections between personal data and industry dominance as well as the complexities that come from trying to use antitrust to solve privacy problems. Among the complexities: the key to more competition among social media giants could well be more sharing between companies of the personal data that fuels their network effects, and corporate sharing of personal data is what privacy advocates have spent a decade crusading against. It’s a wide-ranging interview, touching on, among other things, whether antitrust can be used to solve Silicon Valley’s censorship problem (he’s skeptical) and what he thinks of suggestions in Europe that perhaps the Schrems problem can be solved by declaring that post-CCPA California meets EU data privacy standards. Commissioner Phillips is bemused; I conclude that this is just Europe seeking revenge for President Trump’s Brexit support by promoting “Calexit.”

Download the 303rd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-303.mp3
Category:general -- posted at: 9:58am EDT

This episode features a lively (and—fair warning—long) interview with Daphne Keller, Director of the Program on Platform Regulation at Stanford University’s Cyber Policy Center. We explore themes from her recent paper on regulation of online speech. It turns out that more or less everyone has an ability to restrict users’ speech online, and pretty much no one has both authority and an interest in fostering free-speech values. Conservatives may be discriminated against, but so are Black Lives Matter activists. I serve up one solution to biased moderation after another, and Daphne methodically shoots them down. Transparency? None of the companies is willing, and the government may have a constitutional problem forcing them to disclose how they make their moderation decisions. Competition law? A long haul, and besides, most users like a moderated Internet experience. Regulation? Only if we take the First Amendment back to the heyday of broadcast regulation. As a particularly egregious example of foreign governments and platforms ganging up to censor Americans, we touch on the Europe Court of Justice’s insufferable decision encouraging the export of European defamation law to the U.S.—with an extra margin of censorship to keep the platform from any risk of liability. I offer to risk my Facebook account to see if that’s already happening.

In the news, the FISA follies take center stage, as the March 15 deadline for reauthorizing important counterterrorism authorities draws near. No one has a good solution. Matthew Heiman explains that another kick-the-can scenario remains a live option. And Nick Weaver summarizes the problems that the PCLOB found with the FISA call detail record program. My take: The program failed because it was imposed on NSA by libertarian ideologues who had no idea how it would work in practice and who now want to blame NSA for their own shortsightedness.

Another week, another couple of artificial intelligence ethics codes: The two most recent ones come from DOD and … the Pope? Mark MacCarthy sees a lot to like. I offer my quick and dirty CTRL-F “bias” test for whether the codes are serious or flaky, and both fail.

In China news, Matthew covers China’s ever-spreading censorship regime—now reaching Twitter users whose accounts are blocked by the Great Firewall. We also ask whether and how much the U.S. “name and shame” campaign has actually reduced Chinese cyberespionage. And whether China is stealing tech from universities for the same reason Willie Sutton robbed banks—that’s where the IP is.

Nick recounts with undisguised glee the latest tribulations suffered by Clearview and its facial recognition system: Its app has been banned from Android and Apple, and both its customers and its data collection methods have been doxed.

Mark notes the success of threats to boycott Pakistan on the part of Facebook, Google and Twitter. I wonder if that will simply incentivize Pakistan to drive its social media ecosystem toward the Chinese giants. Nick gives drug dealers a lesson in how not to store the codes for €53.6 million in Bitcoin; or is he offering a lesson in what to say to the police if you want that €53.6 million waiting for you when you get out of prison?

Finally, in a few quick hits, we cover new developments in past stories: It turns out, to the surprise of no one, that removing a GPS tracking device from your car isn’t theft. West Virginia has apparently recovered from a fit of insanity and now does not plan to allow voting by insecure app. And the FCC is taking it slow in its investigation of mobile carriers for selling customer location data; now we know who’ll be charged (pretty much everyone) and how much it will cost them ($200 million), but we still don’t know the theory or whether the whole inquiry is going to kill off legitimate uses of location data.

 

Download the 302nd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-302.mp3
Category:general -- posted at: 5:02pm EDT

We interview Ben Buchanan about his new book, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. This is Ben’s second book and second interview on the podcast about international conflict and cyber weapons. It’s safe to say that America’s strategic posture hasn’t improved since his first appearance. We face more adversaries with more tools and a considerably greater appetite for cyber adventurism. Ben recaps some of the stories that were undercovered in the US press when they occurred. The second large attack on Ukraine’s grid, for example, was little noticed during the US election of 2016, but it appears more ominous after a recent analysis of the tools used, and perhaps most importantly, those available to the GRU but not used. 

In the news, Nick Weaver, Gus Hurwitz, and I take a quick pass at the Internet content regulation problem and Section 230 of the Communications Decency Act. I’ve written that Section 230 needs to be reconsidered, and I predict that the Justice Department, which held a workshop on Section 230 last week, will propose reforms. Gus and I offer two different takes on Facebook’s recent white paper about content moderation. Gus is more a fan of Twitter’s approach. And Nick reminds us that there are some communities on the Internet whose content causes real harm, including to innocent children.

The debate in the US is taking a distinctly European turn, I suggest, which makes Europe’s determination to regulate its way to digital innovation a little less implausible than usual. Maury Shenk outlines the very tentative (and almost certainly out of date before it’s launched) plan for building a European data lake to foster a European AI and digital economy.

Speaking of AI regulation, Elon Musk hasn’t given up on his concerns about the technology’s risks. But the real action in media circles is attacking fairly simple machine learning tools as used by law enforcement and the justice system. I think the attack is wrongheaded and will either result in abandoning tools that can discipline true outliers. Nick thinks the institutionalization of bias is bad enough that giving up such tools may be the better course.

In quick hits, Nick explains how Google’s effort to stamp out ad click fraud can generate a secondary form of criminal extortion. Maury explains the latest flap over Australia’s encryption law; the tl;dr is that nothing is likely to change soon. Gus makes a down payment on an emerging issue: Whether ISPs can defeat Internet privacy laws that affect them by pleading their First Amendment rights. Nick calls BS on the simplest forms of “anonymization” for credit card data now being sold. I highlight a ransomware attack on a US natural gas operator that actually affected operations and is thus a forerunner of future attacks. Nick reminds us that Julian Assange is in court to stop a US extradition bid. And Europe’s data protection advisor is questioning Google’s acquisition of Fitbit.

Download the 301st Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-301.mp3
Category:general -- posted at: 6:28pm EDT

In breaking news from 1995, the Washington Post takes advantage of a leaked CIA history paper to retell the remarkable tale of Crypto AG, a purveyor of encryption products to dozens of governments – and allegedly a wholly controlled subsidiary of US and German intelligence. Nick Weaver, Paul Rosenzweig, and I are astonished at the derring-do and unapologetic enthusiasm for intelligence collection. I mean, really: The Pope?

This week’s interview is with Jonathan Reiber, a writer and strategist in Oakland, California, and former Chief Strategy Officer for Cyber Policy and Speechwriter at the Department of Defense, currently senior advisor at Technology for Global Security and visiting scholar at the UC Berkeley Center for Long-Term Cybersecurity. His recent report offers a candid view of strained relations between Silicon Valley and the Pentagon. The interview explores the reasons for that strain, the importance of bridging the gap and how that can best be done.

Nick reports that four PLA members have been indicted over the Equifax breach. He speculates that the US government is sending a message by disclosing a photo of one soldier that appears to have been taken by his own webcam. Paul and I note that China’s motivation for the hack was very likely the assembly of records on Americans not dissimilar to the records we know the Chinese keep on Uighurs – which are extraordinarily detailed and surprisingly artisanal

The arrest of a Bitcoin mixer allows Nick to explain how Bitcoin mixing services work and why they’re illegal.

Paul lays out the potentially serious impact of Amazon’s lawsuit to stop a $10 billion Microsoft-DOD cloud contract. We note that Amazon wants to take testimony from President Trump. Thanks to his Twitter habit, we conclude, that’s not out of the question.

I preview my remarks at a February 19 Justice Department workshops on Section 230. I will reprise my article in Lawfare and the encryption debate with Nick Weaver that inspired it. And I hope to dig as well into the question whether Section 230 provides too much protection for Silicon Valley’s censors. Speaking of which, Jeff Bezos’s company has joined the censors but won’t tell us which books it’s suppressing.

Nick and I give a favorable review to CISA’s new #Protect2020 election strategy. We search for deeper meaning in the Internet Assigned Numbers Authority’s (IANA’s) failure to complete its Domain Name System Security Extensions (DNSSEC) root key signing ceremony because of… a physical safe. And we all take a moment to mock the latest vote-by-phone snake-oil app seller, Voatz.

Download the 300th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-300.mp3
Category:general -- posted at: 11:48am EDT

The next trade war will be over transatlantic data flows, and it will make the fight with China look like a picnic. That’s the subject of this episode’s interview. The European Court of Justice is poised to go nuclear – to cut off US companies’ access to European customer data unless the US lets European courts and data protection agencies refashion its intelligence capabilities according to standards no European government has ever been required to meet. Maury Shenk and I interview Peter Swire on the Schrems cases that look nearly certain to provoke a transatlantic trade and intelligence crisis. Actually, Maury interviews Peter, and I throw bombs into the conversation. But if ever there were a cyberlaw topic that deserves more bomb-throwing, this is it.

In the News Roundup, David Kris tells us that the trial of alleged Vault7 leaker Joshua Schulte is under way. And the star of the first day is our very own podcast regular, Paul Rosenzweig

If you’re wondering whether more cybersecurity regulation is what the country needs, you should be paying attention to the Pentagon, which has embraced cybersecurity regulation for its contractors. Matthew Heiman reports that DOD isn’t finding the path easy. DOD has released its final cybersecurity plan for contractors, but the audit process needed to enforce it remains a mystery.

That’s SNAKE spelled backwards: David tells us about a new strain of ransomware; ominously, it is targeting industrial control systems. I manage to find a very modest silver lining.

Nate Jones sums up the cybersecurity lessons from the voting debacle in Iowa

Nate also reports on the FCC’s latest half-step toward suing one or more telcos for selling phone-location data.

Matthew covers the Maze ransomware that has ravaged law firms in recent weeks. He argues that it’s only a matter of time before such attacks become dog-bites-man stories.

Matthew also notes that Google and Facebook have apparently dropped plans to terminate their transpacific cable in Hong Kong. US national security concerns seem to have driven the decision. Looks like the Great Decoupling could be spurring a very real physical decoupling.

Nate makes the best of the 2020 version of a Worthwhile Canadian Initiative: The Senate Intel Committee’s third volume of its Russian electoral interference report. It’s sober and responsible and bipartisan – and disappeared from the news cycle overnight.

And to bring you up to speed on past stories: 

  • A Brazilian judge has declined to accept charges against Glenn Greenwald, “for now.” 
  • The poster child for the facial recognition moral panic can’t catch a break: Clearview AI has been hit with cease-and-desist from Google and Facebook.
  • Tag-teaming with Bill Barr, child-welfare activists are attacking Facebook over its encryption plans and what that means for exploited kids. 
  • One of the first CCPA lawsuits has been filed, against Salesforce.
  • And This Week in Silicon Valley content moderation:
    • Letterboxd banned a black libertarian film critic’s reviews.
    • James O’Keefe’s Twitter account was suspended after he named a Bernie Sanders staffer who spoke fondly of gulags and electoral violence.
    • And Twitter banned the widely popular Zero Hedge account after it named a Chinese researcher who it thought might have a role in coronavirus.

Download the 299th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-299.mp3
Category:general -- posted at: 11:36am EDT

Nick Weaver and I debate Sens. Graham and Blumenthal’s EARN IT Act, a proposal to require that social media firms follow best practices on preventing child abuse. If they don’t, they won’t get full Section 230 immunity from liability for recklessly allowing the abuse. Nick thinks the idea is ill-conceived and doomed to fail. I think there’s a core of sense to the proposal, which simply asks that Silicon Valley firms who are reckless about child abuse on their networks pay for the social costs they’re imposing. Since the bill gives the attorney general authority to modify the best practices submitted by a commission of industry, academic, and civic representatives, critics are sure that the final product will reduce corporate incentives to offer end-to-end encryption. 

But before we get to that debate, Gus Hurwitz and I unpack the law and tactics behind Facebook’s decision to pay $550 million to settle a facial recognition class action. And Klon Kitchen and Nick ponder the shocking corruption and coverup alleged in the case of a Harvard chemistry chairman being prosecuted for hiding the large sums he was getting from the Chinese government to boost its research into nanomaterials. 

Klon gives us a feel for just how hard it can be to enforce Iranian sanctions, and the creativity that went into one app developer’s evasion scheme. 

Gus and Nick offer real hope that robocalling will start to get harder, and soon: DOJ has requested restraining orders to stop telephone companies from facilitating fraudulent robocalls; the FTC has put 19 VoIP providers on notice for facilitating robocalls; and SHAKEN/STIR is slowly making it harder to spoof a phone number.

Gus asks a question that had never occurred to me, and certainly not to millions of homeowners who may have committed inadvertent felonies by installing Ring doorbell cameras. It turns out that Ring recordings may be illegal intercepts in states with all-party consent laws. At least that’s what one enterprising New Hampshire defense lawyer is arguing.

First they cock a snook at Brussels, and now this: The UK government is on a roll. It’s proposing an IoT security law that Nick endorses with enthusiasm.

Maryland, not so much: Klon critiques a proposed state law that would make ransomware illegal – and maybe ransomware research, too.

In dog-bites-man news, the United Nations has suffered a breach – probably by a semi-competent government. Which doesn’t narrow things down much, since as Nick observes, everyone but the Germans has probably pwned the UN. And the Germans are just being polite.

A lot of old stories have come back for one more turn on stage: The Russian hacker that the Russian government was afraid would sing if extradited to the US has pleaded guilty here and is probably singing already. Avast has killed Jumpshot, its much-criticized data collection operation. The Bezosphone Saga continues, as Sen. Chris Murphy calls on the DNI and FBI to investigate the hacking allegations, and Bezos’s girlfriend’s brother is suing for defamation. Charges against the Iowa courthouse penetration testers have finally been dropped. LabMD’s Mike Daugherty should probably hang up his cleats. He won a great victory over the FTC, but his racketeering suit against Tiversa and lawyers is officially time-barred. Finally, it turns out that the FBI has been investigating NSO Group since 2017, though without bringing charges, so far. 

Download the 298th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-298.mp3
Category:general -- posted at: 11:59am EDT

This episode features an interview on the Bezos phone flap with David Kaye and Alex Stamos. David is a UN Special Rapporteur and clinical professor of law at UC Irvine who first drew attention to an FTI Consulting report concluding that the Saudis did hack Bezos’ phone. Alex is director of the Stanford Internet Observatory and was the CSO at Facebook; he thinks the technical case against the Saudis needs work, and he calls for a supplemental forensic review of the phone. 

In the news, Nate Jones unpacks the US-China “phase one” trade deal and what it means for the tech divide.

Nick Weaver and I agree that the King County (Seattle) Conservation District’s notion of saving postage by having everyone vote by phone is nuts. Nick in particular reacts as you’d expect him to. 

Nate talks about the profound hit the credibility of the FISA process has taken as a result of the Justice Department admitting that two of four Carter Page warrants were invalid. Among other things, it opens FISA to a kitchen sink full of proposals for handcuffing national security wiretaps. Like this one from Sen. Ron Wyden and Sen. Steve Daines.

Brazil has charged Glenn Greenwald with “cybercrimes” on evidence that would be thin at best in the US, Nate argues. Nick agrees and is only sad that the Bolsonaro government has put him in the position of defending Greenwald.

Google is redesigning its search results again, blurring even further the line between ads and organic results. Living up to its new motto (“Don’t be caught being evil”), Google announces that it’s just testing its design, and everyone should chill. Nick and I are skeptical that A/B testing will tell Google anything other than which redesign fools consumers most effectively and thus makes more protection money for Google.

And speaking of protection money, this episode was not brought to you by Avast, the company that probably would have paid the most not to be mentioned on the Cyberlaw Podcast this week. Because they’ve been caught getting largely uninformed consent to the monitoring of their customers’ Web activities. 

Download the 297th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-297.mp3
Category:general -- posted at: 3:01pm EDT

This week’s episode includes an interview with Bruce Schneier about his recent op-ed on privacy. Bruce and I are both dubious about the current media trope that facial recognition technology was spawned by the Antichrist. He notes that what we are really worried about is a lot bigger than facial recognition and offers ways in which the law could address our deeper worry. I’m less optimistic about our ability to write or enforce laws designed to restrict use of information that gets cheaper to collect, to correlate, and to store every year. It’s a good, civilized exchange.

The News Roundup is a little truncated due to a technical failure. (It was a glitch in Zencastr for those of you keeping score, and I definitely am). As a result, we lost Nick Weaver’s audio for about half the program, including a hammer and tongs debate over Apple’s fight with the FBI. (But never fear, opportunities for that fight come by about as often as the Red Line comes to Dupont Circle.)

That said, it’s still a feisty episode. It begins with Michael Vatis teeing off on the California Consumer Privacy Act, the worst-drafted law he’s worked with in over 30 years of practice—and not much better on policy grounds.

We then return to Illinois’s recent law regulating AI hiring interviews systems like HireVue, and sparks fly again as Mark MacCarthy and I mix it up over allegations of AI “bias.” (I’m a skeptic, to put it mildly.)

Matthew Heiman covers the surprisingly thin claim that the GRU has phished its way into Burisma Holdings. And Nick comments on (yet another!) Italian surveillance tech firm getting into trouble by misusing its capabilities.

Not-so-Big Tech has begun asking Congress for antitrust help against Big Tech. Mark is skeptical; I’m a little less so.

Matthew and I compliment frequent contributor David Kris on his speed in delivering an amicus report on the FBI’s Horowitz reforms between one episode and the next – and before his Congressional critics can finish a letter questioning his appointment. One lingering, and possibly salutary, effect of the kerfuffle is that questions are being directed at the FISA Court itself, asking why it didn’t do a better job of policing the Carter Page excesses.

Mark reports on an unusual effort by Europe’s chief privacy officer to exempt academic researchers from strict compliance with data protections laws.

In quick hits, Matthew notes that Erdogan has bowed to the Turkish Supreme Court and has reinstated access to Wikipedia. He also reports on the Department of the Interior permanently grounding its drone fleet over spying concerns. Nick chuckles over China’s APT 40 getting doxed, and we both give credit to NSA’s Anne Neuberger for disclosing and enabling the patch by Microsoft of a major vulnerability in the Crypt32 library. And I note the likelihood that Clearview will be sued for violating terms of service to obtain the facial recognition data it uses to provide identification services to law enforcement.

 

Download the 296th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-296.mp3
Category:general -- posted at: 3:48pm EDT

There’s a fine line between legislation addressing deepfakes and legislation that is itself a deep fake. Nate Jones reports on the only federal legislation addressing the problem so far. I claim that it is well short of a serious regulatory effort—and pretty close to a fake law.

In contrast, India seems serious about imposing liability on companies whose unbreakable end-to-end crypto causes harm, at least to judge from the howls of the usual defenders of such crypto. David Kris explains how the law will work. I ask why Silicon Valley gets to impose the externalities of encryption-facilitated crime on society without consequence when we’d never allow tech companies to say that society should pick up the tab for their pollution because their products are so cool. In related news, the FBI may be turning the Pensacola military terrorism attack into a slow-motion replay of the San Bernardino fight with Apple, this time with more top cover.

Poor Nate seems to draw all the fake legislation in this episode. He explains a 2020 appropriations rider requiring the State Department to report on how it issues export licenses for cyber espionage capabilities; this is a follow-up to investigative reporting on the way such capabilities in the UAE ended up being used against human rights activists. As we agree, it’s an interesting and likely unsolvable policy problem, so the legislation opts for the most meaningless of remedies, requiring the Directorate of Defense Trade Control to report “on cybertools and capabilities licensing, including licensing screening and approval procedures as well as compliance and enforcement mechanisms” within 90 days.

Nate also gets to cover some decidedly un-fake requirements in the 2019 NDAA, limiting how defense contractors can use Chinese technology. The other shoe is about to drop, and if the first one was a baby shoe, the second is a Clydesdale’s horseshoe.

It’s hard to call it fake, but the latest export control rule restricting sales of AI could hardly be narrower. Maury Shenk and I speculate that this is because a long-term turf war has broken out again in export control policy circles. Maury’s money is on the business side of that fight, and the narrowness of the AI rule gives weight to his views.

And here’s some Christmas cheer for DOJ and national security officials: A federal district court presented Edward Snowden with a lump of coal—the only royalties it thought he deserved from a book that violated his nondisclosure agreement. Nate thinks it’s time for me to buy one, but I’m waiting for appellate confirmation.

Less festive news comes from the European Court of Justice’s advocate general opinion in Schrems II, a case that could greatly complicate EU-US data transfers by purporting to put Europeans in charge of how the US defends itself from terrorism. Maury explains; I complain.

David unpacks with clarity a complex Second Circuit decision on the constitutionality of FISA 702 collection. On the whole, Judge Lynch did a creditable job with a messy and unprecedented set of claims, though I question the wisdom of erecting a baroque mansion of judge-made procedures on a slippery foundation like the Fourth Amendment’s requirement that searches be “reasonable.”

And in short hits, Maury tells us that Italy has imposed a French-style revenue tax on Internet companies, and Russia claims that it has successfully tested the ability to disconnect from the Internet. Now if we could only get them to stay that way. Illinois has a new, mostly fake law imposing modest regulations on the use of AI in video job interviews. The TRACED Act rises above fakeness in attacking robocalls but just barely. And the FAA released an NPRM calling for a pretty serious requirement for remote ID of drones.

And to put everyone back in the Christmas spirit, LabMD won nearly a million dollars in fees from the Federal Trade Commission for the FTC’s bullheaded pursuit of the company despite the many flaws in its case. The master’s opinion makes clear just how badly the FTC erred in hounding LabMD.

 

Download the 295th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-295.mp3
Category:general -- posted at: 2:19pm EDT

For this special edition of the Cyberlaw Podcast, we’ve convened a panel of experts on intelligence and surveillance legal matters. We take a look at the Department of Justice Inspector General’s report on the FBI’s use of FISA applications – and the many errors in those applications. We also touch on FBI Director Wray’s response, as well as a public order issued by the Foreign Intelligence Surveillance Court. We wrap up with thoughts on how to resolve some of the issues identified by the IG’s report and suggestions for improving the FISA process.

Joining me on the panel:

  • Bob Litt, former general counsel of the Office of the Director of National Intelligence.
  • David Kris, who wrote the book on FISA and previously headed the DOJ’s National Security Division, which is responsible for FISA warrants.
  • Bobby Chesney of the University of Texas School of Law, as well as a founder of Lawfare and co-host of the National Security Law Podcast.

The Cyberlaw Podcast is going on hiatus for the holidays. We’ll be back in January with more insights into the latest events in technology, security, privacy, and government.

Download the 294th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-294.mp3
Category:general -- posted at: 10:40am EDT

This week Maury Shenk guest hosts the podcast.

Even with a "phase one" trade deal with China apparently agreed upon, there's, of course, plenty still at stake between China and the US in the tech space. Nate Jones reports on the Chinese government order for government offices to purge foreign software and equipment within three years and the plans of Arm China to develop chips using “state-approved” cryptography. Nick Weaver and I agree that, while there are some technical challenges on this road, there's a clear Chinese agenda to lose dependency on US suppliers. 

In the Department of Hacking, the aptly-named Plundervolt allows hackers to steal data using the power supply of Intel chips. The immediate hole has been closed, but Nick thinks the hack suggests bigger problems for Intel down the road. We also discuss Apple's flirtation with the using DMCA to get Twitter to de-tweet an encryption key compromising a less-than-critical aspect of iPhone 11 security, and I report on an 11th Circuit decision on insurance coverage for losses from spear-phishing.

With Stewart Baker away, I point out that it's not just the EU that is going after Big Tech. Amazon's new-ish Ring subsidiary seems to have scored a couple of own-goals with privacy and security practices for its smart doorbells – Nick explains in detail. And I relate the Wall Street Journal report that the FTC is considering seeking an injunction of Facebook app integration, and the big 7.5% tax that Turkey will levy on digital services beginning in March.

Finishing up in the Gulf, we look at a “very big” cyberattack on Iranian banks that the Iranian government claims is state-sponsored. Nate doubts intimations that the US is involved, and we agree that political and commercial motives are difficult to disentangle in this type of attack. Across the Strait of Hormuz, we explore the involvement of former counterterrorism czar Richard Clarke in helping the United Arab Emirates build its DREAD (who thought that was a good name?) counterterrorism unit and the policy implications and slippery slope of allowing US expertise to be used for such efforts.

Download the 293rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-293.mp3
Category:general -- posted at: 8:24pm EDT

The apparent terror attack at Naval Air Station Pensacola spurs a debate among our panelists about whether the FISA Section 215 metadata program deserves to be killed, as Congress has increasingly signaled it intends to do. If the Pensacola attack involved multiple parties acting across US borders, still a live possibility as we talked, then it would be just about the first such attacks since 9/11 – and exactly the kind of attack the metadata program was designed to identify in advance. 

Nick Weaver tells us that China has resurrected the Great Cannon to attack a popular Hong Kong forum for protesters. I ask why Google hasn’t started issuing warnings to Web browsers who cross the Great Firewall into China without enabling HTTPS to foil the Great Cannon. Meanwhile, Microsoft is working hard to make GitHub, an early Great Cannon victim, an essential part of China’s IT infrastructure. GitHub was attacked because it hosted some content that China hated, including the New York Times, and we verify in real-time that, despite the lure of the Chinese market, Microsoft has not told GitHub to dump the offending content.

In more China news, the trial lawyers are circling TikTok like a wounded wildebeest on the veldt. A California class action alleges that TikTok harvested and sent data to China, and an Illinois class action charges the company with violating COPPA by marketing to children without sufficient privacy safeguards.

Paul Rosenzweig and I dig deep into the 20-year history behind the now-abandoned proposal to conduct airport facial scans on US citizens leaving the country. We reach broad agreement that this is one of the rare privacy versus national security debates in which there’s precious little privacy or national security at stake.

Matthew Heiman provides an overview of the remarkable international food fight over taxes on digital business. USTR is threatening big tariffs on French wine to counter France’s digital tax. Spain is apparently eager to join France in the fight. And the effort to work everything out at the OECD, where the EU has a 20-1 voting advantage over the US, has predictably not worked out well from the US point of view.

Cue the white cat: The United States has actually imposed sanctions on “Evil Corp.” Nick explains that this is part of criminal charges against two highly effective Russian bank hackers – and arguably a confession of weakness on the US government’s part.

Meanwhile, Amazon’s efforts to avoid tort liability for third-party sales on its site look to be suffering a long strategic defeat in the courts. The latest example is a Sixth Circuit ruling allowing plaintiffs to pursue product tort claims against the Internet giant.

I offer a quick update and some kind words for Nancy Pelosi, who is calling for modification of the North American free trade deal to drop the provision turning Section 230 of the Communications Decency Act into international law. This is a genuinely bipartisan complaint, so perhaps she’ll prevail. 

Paul gets stuck explaining two dog-bites-man stories. The FBI says any Russian app could be a counterintelligence threat. What else could they say? And the European Commission, when asked what US regulation of encryption would mean for Europe, says more or less that it may have to move from eyebrow-lifting to throat-clearing

And Nick closes the program with advice about the new Android exploit that works (in the right circumstances) to compromise apps running on a fully patched and up-to-date Android phone

Download the 292nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-292.mp3
Category:general -- posted at: 11:36am EDT

Algorithms are at the heart of the Big Data/machine learning/AI changes that are propelling computerized decision-making. In their book, The Ethical Algorithm, Michael Kearns and Aaron Roth, two Computer Science professors at Penn, flag some of the social and ethical choices these changes are forcing upon us. My interview with them touches on many of the hot-button issues surrounding algorithmic decision-making. Michael and Aaron may not agree with my formulation, but the conversation provides a framework for testing it – and leaves me more skeptical about “bias hacking” of algorithmic outputs.

Less controversial, but equally fun, is a dive into the ways in which Big Data and algorithms defeat old-school anonymization – and the ways in which that problem can be solved. Our guests from Philadelphia help me understand the value of differential privacy. And if you wondered why, say, much of the social science and nutrition research of the last 50 years doesn’t hold up to scrutiny, blame Big Data and algorithms that reliably generate significant correlations once in every 20 tries.

Michael and Aaron also take us deep into the unexpected social costs of algorithmic optimization. It turns out that a recommendation engine that produces exactly what we want, even when we didn’t know we wanted it, is great in the moment but maybe not so great for society. Creating markets in areas once governed by social norms can optimize individual choice but at a considerable social cost, and it turns out that algorithms can do the same – optimize individual gratification in the moment while roiling our social and political order in unpredictable ways. We would react badly to a proposal that dating choices become microeconomic transactions (otherwise known as prostitution) but we don’t feel the same way about reducing them to algorithms. Maybe we should.

Direct download: TheCyberlawPodcast-291.mp3
Category:general -- posted at: 11:12am EDT

This Week in the Great Decoupling: The Commerce Department has rolled out proposed telecom and supply chain security rules that never once mention China. More accurately, the Department has rolled out a sketch of its preliminary thinking about proposed rules. Brian Egan and I tackle the substance and history of the proposal and conclude that the government is still fighting about the content of a policy it’s already announced. And to show that decoupling can go both ways, a U.S.-based chip-tech group is moving to Switzerland to reassure its Chinese participants. Nick Weaver and I conclude that there’s a little less here than Reuters seems to think.

Mark MacCarthy tells us that reports of the University of Chicago’s weather turning sunny and warm for hipster antitrust plaintiffs are probably overdone. Even so, Silicon Valley should be at least a little nervous that even Chicago School enforcers are taking a hard look at personal data and free services as sources of anti-competitive conduct.

Mark also highlights my favorite story of the week, as the Right to be Forgotten discredits itself in, where else, Germany. Turns out that you can kill two people and wound a third on a yacht in the Atlantic, get convicted, serve 20 years, and then demand that everybody just forget it happened. The doctrine hasn’t just jumped the shark. It’s doubled back and put a couple of bullets in the fish for good measure.

Nick explains why NSA is so worried about TLS inspection. And delivers a rant on bad cybersecurity software along the way.

It’s been a bad week for TikTok, which was caught blocking an American Muslim teen who posted about Uighurs in China and offered an explanation that was believable only because US social media companies have offered explanations that were even less credible. I suggest that all the criticism will just lead to more and sneakier ways to block disfavored content without getting caught. And Brian tells us how the flap might affect TikTok’s pending CFIUS negotiation.

Nick ladles out abuse for the bozo who thought it was a good idea to offer cryptocurrency advice on avoiding sanctions to Kim Jong Un’s cyber bank robbers. And Brian explains that the government’s prosecution of the bozo might have to tiptoe past the First Amendment.

Senate Democrats have introduced the Consumer Online Privacy Rights Act, an online privacy bill with an unfortunate acronym (think fossilized dinosaur poop). Mark and I conclude that the bill is more a sign that Washington isn’t going to do privacy before 2021.

Who can resist GPS crop circle spoofing by sand pirates? Not Nick. Or me. Arrr.

I update our story on DHS’s CISA, which has now issued in draft a binding operational directive on vulnerability disclosure policies for federal agencies. It’s now taking comments on GitHub.

And in quick hits: The death of the Hippie Internet, part 734: Apple changes its map to show Crimea as Russian, but only for Russians; Facebook accepts correction notice from the Singapore government; our own Paul Rosenzweig will be an expert witness in the government’s prosecution of the Vault 7 leaker; and Apple’s bad IT cost it $467,000 for sanctions violations. I ask whether we should be blaming Scooby-Doo for the error.

Join Steptoe for a complimentary webinar on Tuesday, December 10. We’ll be talking about the impacts on retailers of the newly implemented California Consumer Privacy Act and the EU’s General Data Protection Regulation. This is a fast-moving area of the law; we can keep you up to date. You can find out more and register here.

Download the 290th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-290.mp3
Category:general -- posted at: 12:39pm EDT