Having trouble understanding what President Trump and Rep. Nunes are banging on about? Try putting the shoe on the other foot…
It’s 2020. Kamala Harris finishes a close second in New Hampshire, beating expectations that Elizabeth Warren would sweep her neighboring state (and its shared media market). Harris roars into South Carolina, where she suddenly leads in the polls with a message of repudiating what she calls the Trump administration’s dangerous foreign brinksmanship.
Whatever you call it, you can’t call it dull. President Trump has forced Iran to renegotiate the nuclear deal by the simple expedient of expanding US sanctions to include the seizure and impoundment of any tanker carrying Iranian oil. The oil market remains stable, buoyed by record US oil and gas production. But the move prompts a diplomatic rupture and some tense maritime confrontations with India and China. Undeterred, the President says North Korea is next in line for what he calls “Sanctions that work. Unlike the last guy’s. Not a leader!”
But it will only take one foreign mishap to make Harris tough to beat. She’s fresh and virtually untouched by Warren’s surprised oppo research team. The Trump team vows that it won’t be caught similarly flat-footed.
In July, the intelligence community picks up rumors that intelligence services from Iran, North Korea, and China are working together to ensure a Harris victory in November.
The President erupts at an NSC meeting. “This is intolerable! I want to know everything about foreign interference in our election – and whether any Americans are colluding with Iran. This is a top priority for all of our counterintelligence agencies.”
Attorney General Sessions approves FISA wiretap applications for every known or suspected Iranian foreign agent, with special focus on anyone known to have contacted the Harris campaign. The surveillance reveals that Harris campaign officials talked regularly to Iranian agents and even asked for help in formulating her famous “I will prosecute the President as a war criminal” speech.
The FBI circulates the transcripts to the National Security Council and high-ranking White House officials. The identities of Harris campaign staff are initially “masked”, but many officials, including Steve Bannon, insist on knowing the names “to determine how deeply Iran’s influence operation has penetrated the Harris organization.”
Within weeks, there is a swirl of public speculation about Harris and Iran, but she successfully rejects it as a “diehard Warren delusion.” With more passion than grammar, her top foreign policy adviser denies the rumors “categorically and irrefutably.”
The nominating convention is a love fest. Three weeks later, transcripts of the Harris foreign policy guru’s conversations with Iranian operatives are leaked by government sources. Within a day, bumper stickers appear, saying, “Was it treason? Categorically and irrefutably!”
With that as her introduction to the American public, Harris’s campaign sputters and collapses.
Faced with that scenario, who thinks the press would be mocking Harris’s claim that her campaign was wiretapped by its enemies? So why are reporters mocking Trump’s?
Fact is, there’s a very real problem at the bottom of President Trump’s complaints. The Obama administration decided to conduct what was bound to be one-sided surveillance. Any evidence the investigators turned up would hurt the President’s adversary, not his side. The same would be true of any leaks. And widespread distribution of intelligence from the investigation would dramatically increase the risk that his adversary will be hurt by leaks. If you’re the President, or anyone in his administration, what’s not to like?
Who made the decision to expose the Trump campaign to this scrutiny and the risks that came with it? Thanks to FISA, national security surveillance decisions must be made mainly by political appointees. This is meant to be a protection for civil liberties but it’s the reverse in a partisan context. I’m sure that the Trump campaign would rather have had the decision to launch a FISA tap made by the first two names in the DOJ phone book than by Loretta Lynch and Sally Yates. (I realize that Team Trump is now focusing more on surveillance of what might be called “institutional foreign agents” – people who don’t hide their allegiance to foreign nations. The Mike Flynn transcript may have come from such surveillance, as may much of the other “incidental” collection of Trump campaign contacts that Rep. Nunes briefed the President on. Such surveillance goes on with or without an investigation, but distribution of the product would likely be wider once an investigation is opened.)
All that said, appreciating the force of President Trump’s concerns does not mean we shouldn’t have done the investigation. In my view, we have no choice but to investigate and respond aggressively when other countries interfere with our elections. But we also ought to recognize and take action to limit the partisan temptations that such investigations will inevitably offer. Because if anything is utterly predictable about the 2020 election, it’s that foreign governments will try to influence it and that partisan passions will be high. So the surveillance shoe is going to be on someone’s foot in 2020. Ditto for 2024 and 2028 and 2032…
So we might as well try to draw some lessons from the Trump team’s unhappiness instead of pretending that their grievances are entirely illegitimate. Without being able to offer a grand solution, I can think of things that would ameliorate the risk. Maybe the government should be required to identify in advance national security investigations likely to have an impact on political officials or candidates and take special steps to depoliticize them. Perhaps political appointees should recuse themselves from the decision to launch such investigations. And the anonymity of US persons who are also surveilled in such investigations could be protected by special limits on distribution of the masked intelligence and by requiring special assurances from those who want to unmask US persons.
I can’t pretend that these are the only or the best ways to address the problem I see. Turning these decisions over to career people does nothing for those who buy the Deep State meme – or the presumption that civil servants mostly vote Democratic. And after all is said and done, these are minor tweaks, not strong protections against abuse. But at least they’d reduce the risk that Americans will end up in a circular surveillance firing squad every four years.
Episode 155 of the podcast offers something new: equal time for opposing views. Well, sort of, anyway. In place of our usual interview, we’re running a debate over hacking back that CSIS sponsored last week. I argue that US companies should be allowed to hack back; I’m opposed by Greg Nojeim, Senior Counsel at the Center for Democracy & Technology and Jamil Jaffer, Vice President for Strategy & Business Development of IronNet Cybersecurity. (Jeremy Rabkin, who was supposed to join me in arguing the affirmative, was trapped in Boston by a snowstorm.)
In the news, we can’t avoid the unedifying – and cynical on both sides – spat between press and White House over wiretapping. We then turn to legal news, where I note the DC circuit’s adoption of a cursory and unpersuasive reading of the Foreign Sovereign Immunities Act in the context of state-sponsored hacking of activists in the United States.
Maury Shenk next unpacks the latest ECJ opinion refusing to apply the “right to be forgotten” across the board to government databases. So far, the only clear application is to American tech giants. That’s also true of the latest German proposal to make the internet safe for censors, government and nongovernment alike. As Maury explains, the German Justice Minister is proposing fines up to $50 million for tech giants that don’t censor online speech fast enough or hire enough European private censors to keep up with the workload.
The Justice Department’s indictments in the Yahoo! hack show just how remarkably intertwined Russian intelligence and Russian cybercrime have become.
Alan Cohn and I chew over the latest developments in the new administration’s approach to cybersecurity – a determination to cripple botnets more effectively, and a willingness to exempt DHS cyber programs from what looks like a drastic set of budget cuts for nondefense agencies. Whether the administration can make progress on botnets while sticking to voluntary measures is uncertain; equally uncertain is whether the plus-ups for DHS cyber reflect real satisfaction with the agency’s performance of that mission in recent years.
Finally, Maury and I ask whether the German government is surrendering to reality in pursuing more effective video surveillance of possible criminals and terrorists.
As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
In this week’s episode, we ask two former NSA cybersecurity experts, Curtis Dukes and Tony Sager, both now from the Center for Internet Security, what advice they give family members about how to keep computers, phones, and doorbells safe from hackers.
Joining us for the news round-up is Carrie Cordero, a Washington lawyer and adjunct professor of Law at Georgetown University who focuses on national security law, homeland security law, cybersecurity and data protection issues.
Topping the news is the Wikileaks Vault7 release, including Assange’s mischievous offer to work with Silicon Valley to fix vulnerabilities before they’re disclosed. Carrie, Markham Erickson, and I comment.
Stephanie Roy reports that the FCC is investigating a 911 outage at AT&T; so far the agency has been tight-lipped about the details.
Home Depot is nearing the finish line in its data breach ordeal, Jennifer Quinn-Barabanov reports. The banks that had to reissue credit cards were among the last holdouts; they’re getting $25 million, which sounds like a lot until you do the math and realize it’s two bucks a card.
Jennifer tells us that another defense effort to moot a TCPA class action by picking off a named plaintiff has been thwarted – this time by the Second Circuit.
Tom Graves (R-GA) has introduced a hackback defense to CFAA liability. Markham and I trade barbs over the wisdom of allowing hackback defenses, but we reach agreement on the depth of Uber’s greyballing problems – and the risk that more companies will use big data to disfavor some customers without telling them.
Carrie reports on developments in the FBI-Geek Squad imbroglio, and I mock the reporters who bought the deeply unappealing defendant’s claim to be a civil liberties victim.
Last, and well worth the wait, Jennifer and I update our listeners on the latest in CyberSexToy privacy. Turns out the records of your, er, interactions with your internet-enabled vibrator can be compromised for a surprisingly low settlement price. Maybe today is the day we really ought to call time of death for internet privacy.
As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
In this episode, Matt Tait, aka @PwnAllTheThings, takes us on a tour of Russia’s cyberoperations. Ever wonder why there are three big Russian intel agencies but only two that have nicknames in cybersecurity research? Matt has the answer to this and all your other Russian cyberespionage questions.
In the news, we mourn the loss of Howard Schmidt, the first cyber czar and one of the most decent men in government. Then we descend into the depths of the Trump wiretap story. I reprise some of my views from Lawfare. Michael Vatis is not persuaded.
After Microsoft’s refusal to provide data stored in the cloud outside the US was upheld in the Second Circuit, things looked rosy for its position. But now two magistrates in a row have rejected it. Michael and I discuss the latest ruling.
Maury Shenk is now our official commentator on the legal consequences of Internet-enabled toys. This time it’s teddy bears, whose interactions with children and parents were exposed by hackers.
More seriously, Maury praises an impressive new analysis of China’s 50c army of tweeters. It turns out that everything we thought we knew about the 50c army is wrong.
Just in time for an early spring, we have harbingers of the coming fight over reauthorization of the 702 intercept program. Director of National Intelligence candidate Coats promises to put a number on the US persons whose communications are caught up in the program; the Electronic Frontier Foundation (EFF) and other NGOs turn on both the US government and Silicon Valley to urge that Privacy Shield be held hostage to changes in the program. And the incoming Commerce Secretary, Wilbur Ross, endorses Privacy Shield, a move that may validate EFF’s tactics.
As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
Download the 153rd episode (mp3).
Our guest for episode 152 is Paul Rosenzweig. In the news roundup, Stephanie Roy outlines the deregulatory tangle around ISPs, privacy, security, and the FCC. Maury Shenk briefs us on the European legislation authorizing the quashing of terrorist advocacy on line. Jennifer Quinn-Barabanov explains when standing is a defense against privacy claims and when it isn’t. Together, we remark on the latest example of formerly stodgy banks embracing their inner plaintiffness.
Maury explains why the Germans have banned Cayla the talking (and listening!) doll. I ask whether the Germans next plan to ban speakerphones. (Likely answer: only if they come from America.)
Paul and I dig into the Amazon claim that the first amendment prevents enforcement of a criminal discovery order seeking Amazon Echo recordings. Hey, the suspect might have been ordering books, and that’s a first amendment activity, says Amazon, and anyway, what Alexa said back to the suspect was an exercise of Amazon’s first amendment rights. These arguments cry out for the command most frequently heard by my music-playing Echo: “Alexa, that’s enough.”
Almost as unpersuasive to Paul and me is magistrate judge David Weisman’s refusal to issue an order allowing the police to search a home and make anyone on the premises put their fingers on their iPhones to unlock them. That act is testimonial in Weisman’s opinion because, well, because he says it is. (His fourth amendment analysis is better, but hardly compelling.)
Paul explains the dramatic clash of cultures hidden in the otherwise esoteric battle between the GSA’s inspector general and “18F,” an Obama-meets-Silicon-Valley effort to streamline government IT development. Like any good tragedy, you knew from the start that this trainwreck was coming, but you still can’t look away.
The draft cyber executive order still isn’t out, despite what looks like a much more disciplined vetting process than other EOs went through. What’s the reward for running a good interagency process in a White House not noted for such discipline? The Homeland Security Council may get folded under the National Security Council.
No one has heard of the National Association of Secretaries of State in 50 years. And if you want to know why, we say, look no further than NASS’s foolish resolution objecting to the designation of electoral systems as “critical infrastructure.”
Finally, Paul and I noodle over DHS’s request that Chinese visitors to the US voluntarily disclose their social media handles. I predict that this puts the frog in the pot and the stove on simmer. Meanwhile, Paul finds one border security measure that even I wouldn’t adopt.
In this episode, Stewart Baker goes to RSA and interviews the people that everyone at RSA is hoping to sell to – CISOs. In particular, John “Four” Flynn of Uber, Heather Adkins of Google, and Troels Oerting of Barclays Bank. We ask them what trends at RSA give them hope for the future, which make them weep, what’s truly new in cybersecurity, and what kind of help they would like from government.
While Stewart’s traveling, Alan Cohn takes over the news roundup. We start with some news from the RSA Conference keynotes. Brad Smith, President of Microsoft, called for a cyber “Geneva Convention” on behalf of the sovereign nation of Microsoft. And Rep. Michael McCaul (R-TX), chair of the House Committee on Homeland Security, announced his opposition to backdoors in encryption, lining up with former Secretary of Homeland Security Michael Chertoff and former NSA and CIA Director Michael Hayden but against current Attorney General Jeff Sessions and current FBI Director Jim Comey.
In news from across the pond, Maury walks us through the EU’s efforts to take on robots. We coin the term #EURobotHammer in the process (it’s complicated). Maury also tells us whether the Russians are hacking the French elections (it’s complicated).
Back stateside, Alan asks what the cyber implications are of “out like Flynn, in with McMaster” at the National Security Council. Alan also confides in us about White House staffers’ use of confidential messaging apps like Confide (see what we did there?).
As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
Our interview features a classic buzzkill headline: “Worthwhile Canadian Initiatives.” We explore multiple worthwhile Canadian initiatives with Dominic Rochon, deputy chief of policy and communications for CSE, Canada’s version of the NSA and with Patricia Kosseim, general counsel and director general for policy at the Office of Canada’s Privacy Commissioner. Among other things, we take a close look at Canada’s oversight regime for intelligence, in which a retired judge gets to exercise executive authority over the CSE – in contrast to the US system where active judges do the same but pretend they’re carrying out a judicial function.
In the news roundup, Judge Robart is doing his best to hog the judicial headlines, not only blocking the Trump administration’s immigration policy but giving support to Microsoft’s suit to overturn discovery gag orders en masse. His opinion allows Microsoft to proceed with a lawsuit claiming that gag orders violated the First Amendment.
The Trump Administration could soon begin asking foreigners coming to the United States — particularly from some Muslim-majority countries — to turn over their social media accounts and passwords. This is a policy begun under the Obama administration and supported by bipartisan homeland security groups. I predict that it will nonetheless soon be trashed by the press as an Evil Trump Initiative.
Tallinn 2.0 is out. It applies international law to cyber activity at and below the threshold of armed conflict. Color me skeptical.
The cybersecurity Executive Order that’s been hanging fire for weeks is still hanging fire. A new draft has been leaked, though, and it’s better.
Hal Martin is indicted for stealing massive amounts of data from NSA and perhaps others. According to a Washington Post report, US officials think Martin may have stolen 75% of the NSA’s hacking tools. Ouch.
In other news, Rick Ledgett, the No. 2 official at the NSA is leaving but not because of Trump. And Google has told several prominent journalists that state-sponsored hackers are trying to break into their inboxes.
Our guest for episode 149 of the podcast is Jason Healey, whose Atlantic Council paper, “A Nonstate Strategy for Saving Cyberspace,” advocates for an explicit bias toward cyber defense and the private sector. He responds well to my skeptical questioning, and even my suggestion that his vision of “defense dominance” would be more marketable if paired with thigh-high leather boots and a bull whip. #50ShadesofCyber.
In the news roundup, we experiment with, uh, actual legal discussion. The Microsoft Ireland case has company; Google recently lost a similar argument before a magistrate judge – maybe because it couldn’t say where the data it wanted to protect from disclosure actually was. Michael Vatis explains.
Meredith Rathbone and I take a victory lap over CNN and its reporters, noting that if they’d listened to the podcast, they’d have known a month early that US sanctions had unexpectedly prevented US companies from filing license applications with Russian intelligence agencies – and that allowing companies to make such filings wasn’t an opportunity for hyperventilating about President Trump’s bromance with Putin.
Michael and I also deconstruct Supreme Court nominee Neil Gorsuch’s opinion in US v. Ackerman. The opinion calmly and clearly puts a hole below the waterline in a longstanding approach to collecting evidence in child porn cases. If this case gives a clue to his jurisprudence, it seems unlikely that a Justice Gorsuch will be a pushover for government arguments.
Can American companies sue governments that hack them in the US? I hope so, but that depends on whether the Foreign Sovereign Immunities Act provides protection for malware sent from abroad that does its damage here. In an unlikely-bedfellows moment, I’m depending on EFF to make that argument to the DC Circuit.
And, to follow up on two stories we covered earlier, Brexit authority slips quickly through the House of Commons, while Google’s penny-pinching settlement of a massive “wiretapping” class action is approved over objections to the cy pres payments to the usual NGOs.
Our guest for episode 148 of the podcast is Corin Stone, the Executive Director of the National Security Agency. Corin handles some tough questions – should the new team dump PPD-28, how is morale at the agency after the Snowden and Shadowbroker leaks, and will fully separating Cyber Command from NSA mean new turf fights? I give Corin plenty of free advice and, more usefully, our first in-person award of the coveted Steptoe Cyberlaw Podcast coffee mug.
In the news, Alan Cohn and I cover the Second Circuit’s much-ado-about-nothing package of opinions on rehearing the Microsoft-Ireland case.
Maury and I discuss what the new White House executive order on the privacy rights of foreigners means – as well as Donald Trump’s meeting with Theresa May (including whether they talked about Russia sanctions). Also on the agenda: Has Donald Trump already surpassed Barack Obama’s lifetime record for holding hands with prominent White House visitors?
Speaking of Peter Thiel, Jennifer Quinn-Barabanov and I speculate about whether FTC commissioner Maureen Ohlhausen will pull the FTC back from the ledge on suing companies for security flaws that don’t cause demonstrable consumer harm. And whether Peter Thiel is looking for someone else to chair the FTC.
Our guest interview is with Jack Goldsmith, Shattuck Professor of Law at Harvard and co-founder of Lawfare. We explore his contrarian view of how to deal with Russian hacking, which leads to me praising (or defaming, take your pick) him as a Herman Kahn for cyberconflict. Except what’s unthinkable in this case are his ideas for negotiating, not fighting, with the Russians.
In the news roundup, I ask Michael Vatis whether the wheels are coming off the FTC’s business model, as yet another company refuses to succumb to the commission’s genteel extortion.
The Obama Administration came to an end last week, and its officials left behind a lot of paper to remind us why we’ll miss them — and why we won’t. A basically sympathetic review of the administration’s cyber policies ends with a harsh judgment on President Obama: “He did almost everything right and it still turned out wrong.”
Among the leftovers served up last week: a farewell statement on privacy that seems unlikely to prove relevant in the new administration, a workman-like report on cyber incident response, a wistful FCC public safety bureau report on the commission’s cybersecurity initiatives, and a zombie notice that showed up in the Federal Register three days into the Trump administration, implementing the Umbrella Agreement on data protection with the EU. Maury Shenk evaluates the agreement and its prospects.
And just to make sure we haven’t forgotten the new team’s rather different approach, it posted a policy statement on how good its cyber policy will be. It reads, in its entirety, “Cyberwarfare is an emerging battlefield, and we must take every measure to safeguard our national security secrets and systems. We will make it a priority to develop defensive and offensive cyber capabilities at our U.S. Cyber Command, and recruit the best and brightest Americans to serve in this crucial area.”
I try a quick explanation of the flap between security researchers and the Guardian over an alleged “back door” in WhatsApp messaging. Somehow, the Iran-Iraq war makes an appearance.
And, in a first for the Steptoe Cyberlaw Podcast, Alan Cohn reports as our roving foreign correspondent from – where else? – Davos. Want to know what the global 1% are worried about – other than you? Alan has the answers.
Would it violate the Posse Comitatus Act to give DOD a bigger role in cybersecurity? In episode 146, Michael Vatis and I call BS on the idea, which I ascribe to Trump Derangement Syndrome and Michael more charitably ascribes to a DOD-DHS turf fight.
Should the FDA allow hospitals to implant defibrillators with known security flaws in unknowing patients? I argue that that’s the question raised by the latest security flaw announcement from the FDA, DHS, and St. Jude Medical (now Abbot Labs).
Repealing the FCC’s internet privacy regulations is well within Congress’s power if it acts soon, says Stephanie Roy, who stresses how rare it is for Republicans to hold the presidency and both houses of Congress. (And who says President Obama didn’t leave a legacy?)
The European Commission isn’t done complaining about US security programs, Maury Shenk tells us. Vera Jourova wants to know more about the US request that Yahoo! screen for certain identifiers and hand over what it finds. That’s apparently too useful for finding terrorists to satisfy delicate European sensibilities. Speaking of which, Angela Merkel is in the bulls-eye for Russian doxing. And to hear Maury tell it, Russia has probably been collecting raw material for years.
Should we start treating Best Buy computer support as though its geeks work for the FBI? And would that be a defense if they find bad stuff on our computers without a warrant? Michael thinks it’s more complicated than that.
Speaking of overhyped stories, Michael and I unpack the claim that President Obama’s team is handing out access to raw NSA product with unseemly haste and enthusiasm. In fact, this proposal has been kicking around the interagency for years, and the access is heavily circumscribed. As for the haste, it could be the outgoing team is afraid its proposal will be unduly delayed by the new guys – or that all its circumscribing will be second-guessed. You make the call!
And for something truly new, we offer “call-in corrections,” as Nebraska law professor Gus Hurwitz tells us about the one time the FTC discussed the NIST Cyber Security Framework. It’s safe to say that this correction won’t leave the FTC any happier than my original charge that the agency can’t get past “Hey! I was here first!”
We interview two contributors to CSIS’s Cybersecurity Agenda for the 45th President. Considering the track record of the last three Presidents, it’s hard to be optimistic, but Davis Hake and Nico Sell offer a timely look at some of the most pressing policy issues in cybersecurity.
In the news roundup, it’s more or less wall to wall President-elect Trump. Michael Vatis, Alan Cohn, and I talk about Russian hacking, the American election, Putin’s longtime enthusiasm for insurgent movements from “Occupy Wall Street” to “Make America Great Again,” and the President-elect’s relationship with the intelligence community.
In other news, I’m forced to choose between dissing the New York Times and dissing Apple’s surrender to Chinese censorship. Tough call, but I make it. Speaking of censorship, Russia is rapidly following China’s innovation in app store regulation. For legal antiquarians, I suggest that the Foreign Agent Registration Act deserves a comeback.
It seems to be solidarity week. Lots of amici have leapt to support LabMD in court now that it looks like a winner. Meanwhile I stick up for Mike Masnick, the man who puts the dirt in Techdirt. He may be a colorfully opinionated jerk, but he doesn’t deserve to be a defendant. And I congratulate Lawfare for joining the Europocrisy campaign on Schrems and China.
We start 2017 the way we ended 2016, mocking the left/lib bias of stories about intercept law. Remember the European Court of Justice decision that undermined the UK’s new Investigatory Powers Act and struck down bulk data retention laws around Europe? Yeah, well, not so much. Maury Shenk walks us through the decision and explains that it allows bulk data retention to continue for “serious” crime, which is really the heart of the matter.
We can’t, of course, resist an analysis of the whole Russian election interference sanctions brouhaha. The FBI/DHS report on Russian indicators in the DNC hack is taking on water, and its ambiguities have not been helped by a Washington Post article on alleged Russian intrusion into Vermont Yankee’s network. That story had to be walked way back, from an implicit attack on the electric grid to an apparently opportunistic infection of one company laptop. No one is surprised that there’s an increasingly partisan split over who’s going to answer the phone now that the 1980s really have called to get their foreign policy back.
Meredith Rathbone walks us through the revamp of the Obama Administration’s cyber sanctions in an attempt to address election meddling. And we manage to find a legal twist to the new sanctions on the FSB. Turns out that large numbers of US tech firms have to deal with the FSB, not as a buyer of services but as a regulator, both of encryption and intercepts inside Russia. If the sanctions prohibit dealing with FSB as a regulator, Maury reports, they could end up imposing unintentionally broad restrictions on a lot of US companies doing business in Russia.
Meredith also updates us on the Wassenaar effort to control exports of “intrusion software” – which some European governments seem to want to regulate in a way that does maximum damage to cybersecurity. The overreaching was blunted in a recent Wassenaar meeting, but not nearly as much as the US government – and industry – had hoped. The issue won’t go away, but it will soon become an appropriate job for the author of “The Art of the Deal.”
Finally, Jennifer Quinn-Barabanov takes us on a tour of the dirtier back streets of privacy class action practice – otherwise known as cy pres awards and their challengers. It sounds like “genteel corruption” to me, but you be the judge.
Fresh off a redeye from Israel, I interview Matthew Green of the Johns Hopkins Information Security Institute. Security news from the internet of things grows ever grimmer, we agree, but I get off the bus when Matt and the EFF try to solve the problem with free speech law.
In the news roundup, Matt joins Michael and me to consider the difficulties of retaliating for Putin’s intrusion into the US election. There just aren’t that many disclosures that would surprise Russians about Vlad, though the Botox rumors are high on my list.
In other news, the EU’s cybersecurity agency, ENISA, issues a report on crypto policy that has a surprisingly musty air.
Two new settlements show the limits of privacy law. Michael Vatis covers them both. Ashley Madison settles with the FTC and is assessed a large fine that has to be partially forgiven because the company can’t pay. We all thought that adultery was a more durable business model. And Google settles a class action for unlawful wiretapping by agreeing to scan everyone’s email a few microseconds later than it used to. And to spike the football in its victory, Google offers most victims of the violation damages that amount to, well, nothing.
Ah, but Europe marches on, convinced that more privacy regulation will solve the twenty-first century for Europe. Given a choice between more privacy regulation or less, the EU of course chooses more. Maury Shenk explains. Meanwhile faced with the problem of “fake news” and the real risk that Vladimir Putin will use doxing and propaganda against Angela Merkel in her election next year, Europe has the answer: more regulation, especially regulation that puts all the blame on American social media companies. The first amendment rights of Americans look to be collateral damage.
Too busy to read the 100-page Presidential Commission on Enhancing National Security report on what the next administration should do about cybersecurity? No worries. Episode 142 features a surprisingly contentious but highly informative dialog about the report with Kiersten Todt, the commission’s executive director.
In the news, Lindsey Graham, John McCain, and a host of Dems want to investigate Russia’s role in the recent election, while the President-elect thinks it’s, well, fake news, to borrow a lefty trope. Michael Vatis presses me to pick a side. Long-time listeners won’t be surprised at my answer.
Gen. John Kelly is picked to head DHS. What does that say about its role in cybersecurity? Nothing, I venture. On crypto, though, we could finally see a commission. Chairman McCaul supports the idea, and it’s just possible that foreign government action and the Trump presidency will finally make Silicon Valley nervous enough to stop stonewalling and start talking.
We close with a definitive five-minute briefing on the future of net neutrality. The quick answer is that the dingoes are now running the child care center.
We begin by asking Rihanna to sum up the latest US-EU agreement:
That’s when you need me there
With you I’ll always share …
You can stand under my umbrella
RiRi’s got the theory right: The Umbrella Agreement was supposed to make sure the US and EU would always share law enforcement data. But when the Eurocrats were done piling on the caveats, it was clear what concessions the US had made, but it wasn’t clear if the EU had made any at all. So if you're keeping score, that's US=Rihanna, EU=Chris Brown. But we're sure that down deep they really love us, and we'll be moving in together again soon.
Meanwhile, the Investigatory Powers Act has gained royal assent. Maury Shenk walks us through both developments.
The Trump administration is hinting at a change in responsibility for protecting critical infrastructure from cyberattack, and it’s consistent with the President-elect’s enthusiasm for turning hard jobs over to generals. Congress is doing its bit, elevating Cyber Command to full combatant command status.
In good news, DOJ and a boatload of other countries have sinkholed the Avalanche botnet. Michael Vatis has the details.
Kudos to Sen. Cornyn, who held off a series of left/lib attacks on the changes to Rule 41 that are needed to catch even moderately sophisticated child abusers and hackers.
Tom Donilon’s Commission on what the next administration should do about cybersecurity has delivered its recommendations. The response: crickets.
Lastly, Saudi Arabia suffers a major Iranian attack. The US response to this attack on an ally of sorts? Cue the crickets again.
We next turn to an interview with Scott Charney, Corporate Vice President for Trustworthy Computing at Microsoft. I’ve known Scott for 25 years and he’s an acute observer of the international cybersecurity scene. We discuss international pressures on technology companies including the conflicted roles of governments dealing with encryption.
Episode 140 features long-time New York Times reporter John Markoff on the past and future of artificial intelligence and its ideological converse – the effort to make machines that augment rather than replace human beings. Our conversation covers everything from robots, autonomous weapons, and Siri to hippie poetry of the 1960s and Silicon Valley’s short memory on use of the term “cyber.”
In the news, Maury Shenk reports that five EU members now say they want EU-wide crypto controls. And that’s not counting France and Germany. Maybe the real question is whether any EU countries oppose encryption regulation. We can’t find any. Tongue firmly in cheek, I thank Tim Cook for bringing the need for government crypto regulation to the attention of governments around the world.
It turns out that the FBI actually hacked more than 8,000 computers in 120 countries in a single child porn investigation. Wow. And the Justice Department is lecturing me on the risk that active defense could cause unexpected foreign relations problems? Well, I guess they would know.
We-Vibe’s undisclosed collection of data about users of its smartphone-enabled vibrators spurs a class action. Or should that be a “lacks class” action? I confess to being nonplussed by the uses to which an Internet-connected vibrator app can be put. And even more nonplussed when Jennifer Quinn-Barabanov explains how We-Vibe could contribute to the law of standing.
The Wages of Defeat, part one: Election hack fever seizes the left, and I ask Alan what the law should do about vulnerable election infrastructure. Jill Stein is almost certainly wrong about election hacking this year (or in it for the money), but now that everyone has some reason to question the integrity of our election process, Alan and I ask whether there’s room for bipartisan improvements in electoral systems.
Wages of Defeat, part two: Fake news fever seizes the left. For sure it’s a real problem, and Putin is part of it, but solutions are hard to find. Fake news is often in the eye of the beholder, and neither the mainstream media (see, e.g., here or here) nor the barons of social media (Milo Yiannopoulos, call your office) have been exactly even-handed in dealing with conservative views. If we want to go after foreign government sponsored fake news, I suggest, maybe an updated Foreign Agent Registration Act is worth looking at. Between the first amendment and a lack of trust in would-be fake news umpires, there aren’t a lot of other attractive solutions out there.
In this week’s episode, we guess at the near-term future with Betsy Cooper and Steve Weber of UC Berkeley’s Center for Long Term Cybersecurity. In all of their scenarios, the future is awash in personal data; the only question is how it’s used. I argue that it will be used to make us fall in love – with our machines.
In the news of the week, we explore the policy consequences of President-elect Trump’s personnel choices. I point out that the quickest route to the new administration’s short list seems to be an interview on the Steptoe Cyberlaw Podcast.
The internet advertising industry is trying to stamp out ad malware so that firms following a set of guidelines will earn a seal of approval, Katie Cassel explains. Color me skeptical: would you buy an antivirus product that proclaimed that it scans “a reasonable percentage of” incoming code?
It’s apparently guidelines week in cybersecurity-land, as agencies rush to release their work before the transition. Two agencies issued guidelines on security practices. The Department of Homeland Security released the recommendations for internet-connected devices that Rob Silvers forecast on the podcast last month. Alan Cohn summarizes the principles, which include steps like security by design and regular vulnerability patches. Meanwhile, Katie tells us, NIST has released its guidance for small business network security. We compare its guidance to the FTC’s. NIST wins.
Two Chinese Android phone backdoors have emerged in one week. Researchers at Kryptowire have uncovered a secret backdoor in large numbers of Android phones that ships users’ personal data, including their SMS messages and location, back to China. The company responsible, Shanghai Adups Technology Company, says it was a mistake, and that the software wasn’t supposed to be installed on phones for sale in the US. Or perhaps the mistake was in getting caught. Investigations will follow, one hopes.
The second backdoor is an unsecured firmware upgrade channel that would allow a man-in-the-middle to add arbitrary code to an upgrade. I point out that Apple uses the same backdoor – just better secured – for the same purpose. So its claim that it’s fighting the FBI to protect us from backdoors and their security risks is balderdash.
The 1990s have called, and they want their competition policy back. At least that seems to be the gravamen of Kaspersky’s complaint that Microsoft Defender is killing third-party antivirus companies.
In other news that isn’t new, the effort to override Rule 41 changes still looks as dead as General Franco. That doesn’t mean that a forlorn left-right coalition will give up, of course, since there is still sympathetic lib/left press coverage to be milked from the issue.
Finally, in a sign of just how serious the cybersecurity crisis is, almost 2 in 5 American adults said they would give up sex for a year in exchange for never having to worry about being hacked. And once the machines make us fall in love with them, that number will approach 100%.
We couldn’t resist. This week’s topic is of course President-elect Trump and what his election could mean for All Things Cyber. It features noted cybercommentator Paul Rosenzweig and Daily Beast reporter Shane Harris.
In the news, we’re reminded of the old Wall Street saying that bulls and bears can both make money in the market but pigs eventually get slaughtered. The same goes for the pigheaded, as the FTC has learned. Whatever modest satisfaction the FTC got from denying a stay of its order against LabMD surely evaporated when it forced the Eleventh Circuit to make an early call on the stay. The result: the court of appeals practically overrides the FTC decision on the motion. Or was the Commission just trying to make sure the proposed television series about LabMD had an ample supply of villains? If so, way to go, guys!
Katie Cassel announces her imminent retirement from the podcast. She also explains the DMCA’s new exemption for security researchers.
This is getting ugly: Yahoo now says that some of its employees knew about its massive data breach in 2014 – two years before it was disclosed. Why the delay? Yahoo says it’s investigating – and that it can’t be sure Verizon will follow through on the deal to buy the company.
Russia is putting some teeth in its data localization law. LinkedIn looks like the sacrificial goat, Maury Shenk tells us, and that’s just the camel’s nose under the tent.
How can section 230 immunity provide protection against one claim but not another based on the same facts? Katie makes it sound almost reasonable. Boy, are we going to miss her.
The Germans have revived an investigation of Facebook for not blocking Germany’s idea of hate speech, which probably includes hats that say “Make America Great Again.” Oh, this is going to be a fun four years.
Speaking of which, I wonder if the GRU woke up with the same hangover as the rest of the United States, suddenly realizing that they had no freaking clue what policies a Trump administration would follow. That would explain the rash of phishing attacks on Washington think tanks.
The episode features a vigorous and friendly debate between me and Frank Cilluffo over his new report on active defense, titled “Into the Gray Zone.” It’s a long and detailed analysis by the Center for Homeland and Cyber Security at GW University. My fear: the report creates gray zones for computer defense that should be seen as purely lawful — and turns far too many genuine gray zones black.
Maury Shenk returns after missing last week due to the British determination not to follow US daylight savings practice. After my rant in favor of Sunday Daylight Hoarding Time, he updates us on challenges to the Privacy Shield Agreement in EU courts by privacy true believers (two and counting) and EU court challenges to government data practices in China, Russia, Algeria, and Saudi Arabia (none in evidence). Speaking of which, China has actually adopted the cybersecurity law it’s been threatening Western tech companies with for months, if not years.
Congress is starting to notice the FDA’s hapless response to medical device security. I predict that the FDA will not take serious notice until heart implants start tweeting: “I’d give this guy cardiac arrest, but I’m too busy DDOSing the DNC.”
Michael Vatis tells us what’s in the FTC’s Business Guide to Data Breach Response. It’s pretty good, but even if it weren’t, no one can ignore it, since it’s as close to rulemaking as the FTC gets in this field.
A remarkable official leak says that US Cyber Command has pwned Russia’s IT infrastructure, from its power grid to its military command system, and is ready to strike if the Russians mess with the US election. Is it true? Clint Eastwood has the best answer.
Jonathan Zittrain, who holds a surfeit of titles at Harvard, is our guest for episode 136. Among other topics, we explore the implications of routine doxing of political adversaries. Along the way I extract kind words from Jonathan for Sarah Palin and welcome him to the club of those who think mass doxxers are evil punks. It’s a wide-ranging, informative, and unideological performance of the sort we’ve come to expect from Jonathan.
In the news, I note that the FBI seems to be getting reinforcements in the Great Crypto War, as European prosecutors prepare the battlefield with complaints about Islamic State use of Western encryption.
We’re seeing the rise of a new kind of security disclosure mandate, Katie Cassel tells us. First DOD and now Treasury are requiring their industry to disclose not just personal data breaches but the details of security breaches. But only Treasury was clever enough to do it without new regulatory authority.
NHTSA proposes some pretty thin cybersecurity guidance for vehicles, says Michael Vatis, and a couple of Senate Dems predictably call for tougher mandatory standards.
In more dog-bites-man news, European data protectionists have more hassles for US tech companies; this time it’s WhatsApp and Yahoo in the crosshairs.
Michael leads a tour of the FCC’s new “opt-in” privacy rules for ISPs. I make a bold prediction about how the privacy fight will shake out, and Michael – remarkably – thinks I may be right.
Katie explains HHS’s latest fine for a company that allowed file-sharing of medical files on one of its servers. Mike Daugherty, time to call your office.
Would the revolting magistrates have scuppered the FBI's effort to extract Huma's emails from Weiner's computer? Michael and I debate Orin Kerr's suggestion that there's a legal problem with expanding the search (or the seizure) to a new and different investigation. We mostly disagree with Orin.
And in continuing Rule 41 news, I narrowly escape an NFL taunting penalty while reporting that a whopping 23 out of 535 lawmakers are whining about expanded searches of pedophile computers.
Our guest for the episode is Rob Silvers, the assistant secretary for cybersecurity policy at DHS. He talks about what the government can and should do about newly potent DDOS attacks and the related problem of the Internet of Things. The only good news: insecure defibrillators and pacemakers may kill you, but they haven’t yet been implicated in any DDOS attacks.
In the news, Michael Vatis and I debate whether the netizen reaction to a search warrant that also allows the FBI to collect phone security fingerprints during the search is overheated or justified. Maury Shenk explains an unusual UK tribunal ruling, holding that GCHQ’s and MI5’s bulk collection of data was once a violation of the European Convention on Human Rights. Luckily for the UK government, that illegality was cured by the government’s acknowledgment of the collection.
The financial industry faces new cybersecurity regulations; Katie Cassel explains. Then, as the junior member of the podcast crew, Katie also finds herself called on to explain when defense contractors have to disclose cyberattacks to the Department.
In other news, NSA contractor Harold Martin is looking less like a hoarder and more like a serious threat to national security, thanks to the Justice Department motion opposing bail. Maury explains why the EU’s top court thinks that even dynamic IP addresses are personal data. And I explain (or try to) why Julian Assange is a first amendment cover boy when he blows national security secrets but apparently the second coming of Josef Stalin when he blows politically embarrassing secrets of the Clinton Global Initiative. Or is the real problem the risotto recipe?
Episode 134 features John Carlin’s swan song as assistant attorney general for national security. We review the highs and lows of his tenure from a cybersecurity point of view and then look to the future, including how the US should respond to Russia’s increasingly uninhibited use of cyberpower. I introduce John to Baker’s Law of Post-Government Policy Advice: “The good news about leaving government is that you can say what you want. The bad news is that you can say what you want because nobody cares.”
In the news roundup, we explore the Geofeedia flap, in which large Silicon Valley companies are claiming the right to deny law enforcement access to public postings, even when that access is limited to particular geographic areas, such as the location of an ongoing riot. Remarkably, they seem to think we ought to be praising them for this antisocial stand. Michael Vatis and I consider whether law enforcement can subpoena the same data from antisocial media.
Michael and I also mull over the troubling news that Carbanak is targeting SWIFT endpoints. The G7 has financial cybersecurity guidelines, but it seems unlikely that they’ll turn the tide of an increasingly at-risk banking system.
Michael and I also touch on an Akamai report confirming that the Internet of Things isn’t exclusively used to launch DDOS attacks on Brian Krebs; sometimes it’s used to launch mass credential theft attacks as well. I volunteer to bring the first lawsuit.
Maury Shenk updates us on the UK’s new privacy guidelines – and China’s effort to make its internet more protective of children, and the state.
As always, the Cyberlaw Podcast welcomes feedback. Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
In episode 133, our guest is The Grugq, famous in hacker circles but less so among Washington policymakers. We talk about the arrest of an NSA employee for taking malware and other classified materials home, the Shadow Broker leak of Equation Group tools, and the Grugq’s view that the United States has fundamentally misunderstood the nature of cyberconflict.
In the news, Alan Cohn and I discuss the DHS/DNI fingering of Russia – and Putin – for the DNC hack. We ask whether this means that sanctions will follow, and I characterize the administration’s stance so far as an updating of Groucho Marx’s position: “These are my red lines. If you cross them, well, I have others.”
I award “stupidest privacy scandal of the year” to the complaints that Yahoo! (gasp!) scanned email content in a search for a terror-related signature.
Continuing what will become a rant-filled episode, I nominate the Third Circuit for membership in a Hall of Judicial Shame. The court of appeals has joined the European Court of Justice in giving legal effect to the early Guardian articles claiming that PRISM allowed NSA to scan all emails in US webmail services. That might have been a mistake in 2013, but in 2016, it can only be characterized as a lie, and not one the judiciary should be party to. Katie Cassel hoses me down.
Maury Shenk, back from honeymoon in Jordan, explains why the TalkTalk case has such prominence in the UK – and why the company was lucky to be assessed one of the highest fines ever imposed by the UK data protection authority.
And, to end the roundup on a choleric note, Alan goads me with HHS’s latest and most astonishingly nit-picking fine ‒ $400,000 for having a supplier contract that hadn’t been updated since the HI-TECH Act modified HIPAA.
In episode 132, our threepeat guest is Ellen Nakashima, star cyber reporter for the Washington Post. Markham Erickson and I talk to her about Vladimir Putin’s endless appetite for identifying ‒ and crossing ‒ American red lines, the costs and benefits of separating NSA from Cyber Command, and the chances of a pardon for Edward Snowden. Ellen also referees a sharp debate between me and Markham over the wisdom of changing Rule 41 to permit judges to approve search warrants for computers outside their district.
In the news roundup, Meredith Rathbone explains the remarkably aggressive, not to say foolish, European proposal to impose export controls on products that would enable state surveillance in cyberspace. Apparently locked in a contest with Brussels over who can propose the dumbest regulation of cyberspace, California has adopted a law that purports to prohibit entertainment sites like IMDb from publishing the true ages of actors and actresses. Markham and I debate the constitutionality of the measure.
In other California news, Markham brings us up to date on the surveillance lawsuit against Google. He also explains the deep Washington maneuvering over FCC Chairman Wheeler’s plan for cable set top boxes. I call for a rule that requires cable CEOs to wait at home for days of rescheduled calls to find out whether they’re going to get the result they want.