The Cyberlaw Podcast

David Kris, Paul Rosenzweig and I dive deep on the big tech issue of the COVID-19 contagion: Whether (but mostly how) to use mobile phone location services to fight the virus. We cover the Israeli approach, as well as a host of solutions adopted in Singapore, Taiwan, South Korea and elsewhere. I’m a big fan of Singapore, which produced in a week an app that Nick Weaver thought would take a year.

In our interview, evelyn douek, currently at the Berkman Klein Center and an SJD candidate at Harvard, takes us deep into content moderation. Displaying a talent for complexifying an issue we all want to simplify, she explains why we can’t get live with social platform censorship and why we can’t live without it. She walks us through the growth of content moderation, from spam, through child pornography and on to terrorism and “coordinated inauthentic behavior”—the identification of which, evelyn assures me, does not require an existentialist dance instructor. Instead, it’s the latest and least easily defined category of speech to be suppressed by Big Tech.

Returning to the News Roundup, Nate Jones and evelyn mull the head-spinning change the virus has made in the public reputation of Big Tech, but Nate wonders if Silicon Valley's PR glow will last.

Meanwhile, China is celebrating its self-proclaimed victory over COVID-19 by borrowing Russian tactics to spread coronavirus disinformation. I argue that any country adopting Russia’s patented “Who knows what’s true?” tactics probably has something to hide.

We take advantage of evelyn’s Aussie ties to get a translation (and an apology) for Australia’s latest venture into the business of blocking graphic violent content.

David and Paul review the White House’s National Strategy for 5G Security. They talk for two minutes, but they say more than the strategy.

The House of Representative has irresponsibly bolted for home without even a temporary reauthorization of expiring FISA authorities. Paul and David explain why that isn’t quite the disaster it sounds like. Quite.

David says the Justice Department has brought the first fraud case stemming from the coronavirus crisis, and I suggest that case itself has a whiff of false advertising about it.

Amazon is complaining that the Pentagon is trying to fix some of the contract award problems in the big Defense Department cloud procurement. Paul is more sympathetic than I am.

And Paul questions the wisdom of failing to delay CCPA enforcement while the coronavirus rages across California.

Download the 308th Episode (mp3).

 

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Direct download: TheCyberlawPodcast-308.mp3
Category:general -- posted at: 5:42pm EDT

That’s the question I debate with David Kris and Nick Weaver as we explore the ways in which governments are using location data to fight the spread of COVID-19. Phone location data is being used to enforce quarantines and to track contacts with infected people. It’s useful for both, but Nick thinks the second application may not really be ready for a year – too late for this outbreak.

 

Our interview subject is Jason Healey, who has a long history with Cyber Command and a deep recent oeuvre of academic commentary on cyber conflict. Jay explains Cyber Command’s doctrine of “persistent engagement” and “defending forward” in words that I finally understand. It makes sense in terms of Cyber Command’s aspirations as well as the limitations it labored under in the Obama Administration, but I end up wondering whether it’s going to be different from “deterrence through having the best offense.” Nothing wrong with that, in my view – as long as you have the best offense by a long shot, something that is by no means proven.

 

We return to the news to discover the whole idea of national security sunsets looking dumber than it did when it first saw the light of day (which is saying something). Several important FISA authorities have fallen to the floor, Matthew Heiman reports. Thanks to Sens. Rand Paul and Mike Lee, I might add (Nick blames President Trump, who certainly stepped in at a bad time). Both the House and the Senate passed measures to keep FISA authorities alive, but the measures were completely different and out of sync. Maybe the House will fix that this week, but only for a couple months. Because of course we’ll be rested and ready in the middle of a contagion and a presidential campaign for a debate over Sen. Paul’s proposal to make it harder to wiretap and prosecute Americans who spy for foreign governments. 

Maybe some aiming should have come before naming and shaming? The US has dropped the Mueller team’s charges against a sponsor of Russian electoral interference, Matthew tells us.

There’s another major leak about government skullduggery in cyberspace, David tells us, and WikiLeaks is, uh, nowhere to be seen. That’s because the skulldugging government in question is Vladimir Putin’s, and WikiLeaks is looking more and more like it is in cahoots with Putin. So it falls to a group called Digital Revolution to publish internal FSB documents showing Russia’s determination to acquire a huge DDOS network, maybe enough to take whole nations offline. 

 

Alan Cohn makes a guest appearance to discuss the role that DHS’s CISA is playing in the COVID-19 crisis. And it has nothing to do with cybersecurity. Instead, CISA is ensuring the security of critical infrastructure around the country by identifying facilities that need to keep operating, notwithstanding state lockdown orders. We talk about the federalism crisis that could come from the proliferation of critical infrastructure designations, but neither of us expects it soon. 

 

Here’s a surprise: Russia is deploying coronavirus disinformation, claiming that it is a US bioweapon. Uncharacteristically, I find myself praising the European Union for flagging the campaign.

Nick talks about the ambiguity of the cyberattack on Norsk Hydro, and I raise the risk that companies may stop releasing attribution information pointing to nation states because doing so may undercut their insurance claims. 

Finally, we wrap up the story of ex-Uber autonomous driving executive Anthony Levandowski, who has pled guilty to trade-secret theft and is likely headed to prison for a year or three. 

Direct download: TheCyberlawPodcast-307.mp3
Category:general -- posted at: 5:36pm EDT

If your podcast feed has suddenly become a steady diet of more or less the same COVID-19 stories, here’s a chance to listen to cyber experts talk about what they know about – cyberlaw. Our interview is with Elsa Kania, adjunct senior fellow at the Center for a New American Security and one of the most prolific researchers of China, technology, and national security. We talk about the relative strengths and weaknesses of the artificial intelligence ecosystems in the two countries.

In the news, Maury Shenk and Mark MacCarthy describe the growing field of censorship-as-a-service and the competition between US and Chinese vendors. 

Elsa and I unpack the report of the Cyberspace Solarium Commission. Bottom line: The report is ambitious but constrained by political reality. And the most striking political reality is that there hasn’t been a better time in 25 years to propose cybersecurity regulation and liability for the tech sector. Seizing the Zeitgeist, the report offers at least a dozen such proposals.

Nick Weaver explains the joys of trojanizing the trojanizers, and we debate whether that is fourth-party or fifth-party intelligence collection.

In a shameful dereliction, Congress has let important FISA authorities lapse, but perhaps only for a day or two (depending on the president’s temperature when the reauthorization bill reaches his desk). The bill isn’t good for our security, but it mostly consists of new ornaments hung on the existing FISA Christmas tree. 

Mark covers a Swedish ruling that deserves to be forgotten a lot more than the crimes and embarrassments protected by the “right to be forgotten.” This one fines Google for failing to cover up Sweden’s censorship with sufficient zeal.

Nick explains how Microsoft finds itself taking down an international botnet instead of leaving the job to the world’s governments.

Maury reports that a federal trial is exposing the seamy ties between the FSB and criminal Russian hackers. Now we know why Russia fought extradition of the singing hacker to the U.S.

Elsa helps me through recent claims that US chipmakers face long-term damage from the U.S.-China trade fight. That much is obvious to all; less obvious is what the U.S. can do to avoid it.

Nick and I talk about Facebook’s suit against NSO Group. I claim that NSO won this round in court but lost in the media, which has finally found a company it hates more than Facebook. Nick thinks Facebook is quite happy to swap a default judgment for a chance at discovery.

In other quick hits, the Department of Defense is wisely seeking a quick do-over in the cloud computing litigation involving Amazon Web Services and Microsoft. House and Senate committees have now okayed a bill to give the Cybersecurity and Infrastructure Security Agency much-needed and uncontroversial subpoena authority to identify at-risk Internet users. Rebooting my "Privacy Kills" series, I break the injunction against COVID-19 news to point out that dumb privacy laws likely delayed for weeks discovery of how widespread COVID-19 was in Seattle. And Joshua Schulte’s trial ends in a hung jury; I want to know where the post-trial jury interview stories are.

Download the 306th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-306.mp3
Category:general -- posted at: 6:08pm EDT

The NSA’s use of call detail records to spot cross-border terror plots has a long history. It began life in deepest secrecy, became public (and controversial) after Edward Snowden’s leaks and was then reformed in the USA Freedom Act. Now it’s up for renewal, and the Privacy and Civil Liberties Oversight Board, or PCLOB, has weighed in with a deep report on how the program has functioned – and why NSA has suspended it. In this episode, I interview Travis LeBlanc, a PCLOB Member, about the report and the program. Travis is a highly effective advocate, bringing me around on several issues, including whether the program should be continued and even whether the authority to revive it would be useful. It’s a superb guide to a program whose renewal is currently being debated (against a March 15 deadline!) in Congress.

Direct download: TheCyberlawPodcast-305.mp3
Category:general -- posted at: 12:31pm EDT

Our interview in this episode is with Glenn Gerstell, freed at last from some of the constraints that come with government service. We cover the Snowden leaks, how private and public legal work differs (hint: it’s the turf battles), Cyber Command, Russian election interference, reauthorization of FISA, and the daunting challenges the US (and its Intelligence Community) will face as China’s economy begins to reinforce its global security ambitions. 

In the news, Nate Jones and Nick Weaver talk through the new legal and technical ground broken by the United States in identifying two Chinese nationals and the $100 million in cryptocurrency they laundered for North Korean hackers.

Paul Rosenzweig lays out the challenge posed for the Supreme Court’s Carpenter decision by LocateX, which provides detailed location data commercially. This is exactly the quagmire I expected the Court to find itself in when it abandoned the third-party doctrine on a one-off basis. Nick points out that the data is only pseudonymized and tries with mixed success to teach me to say “de-pseudonymized.” 

Nate and I conclude that facial recognition has achieved a new level of infamy. Kashmir Hill at the New York Times adds a new drop of poison in a story that could just as well have repeated “I hate Clearview AI” 50 times for all it told us about the company. And Anna Merlan of Vice published a story about Clearview’s practices.

Direct download: TheCyberlawPodcast-304.mp3
Category:general -- posted at: 7:27pm EDT

This is a bonus episode of the Cyberlaw Podcast – a freestanding interview of Noah Phillips, a Commissioner of the Federal Trade Commission. The topic of the interview is whether privacy and antitrust analysis should be merged, especially in the context of Silicon Valley and its social media platforms. Commissioner Phillips, who has devoted considerable attention to the privacy side of the FTC’s jurisdiction, recently delivered a speech on the topic and telegraphed his doubts in the title: “Should We Block This Merger? Some Thoughts on Converging Antitrust and Privacy.” Subject to the usual Cyberlaw Podcast injunction that he speaks only for himself and not his institution or relatives, Commissioner Phillips lays out the very real connections between personal data and industry dominance as well as the complexities that come from trying to use antitrust to solve privacy problems. Among the complexities: the key to more competition among social media giants could well be more sharing between companies of the personal data that fuels their network effects, and corporate sharing of personal data is what privacy advocates have spent a decade crusading against. It’s a wide-ranging interview, touching on, among other things, whether antitrust can be used to solve Silicon Valley’s censorship problem (he’s skeptical) and what he thinks of suggestions in Europe that perhaps the Schrems problem can be solved by declaring that post-CCPA California meets EU data privacy standards. Commissioner Phillips is bemused; I conclude that this is just Europe seeking revenge for President Trump’s Brexit support by promoting “Calexit.”

Download the 303rd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-303.mp3
Category:general -- posted at: 9:58am EDT

This episode features a lively (and—fair warning—long) interview with Daphne Keller, Director of the Program on Platform Regulation at Stanford University’s Cyber Policy Center. We explore themes from her recent paper on regulation of online speech. It turns out that more or less everyone has an ability to restrict users’ speech online, and pretty much no one has both authority and an interest in fostering free-speech values. Conservatives may be discriminated against, but so are Black Lives Matter activists. I serve up one solution to biased moderation after another, and Daphne methodically shoots them down. Transparency? None of the companies is willing, and the government may have a constitutional problem forcing them to disclose how they make their moderation decisions. Competition law? A long haul, and besides, most users like a moderated Internet experience. Regulation? Only if we take the First Amendment back to the heyday of broadcast regulation. As a particularly egregious example of foreign governments and platforms ganging up to censor Americans, we touch on the Europe Court of Justice’s insufferable decision encouraging the export of European defamation law to the U.S.—with an extra margin of censorship to keep the platform from any risk of liability. I offer to risk my Facebook account to see if that’s already happening.

In the news, the FISA follies take center stage, as the March 15 deadline for reauthorizing important counterterrorism authorities draws near. No one has a good solution. Matthew Heiman explains that another kick-the-can scenario remains a live option. And Nick Weaver summarizes the problems that the PCLOB found with the FISA call detail record program. My take: The program failed because it was imposed on NSA by libertarian ideologues who had no idea how it would work in practice and who now want to blame NSA for their own shortsightedness.

Another week, another couple of artificial intelligence ethics codes: The two most recent ones come from DOD and … the Pope? Mark MacCarthy sees a lot to like. I offer my quick and dirty CTRL-F “bias” test for whether the codes are serious or flaky, and both fail.

In China news, Matthew covers China’s ever-spreading censorship regime—now reaching Twitter users whose accounts are blocked by the Great Firewall. We also ask whether and how much the U.S. “name and shame” campaign has actually reduced Chinese cyberespionage. And whether China is stealing tech from universities for the same reason Willie Sutton robbed banks—that’s where the IP is.

Nick recounts with undisguised glee the latest tribulations suffered by Clearview and its facial recognition system: Its app has been banned from Android and Apple, and both its customers and its data collection methods have been doxed.

Mark notes the success of threats to boycott Pakistan on the part of Facebook, Google and Twitter. I wonder if that will simply incentivize Pakistan to drive its social media ecosystem toward the Chinese giants. Nick gives drug dealers a lesson in how not to store the codes for €53.6 million in Bitcoin; or is he offering a lesson in what to say to the police if you want that €53.6 million waiting for you when you get out of prison?

Finally, in a few quick hits, we cover new developments in past stories: It turns out, to the surprise of no one, that removing a GPS tracking device from your car isn’t theft. West Virginia has apparently recovered from a fit of insanity and now does not plan to allow voting by insecure app. And the FCC is taking it slow in its investigation of mobile carriers for selling customer location data; now we know who’ll be charged (pretty much everyone) and how much it will cost them ($200 million), but we still don’t know the theory or whether the whole inquiry is going to kill off legitimate uses of location data.

 

Download the 302nd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Direct download: TheCyberlawPodcast-302.mp3
Category:general -- posted at: 5:02pm EDT

1