Skating on Stilts

The backlash against Big Tech dominates this episode, as we cover new regulatory initiatives in the US, EU, Israel, Russia, and China. The misbegotten link tax and upload filter provisions of the EU copyright directive have survived the convoluted EU legislative gantlet. My prediction: the link tax will fail because Google wants it to fail, but the upload filter will succeed because Google wants YouTube’s competitors to fail.

Rumors are flying that the FTC and Facebook will agree on a billion-dollar-plus fine on the company for failure to adhere to its consent decree. My guess? This is not so much about law as about the climate of hostility around the company since it took the blame for Trump’s election.

And, in yet another attack on Big Tech, the EU is targeting Google and Amazon for unfair practices as sales platforms. Uncharacteristically, I refuse to criticize the EU over this policy.

Artificial intelligence is so overworked a tech theme that it has even attracted the attention of the White House and DOD. We ask a new contributor, Jessica “Zhanna” Malekos Smith, to walk us through the President’s Executive Order on AI. I complain that it’s a cookie-cutter order that could as easily apply to alien abductions. DOD’s AI strategy, in contrast, is somewhat more substantive.

If you can’t beat ‘em, ban ‘em. Instead of regulating Big Tech, Russia is looking to take its own Internet offline in an emergency. The real question is whether Russia is planning to cause the emergency it’s protecting itself against. If so, the West is profoundly unready.

CFIUS is contagious! Brian Egan tells us that under US pressure Israel is considering restrictions on Chinese investment as the world keeps choosing sides in the new cold war.

China’s Ministry of Public Security is now authorized to conduct no-notice penetration testing of Internet businesses operating in China. I must say, it was nice of them to offer the service in beta to OPM, Anthem, and Equifax. Speaking of which, this  mayspell (more) trouble for Western firms doing business in China.

Brian touches on Treasury’s new sanctions against Iranian organizations for supporting intelligence and cyber operations targeting US persons. It turns out that the hackers had help – and that there is no ideology so loathsome it can’t win converts among Americans.

Nate Jones describes the EU’s plan to use “cyber sanctions” to fend off hackers during upcoming elections.

This Week in Old Guys You Shouldn’t Mess With: Nate reveals how 94-year-old William H. Webster helped take down a Jamaican scam artist. Of course, if he was any younger, he probably wouldn't have picked up when the landline rang.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

Download the 251st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

This is admittedly self-indulgent, but I was recently interviewed by Cyberinsecurity News about my involvement in technology and national security policy over the years, and the result might be of interest to those who weren't there for the fights that still shape the policy environment.  A sample:

    Now, you cannot overestimate how significant the decryption victories of World War II were in shaping NSA’s culture. They were, one way or another, part of breaking Japanese codes, and Nazi codes, and everyone agreed that those decryption achievements shortened the war and maybe made it possible to win the war. Given the stakes, no one wanted to be caught in the situation again where we did not have an overwhelming advantage with respect to dealing with foreign nations’ codes. At the same time, the Soviets, who had seen that experience, had developed formidable capabilities of their own. We only occasionally got little glimpses of what was going on inside Russian communications, because their encryption was so good and so disciplined. So everybody was aware that what we had achieved in World War II was not ours by birthright. It was going to have to be something we scrapped and clawed at if we wanted to get that advantage again. So NSA was reluctant to surrender any advantage, including export controls on encryption.

     For Microsoft and the rest of Silicon Valley, they were already deep into the cycle of destroying other people’s businesses by turning them into software. Microsoft had done that successfully and become a massive new company at a time when new companies were rare. Basically by eating other people’s businesses and saying, “Oh, sorry about that!” and moving on. I think they started out with the assumption that NSA’s encryption and decryption advantage was just one more business model that was not going to survive Microsoft’s software advantages. They were more confident maybe than they should have been, but they had plenty of experience and a lot of achievement behind them. You had two very proud, very self-confident organizations dueling with each other over matters that each of them thought was central to their future.

 

If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself. That’s the message Nick Weaver and David Kris extract from two stories we cover in this week’s episode of The Cyberlaw Podcast – DOJ’s indictment of a couple of kids whose hacker chops are modest but whose social engineering skillz are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there’s always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.

Okay, it ain’t “When Harry Met Sally,” but for a degraded age, “When Bezos Exposed Pecker” will have to do. David keeps us focused on the legal questions: Was the Enquirer letter really extortion? Would publication of the pics be actionable? And is there any way the Enquirer could get those text messages without someone committing a crime? Plus, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

Social media – privacy law threat or competition law menace? That’s the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.

Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the PLA to the curb and brought in the professionals from China’s Ministry of State Security. So now Chinese tradecraft is a little better, and DOJ is indicting MSS officials instead of PLA soldiers. David sums up.

NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.

Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing even conservative university lawyers.

Well, maybe one more item: I close by thanking HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:

“I got a fever, and the only cure is more Weaver. Love the show. I’m a lawyer but not in tech or security law, but it’s still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show.”

In return, I am moved to channel Peggy Lee. And if more good reviews don’t pour in, I may make that performance a weekly feature. David Kris, I’m sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee’s oeuvre like that.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here: https://www.thirdway.org/letter/2019-cyber-symposium-call-for-papers

Download the 250th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

My latest op-ed tries to open the Overton window on responding to cyberattacks:

Cyber weapons have allowed Russia to reinvent deterrence on the cheap. Recent reports reveal a prolonged, systematic, and not particularly subtle Russian campaign to infiltrate the U.S. power grid.

It raises the prospect that Russian strongman Vladimir Putin has the ability to cut off power to large parts of the United States, as he has done already in Ukraine. He has “prepare[d] the battlefield, without pulling the trigger,” said one former U.S. official.

All of which raises the question: how to deter him? After all, where Putin goes, Iranian mullahs and Kim Jong Un will not be far behind. If any of these actors knock out even a small segment of our power grid, we will need to retaliate, and not with restraint. It’s time to start thinking the unthinkable.

Four principles should guide American decision makers in developing tough responses to other nations’ cyber provocation ...

Read the rest at Fifth Domain. 

In this episode, I interview Chris Bing and Joel Schectman about their remarkable stories covering the actions of what amount to US cyber-mercenary hackers. We spare a moment of sympathy for one of those hackers, Lori Stroud, who managed to go from hiring Edward Snowden to hacking for the UAE in the space of a few years.

In the news, I ask my partner Phil Khinda whether the $29 million Yahoo breach settlement opens a new front in breach derivative litigation or is a black swan event. He says it’s more of a red herring – and explains why.

This week in black ops: I ask Nate Jones to comment on the tradecraft used in an apparent effort to smear Citizen Lab for its reports on NSO. My take: This feels a lot like what BlackCube did for Harvey Weinstein, except that this was the low-budget version.

I'm not sure the indictments are working.  The Russians are so far from being shamed that now they’re engaged in fake hacking. Dr. Megan Reiss notes Special Counsel Mueller’s recent claim that Russians are leaking discovery materials and pretending they came from a hack of the counsel’s office. Remember the remarkably adroit robot that turned out to be a Russian in a robot suit?  That's what this reminds us of.

Maury Shenk and I discuss Google’s latest imitation of Apple’s “law enforcement lockout” feature and Google's claim that hurting law enforcement was an “unintended side effect.” I call BS.

Maury also notes the flap over a flaw in Apple’s FaceTime that allows for eavesdropping. Predictably, New York State is investigating.

And in possibly related news, Apple went out of its way to publicly embarrass Facebook and Google over their use of corporate certificates to sideload apps to record the browsing habits of paid volunteers. I'm not convinced that the fuss is justified.  Whatever those users sold their data for, it's a lot more than I'm getting.

Quick hits:

This week in dogs biting men: Ukraine says Russia is trying to disrupt its upcoming election, and the Pentagon is reportedly failing to stay ahead of cyber threats. Megan covers the first and Nate the second.

I offer one and a half cheers for Japan’s pioneering and mildly intrusive survey of bot-vulnerable IoT devices. Unfortunately, it's not intrusive enough to really address the problem.

Finally, EPIC is calling on the FTC to impose a $2 billion fine, structural changes, and more on Facebook, claiming that “the algorithmic bias of the [Facebook] news feed reflects a predominantly Anglo, male world view.” If you still need evidence that privacy law is the legal equivalent of a Twitter mob – an always-ready tool for punishing unpopular views – EPIC’s filing should do the trick.

Download the 249th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

If the surgeon about to operate on you has been disciplined for neglecting patients, wouldn’t you like to know? Well, the mandarins of European Union privacy law beg to differ. Google has been told by a Dutch court not to tell anyone about the disciplined doctor, and there seems to have been a six-month lag in disclosing even the court ruling. Gus Hurwitz and I are appalled. I repeat my long-standing view that in the end, privacy law just protects the privileged. Gus agrees.

This week's interview is with John Carlin, author of Dawn of the Code War. It’s a great inside story of how we came to indict China’s hacker-spies for attacking US companies.

In other news, the Illinois Supreme Court has demonstrated just how bad Illinois’ biometric privacy law is – by the simple expedient of applying it the way it’s written.

Dr. Megan Reiss and I air our ambivalence about the latest site hosting collections of doxed messages. We lack enthusiasm for indiscriminate doxing of the kind highlighted on Distributed Denial of Secrets, but if it’s got to happen, it couldn’t happen to a nicer Russian dictator. 

Nick Weaver explains the DHS emergency order telling civilian agencies to protect themselves against DNS hijacking, and why the shutdown may have made those agencies more vulnerable.

Nick and I debate YouTube’s latest algorithmic tweak to avoid recommending “borderline” material. He notes that the  tweak is to correct an algorithm that used to push people toward extremes. I counter that this tweak turns out to be a suspiciously good way for YouTube Social Justice Warriors to suppress videos they don’t like but can’t actually show to be violating YouTube’s terms of service.

Speaking of which, maybe the real singularity will be when Silicon Valley SJWs join forces with Beijing to produce technology to suppress WrongThink once and for all. If so, the singularity is nigh, in the form of a Chinese app that allows you to identify all the people around you who deserve to be shamed. Of course, when it comes from Twitter, instead of identifying those who haven’t paid their debts, the app will identify anyone who ever wore a MAGA hat. And it will have a cooler name. Maybe #Punchable.

Download the 248th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

So says the remarkable Jeff Jonas, CEO of Senzing. And he’s got a claim to be doing just that. A data scientist before data science was cool, Jeff has used his technical skills and an intuitive grasp of complex data problems to stop card counters in Las Vegas and terrorists targeting the US, and then to launch an initiative making voter registration more accurate and widespread. Most recently, in the course of an effort to improve maritime security around Singapore, he also found a key to identifying asteroids that are about to collide with each other and head off on a new course (one that might intersect with, well, ours).

The media has been hyping a strikingly bad magistrate judge’s opinion giving 5th Amendment protection to biometric phone security. This leads Gus Hurwitz and me to question why Congress ever promoted US magistrates to “magistrate judges” in the first place. We suggest striking the word “judge” from the title given to these Article I judicial aides; call it the Truth in Judging Act.

Congress and the President can’t even agree on a compromise that would end the partial government shutdown. So what genius decided that our security from terrorist attacks should depend on Congress and the President agreeing every couple of years on yet another part of our counterterrorism system? Like it or not, though, 2019 will feature another cliffhanger debate over several national security provisions of FISA  that are scheduled to come to an end unless renewed. Jamil Jaffer and David Kris talk about the provisions and possible outcomes. I plead for a compromise that takes seriously the Trumpist concern about partisan abuse of the law.

I suspect the government would have imposed serious fines on the owner of EDGAR for enabling a new form of insider trading -- if the SEC didn't own EDGAR itself. Jamil and Gus debate the harder question: How can hackers with access to guaranteed market moving info manage to make only $4 million in six months of trading?

The Department of Justice’s Office of Legal Counsel has reversed an Obama-era interpretation limiting the scope of federal criminal laws governing online gambling. David provides the background; I introduce our listeners to the Baptist-bootlegger coalition.

If you would like to hear more from Jeff Jonas and you’ll be in London on January 29, be sure to attend his talk, “AI for Entity Resolution,” at the SAGE Ocean speaker series. Event details can be found here.

Download the 247th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Readers of this blog may be interested in my Lawfare post about the news that the FBI made President Trump the subject of a counterintelligence investigation after he fired their boss.  My take:

The political and bureaucratic motives mixed into this incident are reminiscent of the motives mixed into the decision to launch an investigation of Russia and the Trump campaign, the decision to rely on Christopher Steele’s research despite his partisan funding, and the decision to interrogate national security adviser Michael Flynn in the slipperiest of fashions. There are reasons why all of these things might have seemed necessary to honest, committed cops just doing their job. But they also offer a roadmap for how to abuse counterintelligence authority to serve partisan ends—a roadmap that more or less begins where the civil liberties protections of the 1970s end.

My concern is that we’re not taking that risk seriously because so many former officials and commentators believe that President Trump deserves all this and more. Some of them still hope that the election of 2016 can be undone, or at least discredited. This leads to a perseverating focus on leaks and scraps from the investigation and a determined lack of concern about the investigation’s sometimes tawdry origins. (Yes, I’m talking to you, #BabyCannon!)

If we’re going to prevent future scandals, we need to look at both. We need to know the answers to a lot of questions that are not being seriously addressed today: To what extent was politics involved in the decision to open the Trump-Russia investigation; to what extent did politics drive its direction; to what extent was politics involved in the Obama administration’s transition intelligence leaks; and, finally, to what extent was politics involved in adding the president to the counterintelligence probe?

The only independent review of any of these questions seems to be the investigation launched by Justice Department Inspector General Michael Horowitz. He’s examining the FISA application for Carter Page. That’s a good start, but it’s only a start. It’s a commonplace insight that President Trump’s norm-defying conduct has triggered norm-defying payback by others. I’m sure we’re going to learn about the first, but we can’t ignore the second.

It’s time to expand the Horowitz inquiry, or something like it, into all of these events.

Brazen Russian intrusions into the US electricity grid lead our episode. I ask Matthew Heiman and Nick Weaver whether Russia intended for us to know about their intrusions (duh, yes!) and how we should respond to the implicit threat to leave Americans freezing in the dark. Their answers and mine show creativity if not exactly sobriety.

In what may be good news about emerging European sobriety, Google gets a favorable opinion from the advocate general to the European Court of Justice (ECJ) on the question of whether to extend Europe’s “right to be forgotten” censorship regime to benighted Americans, and Turks, and Russians, and Chinese. Most of those countries would be glad to impose their censorship regime on Europeans, consideration of which may be enough to overcome the America Derangement Syndrome the ECJ has displayed in earlier tech privacy cases.

DHS was right, and EFF was wrong. That’s the lesson Maury Shenk, Nick, and I derive from the latest drone crisis at Gatwick Airport. In response, the UK is seeking police powers that DHS recently obtained – over EFF’s bitter opposition.

Matthew unpacks the Fourth Circuit ruling that a politician cannot block constituents on her official Facebook page because it has become a public forum.

Nick explains how the Hal Martin Saga keeps getting weirder – and we try on the full aluminum foil hat to explain how the whole thing could have been orchestrated by the GRU to turn Kaspersky Lab into a hero.

Ron Wyden and Motherboard combined to get mobile phone companies to stop selling location data to third parties. I wonder whether we’ll regret the result. Nobody else does.

Happy New Year from Big Brother: Vietnam takes a leaf from the EU and Chinese playbooks, threatening Facebook with fines for allowing prohibited posts and failing to localize data.

For comic relief, we cover the cybersecurity misadventures of “El Chapo.” Nick Weaver sums up the lesson: bespoke security is almost always bad security. Oh, and never use a phone provided by a paranoid boss.

We close with a quick review of how China has misused the Great Firewall to launch cyberattacks and what Silicon Valley (or the rest of us) can do in response.

Download the 246th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Nate Jones, David Kris, and I kick off 2019 with a roundup of the month of news since we took our Christmas break. First, we break down the utterly predictable but undismissable Silicon Valley claim that the administration’s new export control strategy will hurt the emerging AI industry.

Then we draw on our guests’ expertise in counterintelligence prosecutions to review the APT10 indictment – and the claim by Jack Goldsmith and Robert Williams that the strategy is a failure. We conclude that it isn’t a magic bullet, but that’s not quite the same as a failure. I tease my plan to propose two dozen more or less unthinkable retaliatory responses the US could deploy if and when it decides to get serious about deterring adversarial cyber operations.

We quickly cover three new hacks that once looked as though they might be government sponsored. Now we suspect that two were less strategic than that. The denial of service attack on newspaper printing may have been a profit-motivated ransomware attack, and the guy who doxxed the German political establishment may have been a lone hacker (hopefully not one weighing 400 pounds or we’ll never hear the end of it).

We quickly review the bidding on the US-China “quantum arms race,” which may be a bit less critical than the press suggests.

David and Nate also review the mixed bag of rulings on three motions to suppress in Hal Martin’s NSA theft case, which just gets weirder and weirder. David and I are in surprising agreement (along with the judge) that the FBI overreached in using handcuffs, a flashbang, and a SWAT team to conduct “noncustodial” questioning of Martin.

Today’s forecast: Windy with a high probability of litigation as Los Angeles sues The Weather Company for collecting and sharing location information in its apps. We suspect that, in claiming a lack of adequate disclosure about location collection, Los Angeles is relying on the ancient legal maxim, “Damned if you do and damned if you don’t.”

In other litigation news, Illinois’s biometric privacy law continues to encounter judicial skepticism. But the Illinois state courts, unburdened by federal standing law, may yet give teeth to this seriously dumb law as Rosenbach v. Six Flags rolls on in the Illinois Supreme Court.

In Quick Hits, I am examine the claim that a clever generative adversarial AI “cheated” at a mapping task. In fact, the lesson is both less exciting and more troubling: If you don’t understand how your AI is accomplishing the task you’ve set for it, you are in for some rude surprises.

Despite all the talk of stasis and crisis in Washington, Congress is still passing modestly useful legislation on cyber issues. Nate describes the SECURE Technology Act, which sets vulnerability disclosure policy and calls for bug bounties at DHS.

And, finally, I recommend a fascinating and deeply ambivalating (okay, that's not a word, but it should be) report on the many ways third-party sellers game Amazon’s Marketplace rules.

Download the 245th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In the News Roundup, Nick Weaver and I offer very different assessments of Australia’s controversial encryption bill. Nick’s side of the argument is bolstered by special guest Denise Howell, the original legal podcaster, with 445 weekly episodes of This Week in Law to her credit.

Later in the program, I interview Rep. Jim Langevin (D-RI), who’s been a force for cybersecurity both on the Homeland Security Committee and on the Armed Services subcommittee that oversees Cyber Command and DARPA – a subcommittee that insiders expect him to be chairing in the next Congress.

Turning back to news, the Marriott hack, already one of the biggest in history, has developed a new and more interesting angle, Gus Hurwitz explains: It may have been a Chinese intelligence operation.

The Khashoggi killing has backfired on… Israeli and Italian hacking companies? Yes, indeed. Hacking Team and NSO are now immersed in legal hot water. And as a sign of how much the Middle East has changed, Nate Jones tells us that a Saudi dissident is now waging lawfare in the courts of Tel Aviv.

We also touch on what the detention in Canada of Huawei’s CFO means for US-China technology relations as well as on a new DOD report on the risks of EMP. Nick explains why he doesn’t worry about EMP but nonetheless loves the EMP alarmists.

Download the 243rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This episode features an interview with Michael Tiffany, the co-founder and president of White Ops and a deep student of how to curtail adtech fraud. Michael explains the adtech business, how fraudsters take advantage of its structure, and what a coalition of law enforcement and tech companies did to wreck one of the most successful fraud networks, known as 3ve. You can read more about the take down in the joint White Ops and Google report, “The Hunt for 3ve.”

In the news, David Kris covers the Supreme Court argument in the Apple antitrust standing case. At stake: whether Illinois Brick should apply outside a brick-and-mortar context. Our panel guesses that it won’t.

You knew this was coming: Megan Reiss covers US proposals to screen Chinese students for espionage risk before giving them visas. We think it’s a good idea, but really wish there were a way to score every student in China for how compliant they are with government wishes…oh, wait…

Nobody trolls like the Russians troll. David Kris covers a Russian trollsuit claiming that Facebook has unfairly censored Russian speech. Showing that they know their opponents’ weakness, the suit includes broad hints that censoring Russians is … racist. Maury Shenk covers the bookend – Russian government threats to sue Google for not complying with Russian censorship demands. And I suggest that Putin’s Data Protection law will be just that – a law to protect Putin’s data. Speaking of privacy law always protecting the powerful, Michael Tiffany offers several reasons why GDPR has been good for Google and Facebook ad market share and bad for European competitors. It’s the tragedy of EU mercantilism: always aiming at the United States and usually hitting itself in the foot.

Another day, another Iranian hacking/ransomware indictment. What’s different about this one, Megan tells us, is that it includes a Treasury order freezing the bitcoin the Iranians collected. That’s a potentially new and powerful law enforcement tool. With only a little cajoling, David Kris acknowledges that this is one Trump administration initiative that is both novel and a good idea.

Wrapping up, David Kris ponders the surprisingly straightforward Fourth Amendment issues raised when the police have to stop an autonomous-mode Tesla going 70 on the 101 with a passed out “driver.” And Megan and I ponder the difficulty posed for social media by the “yellow-vest” riots in Paris. Which model applies: Arab Spring or Russian interference? You know what the Macron administration will say. Buckle up, Big Tech. To paraphrase Peter Parker’s Uncle Ben, with great power comes utter confusion.

Download the 242nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This episode’s should be titled "Baker’s Law of Evil Technology," as it explains Twitter’s dysfunctional woke-ness, Yahoo’s crappy security, and Uber’s deadly autonomous vehicles. Companies with lots of revenue can afford to offer benefits that they don’t much care about, including protection of minority voices, network security, and, um, not killing people. But as Uber’s travails show, all that gets tossed out the window when corporate survival is at stake. And here’s Baker’s Law in action: Airline algorithms that deliberately break up families sitting on the plane so they can charge to put the kids back in the same row.

I do a mini-interview of Adam Candeub, who has disclosed that the supposedly populist, supposedly Silicon-Valley-skeptical Trump Administration has proposed a massive and antidemocratic subsidy for conservative-censoring social platforms.  Worse, it's written into the virtually unamendable NAFTA 2.0. I rant (briefly) about it and pray that Congress kills the provision in the lame duck.

Merrick Garland may now be available. But, we ask Jamil Jaffer and Gus Hurwitz, is a Facebook Supreme Content Court a good idea?

Speaking of Facebook, even 98-lb weaklings seem to be kicking sand in the company’s face. I lay out the latest, incredible tale about how an app that finds all your friends’ bikini pics ended up spurring an international breach of US confidentiality orders – at the behest of the UK Parliament’s serjeant at arms. And when I say it's an incredible tale, I mean just that; the story told by the participants is extraordinarily hard to believe.

Jamil and Gus note that Commerce has begun identifying an enormous list of “emerging” technologies to be restricted for export. Is this a kind of defense-industrial policy? And will it work? The panel disagrees.

Paul Rosenzweig reports that Airbnb now has its own (woker-than-thou, naturally) foreign policy. He thinks it may violate a host of state anti-BDS laws.

Nick Weaver gives us the latest Bear Facts. Both Cozy and Fancy are back with a vengeance – and not much concern about avoiding attribution.

Download the 241st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Mieke Eoyang joins us for aninterview about Third Way’s “To Catch a Hacker” report. We agree on the importance of what I call “attribution and retribution” as a way to improve cybersecurity. But we disagree on some of the details. Mieke reveals that this report is the first in a series that will hopefully address my concerns about a lack of detail and innovation in the report’s policy prescriptions.

Russia’s lawyers are almost as good as its hackers, to judge by a “letter” from the Russian government in the DNC’s hacking case against it. Matthew Heiman and I conclude that the DNC is going to face an uphill fight trying to overcome Russia’s sovereign immunity arguments.

It’s not cybersecurity, but it is cyberhygiene: Never do a global “find and replace” on a sensitive court filing without making sure the “replace” part actually worked. That seems to be the failure that disclosed to the world that the US has filed criminal charges against Julian Assange under seal. Maury Shenk comments.

“As an additional service to Alexa users, we promise to protect the privacy of anyone who murders you.” Okay, maybe that’s an unfair summary of Amazon’s position on whether to release Echo recordings in a double murder case. It’s not surprising that Amazon wants a court order before handing over the recordings, or that it got one, or that it seems to have complied promptly.  The real news, I argue, would be if the company had handled the matter any other way.

Dr. Megan Reiss explains the significance, if any, of the Paris Call for Trust and Security in Cyberspace, where more than 50 states and companies – the United States not among them – have signed onto a mostly Mom-and-apple-pie agreement on cyber principles.

Soft power update: Chinese-style social credit scoring is coming to a Venezuela near you. Megan comments.

Sweet justice: California SWATter has pleaded guilty and now faces 20+ years in prison.

Looks like DHS finally made it, so I can stop talking about Congress approving the renaming of NPPD to be the Cybersecurity and Infrastructure Security Agency.

And for the lightning round, Matthew confirms that remotely wiping your iPhone constitutes destruction of evidence; I note that Phineas Finn has officially gotten away with the doxing of Hacking Team; and Megan comments on yet another diversion of Western traffic through Russia and China. This time, though, we may have to blame the Nigerians.

Download the 240th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Today’s interview is a deep (and long – about an hour) dive into new investment review regulations for the Committee on Foreign Investment in the United States (CFIUS). It’s excerpted from an ABA panel discussion on the topic, featuring: Tom Feddo, who currently oversees CFIUS; Aimen Mir, who used to oversee CFIUS; Sanchi Jayaram, who is in charge of the Justice Department’s CFIUS and Team Telecom work; David Fagan, a noted CFIUS practitioner; and me as moderator. It turns out the new CFIUS law may be the most innovative – and sweeping – piece of legislation on national security in years.   

In the news, it’s time for a Cyberlaw Podcast victory lap, as our bold election-eve prediction that foreign governments would not successfully hack the election seems to hold up well, despite laughable Internet Research Agency claims in a new meta-trolling propaganda campaign.

I note that challenges to FISA are increasing as it starts to play a role in more criminal cases. I ask David Kris whether Bob Mueller took unwise risks with intelligence equities when he charged a Russian company with criminal election trolling, since that company is now seeking discovery of intelligence intercepts.

Dr. Megan Reiss notes that China is making what might be called great strides in “gait recognition” software to supplement face recognition, taking what looks like a global lead in the technology. This reminds me that fifteen years ago, when DARPA was researching gait recognition for terrorist identification, the left/lib NGOs got Congress to kill funding by lampooning what they called “a Monty Python-esque ‘Ministry of Silly Walks.’” Not so funny now, is it guys? Especially in light of evidence that China is exporting its cyber surveillance tech to Africa.

How does China do it? According to the Australian Strategic Policy Institute, with plenty of help from the universities of the English-speaking world. Apparently the People’s Liberation Army has been sending its scientists to the West under light cover to study cutting edge defense tech.

Nate Jones and I examine the latest chapters in the now-encyclopedic tale of Silicon Valley v. Conservatives. We take a look at a Trump immigration campaign ad that Facebook and broadcast media (Fox included) refused to run. Gab is back, but just by the skin of its teeth. Meanwhile, the pitchforks and torches are being mustered for LinkedIn, which apparently hasn’t been sufficiently cowed by lefty censors. And Facebook’s effort to suppress Alex Jones’s InfoWars site is running into trouble.

Megan and I talk about the prospect that Iran is getting ready to launch cyberattacks on the US and Israel.

Nate covers the collapse of IronChat security as Dutch police managed to decrypt 258,000 messages in the app. Maybe spurred by my taunting, Edward Snowden denies that he ever endorsed the product, notwithstanding the claim on IronChat’s website. (My tweet on same: “Hey, @Snowden, IronChat sold secure phones at exorbitant prices because of your endorsement.”)

Pakistan says “almost all” its banks have been hacked.  Wouldn’t it be ironic if North Korea was buying nuclear and missile technology from Pakistan with money stolen from Pakistani banks?

Download the 239th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This episode puts our experts on the spot with an election-eve question: Will foreign governments attack US electoral rolls or vote-counting machinery in 2018? Remarkably, no one on our panel (Matthew Heiman, Nick Weaver, David Kris, and I) thinks they will. So if you want cybersecurity news, you can stop listening to election coverage and tune in to Episode 238 of The Cyberlaw Podcast.

Our interview features Steve Rice (Deputy CIO for DHS) and Max Everett (CIO for the Department of Energy) and was originally taped at a session of the Homeland Security Week conference.

In the news, Nick evaluates the report that China hijacked the Border Gateway Protocol; he thinks we need more data. David agrees with me that one way to get the data would be a Justice Department subpoena.

Matthew Heiman explains why SCOTUS is skeptical of Google’s cy pres settlement that treated 129 million class members like bystanders at someone else’s party – and why that skepticism may not appear in US Reports any time soon.

Nick and David lay out the painful story of how failures in CIA communications with their assets may have severely compromised HUMINT operations in Iran and China.

Matthew and I talk about the string of right-wing killers in the past few weeks and the tech implications, including the defenestration of Gab and a lot of throat-clearing about amending Section 230 of the Communications Decency Act.

Matthew also explains, then casts doubt on, a Florida Appeals Court decision that rejects the “foregone conclusion” doctrine for compelled passcode disclosure.

After all the Internet-enabled vibrator stories we’ve covered on the podcast, I think we’re obliged by gender equity to cover this effort to use artificial intelligence to improve male sex toys. For those who may face confirmation before the Senate Judiciary Committee any time in the next decade, Nick explains that Markov chain techniques have nothing to do with the Devil’s Triangle.

More hostilities in the US-China Cool War: DOJ has indicted a Chinese-state owned company as well as UMC and three individuals for stealing trade secrets from US companies; and in a coordinated move, the Department of Commerce has placed limits on US businesses interacting with the Chinese company. I wonder whether the Cool War between China and the US is increasingly forcing big foreign tech companies to choose between the two as they develop new technology.

Download the 238th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The theme of this week’s podcast seems to be the remarkable reach of American soft power. Really. We elect Donald Trump, and suddenly everybody’s trolling.

The Justice Department criminally charges a Russian troll factory’s accountant, and before David Kris can finish explaining it, she’s on YouTube, trolling the prosecutors with a housewife schtick.

She’s not alone. Faced with the news that President Trump is using a commercial iPhone for many of his calls – and, Nate Jones points out, getting wiretapped by China, Russia, and others as a result – China has a suggestion that scores at the top of the POTUS Troll Scale.

Tim Cook, meanwhile, goes to Europe to troll Android – and me – with a speech that pushes all my buttons: Europhilia, Apple sanctimony in pursuit of profit, and blind enthusiasm for privacy regulation. But at the end of the day, it's just another Apple-bites-Android story. 

Last in the troll parade comes what can only be described as the understated trolling deployed by the British government when it was asked by the Belgians to investigate whether a Belgian ISP might have been hacked by GCHQ. 

This week’s interview is with Dr. Dipayan Ghosh, Pozen Fellow at Harvard’s Shorenstein Center and co-author of a new report, “Digital Deceit II: A Policy Agenda to Fight Disinformation on the Internet.” It's an interesting mix of good insights and warmed-over Obama-era nostalgia (Carly Rae Jepsen makes a brief appearance). Dipayan and I tangle on privacy but struggle toward common ground on how to limit the power of the Big Platforms. He’s open-minded and flexible about the details of his proposal, so for fans of civil policy debate who are worried about where the platforms’ dominance and ad revenue are taking us, this episode is a keeper.

More news: Why would a Russian technical institute design malware used in an effort to sabotage a major petrochemical plant in Saudi Arabia? Nate Jones lays out the story. Originally suspected of being an Iranian operation, the attack may have originated in Iran, but FireEye persuasively links the underlying (and flawed) malware to Moscow. One possibility is that it’s a Russian false flag job, minus the embarrassing GRU operatives and their Uber receipts. My guess, though, is that the Russian institute is just amortizing malware development costs by selling off exploits developed for the GRU. If so, this may turn out to be another slow motion disaster for the thugs in the Aquarium.

In other news, Yahoo settled a class action over the enormous breach affecting 200 million people and three billion accounts. The price of that settlement? After the lawyers have been paid, the settlement works out to about 25 cents per victim. Seems pretty cheap to me.

For a brief moment, reality has descended on the left coast. It looks like California isn’t eager to get a judicial ruling on its campaign to nullify federal net neutrality law.

In the UK, Facebook is fined the maximum under pre-GDPR law, for what the privacy agency calls a failure to protect personal data from Cambridge Analytica – or, more likely, for the unspeakable crime of not having prevented the election of Donald Trump. And now that GDPR is in effect, the bien pensants of Europe have served notice; failure to prevent the President’s re-election will cost Silicon Valley billions.

Finally, what goes around comes around for the Uber “bounty” hackers. David and I think that this story pretty much answers the question whether they were just confused bounty hunters or extortionists with a clever line of patter.

Download the 237th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this week's interview we ask whether the midterm elections are likely to suffer as much foreign hacking and interference as we saw in 2016. The answer, from Christopher Krebs, Under Secretary for National Protection and Programs Directorate (soon to be the Cybersecurity and Infrastructure Security Agency), is surprisingly comforting, though hardly guaranteed. Briefly, it’s beginning to look as though the Russians (and maybe the Iranians) are holding their fire for the main event in 2020.

In the News Roundup, Maury Shenk highlights the role of Twitter, trolls, and Saudi royals in the Khashoggi killing. He also explains the apparently ridiculous result in the EU Android competition matter. It may be a case of Google giving the EU what it asked for – good and hard.

Terry Albury certainly got it good and hard from a federal judge. He was sentenced to four years in prison for leaking classified documents to The Intercept. Jamil Jaffer explains why Albury’s claim of being a whistleblower didn’t win him much relief. I suggest that maybe the only people willing to read Intercept articles to the end are federal agents trying to find clues to the leakers’ identities; whatever they’re doing, it’s working.

Maury and I marvel over the flood of venture capital money into China – and a potential ebb tide for Chinese money in Silicon Valley.

Jamil explains the latest SEC report flagging the cost of email fraud; nine firms lost $100 million to cyberfraud.  And to add insult to injury, the SEC hints broadly that future victims may be tagged for violating SEC accounting standards, which should be sufficient to prevent such fraud.

I point to the ABA’s recent ethics opinion mandating breach disclosure to clients – and quite a bit more. Maury instructs me on the question of whether putting names on doorbells violates GDPR. Vienna says yes; Germany, no. Maury is sure the Germans have this right.

Finally, I update listeners on the Equifax data breach engineer who figured out that his company must have been breached and traded on his suspicion. In an act of relative mercy for the clueless engineer, he was fined and sentenced to eight months of home confinement.

Download the 236th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Today we interview Doug, the chief legal officer of GCHQ, the British equivalent of NSA. It’s the first time we’ve interviewed someone whose full identify is classified. Out of millions of possible pseudonyms, he’s sticking with “Doug.” Listen in as he explains why. More seriously, Doug covers the now-considerable oversight regime that governs GCHQ’s intercepts and other intelligence collection, Britain’s view of how the law of war applies in cyberspace, the prospects for UN talks on that topic, the value of attribution, and whether a national security agency should be responsible for civilian cybersecurity (the UK says yes, the US says no).

In the news, Nick Weaver and Matthew Heiman comment on the undying dumpster fire that is Bloomberg’s Chinese supply-chain-attack story. We may not know for sure whether the story is bogus, at least not for a while. But it’s not too late, I argue, to fund a journalist version of the Ig-Nobel Prize. Call it the Bullitzer, for the story with the most potent mix of consequences and BS. Right now, Bloomberg is definitely in the running.

Matthew tells us that Treasury has announced its CFIUS pilot program, which will require the filing of notices for Chinese acquisitions in 27 critical industries. I argue that this is one more sign that a predisposed bureaucracy has made President Trump a transformational president in terms of relations with China.

Speaking of bureaucratic predispositions, DOJ is carrying out its predisposition to haul Chinese spies into court. What’s remarkable is that it was able to do that from across the Atlantic. While not a cyberespionage case, the recent arrest and extradition of an accused Chinese economic spy is easy to read as DOJ's answer to those who say that indictments of government spies are ineffectual and a sign of weakness.

Everybody’s going to have to choose sides as Trump and Xi continue on their collision course. Except Google. At least according to Google, which bailed out of a Pentagon program because it didn’t meet Google’s values --oh, and because Google had no chance of winning the contract. Talk about virtue signaling on the cheap!

The EU’s virtue signaling isn’t nearly as cheap, at least for Google, which is now appealing a massive EU competition fine. I can’t help wondering who the hell uses Google Shopping to buy stuff; the EU fine feels like it must be $1 billion for every Google Shopping search ever conducted.

Nick reports on two troubling government reports. He believes one — worrying about the cybersecurity of DOD weapons systems . He’s less impressed by White House concerns about the health of the defense industrial base, having recently done some “Buy America” electronics procurement himself.

Finally, in the latest dog-bites-man story, Vietnam will force local data storage despite Silicon Valley’s protests. Nick, Matthew, and I explore the continuing delusion of US foreign policymakers that the Internet must be borderless and open and free.

Download the 235th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Bloomberg Businessweek’s claim that the Chinese buggered Supermicro motherboards leads off our News Roundup. The story is controversial not because it couldn’t happen and not because the Chinese wouldn’t do it but because the story has been denied by practically everyone close to the controversy, including DHS. Bloomberg Businessweek stands by the story. Maybe it’s time for the law, in the form of a libel action, to ride to the rescue.

Congress, astonishingly, has been doing things other than watch the Kavanaugh hearings. It produced a conferenced version of the FAA authorization including authority for DHS and DOJ to intercept drone communications and seize drones without notice or a warrant. This effort to get in front of dangerous technology yields the usual whines from the usual Luddite “technology advocates.” Meantime, Congress has also adopted a bill to change the name of DHS’s cyber and infrastructure security agency to, well, the Cybersecurity and Infrastructure Security Agency.

ZTE’s troubles continue, as a federal judge slammed the company for violating the terms of its probation. The judge extended ZTE’s probationary term and the term of its monitor – meaning the company now has two US monitors watching as it tries to rebuild its business.

The Trump Administration is following in the Obama Administration’s footsteps, Gus Hurwitz reports, trying to build consensus around norms for cyber conflict. I remain dubious, but at least this effort is limited to countries not actively engaged in cyber hostilities with the United States.

California has its own air pollution standards; why not its own net neutrality law? Probably because the FCC under Ajit Pai is not the EPA. Gus and I discuss whether any part of California’s law can withstand preemption.

The hits just keep on coming for the GRU, a formerly vaunted Russian intelligence service, which now can’t even keep secret the names of its most secret agents. Bellingcat, a private website, totally pantses the agency, outing not just its nerve agent operatives but 300 others for good measure. Piling on, the Justice Department indicts another batch of GRU operatives for hacking sports anti-doping authorities. Even Germany musters the courage to join the UK in fingering Russia for its cyberattacks while the mighty Dutch counter-hacking team joins in the sack dance.

Is the Turing test easier if you only have to convince Californians that you’re human? That may be the theory behind California’s SB 1001, making it unlawful for a bot to deceive a Californian about its botitude “in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”

More bad news for Justice in Silicon Valley, according to leaks from a court case in which the Department is rumored to have sought a court order forcing Facebook to cooperate in a wiretap of MS-13 members.

Finally, Dr. Megan Reiss reports, North Korea is apparently getting rich robbing banks. Surprisingly, though, it seems not to be robbing American banks. Yet.

Download the 234th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this news-only episode, Nick Weaver and I muse over the outing of a GRU colonel for the nerve agent killings in the United Kingdom. I ask the question that is surely being debated inside MI6 today: Now that he’s been identified, should British intelligence make it their business to execute Col. Chepiga?

On a lighter note, Uber is paying $148 million to state AGs for a data breach that apparently had no  adverse consequences and might not even have been a breach. That's a lot to pay just to show that the company is now under new and more responsible management.

About a year too late, a consensus of sorts is emerging among Republicans that Silicon Valley needs broad privacy regulation. The Trump Administration is asking for comment on data privacy principles. And the tech giants are pushing lawmakers for federal privacy rules. But the catalyst is an increasing need for federal preemption in the face of California’s new law, and the Dems who are expected to take the House will be hard to sell on preemption. So despite the emerging consensus, a logjam that lasts years could still be in our future.

The sentencing of an NSA employee for taking sensitive  hacking tools home – and getting them compromised by Kaspersky – leaves Nick with plenty of additional questions about the source of the tools disclosed by Russian proxies in recent years.

Evan Abrams gives us a summary of the NY AG’s report on virtual markets and cryptocurrency. Bottom line: New York is likely to pursue regulation with vigor.

Meanwhile, undeterred by NSA's inability to secure its own systems, West Virginia had embraced a mobile voting app for the 2018 election. Remarkably, despite its firm deployment of blockchain buzzwords, none of us thinks West Virginia has solved the security problem.

And in quick hits:

• The GRU is taking the “P” in APT way too seriously.
• A content moderator has sued Facebook, claiming that her job gave her PTSD. I think it probably did, but I doubt Facebook will be held liable.
• India’s Supreme Court has upheld, with limits, the government’s massive Aadhaar digital ID program.
• Facebook suffered a breach affecting 50 million user accounts and probably 40 million “log on with Facebook” accounts.  Will we hear about more?  Who knows?  We’re getting these facts piecemeal thanks to the EU’s dumb 72-hour deadline for reporting breaches under GDPR.
• President Trump says China is interfering in the 2018 elections. But unlike the Russian version, all of China’s fake news is on actual newsprint.
• Finally, a quick report roundup:
  • The EU is forcing Silicon Valley to restrict disinformation without actually defining, you know, disinformation. Probably because the EU doesn't want to admist that it thinks everything Trump tweets should be banned as disinformation.
  • DOJ’s otherwise pretty good best practices report sadly doubles down on hating hackback. Now with added rationales!
  • China is back to stealing our commercial secrets, but more quietly, think tanks report.
  • House AI report – pro: bipartisan; con: mostly content-free.
  • And here's yet another set of IoT security guidelines

Our guest is Peter W. Singer, co-author with Emerson T. Brooking of LikeWar: The Weaponization of Social Media. Peter’s book is a fine history of the way the Internet went wrong in the Age of Social Media. He thinks we’re losing the Like Wars, and I tend to agree. It’s a deep conversation that turns contentious when we come to his prescriptions, which I see as reinstating the lefty elite that ran journalism for decades, this time with even less self-doubt – and bolstered by AI that can reproduce elite prejudices at scale and without transparency.

In the News Roundup, Dr. Megan Reiss and Peter Singer join me in commenting on the White House and DOD cyber strategies. Bottom line: better than last time, plenty more room to improve.

God bless the Dutch. They’ve pwned Putin’s GRU again. In a truly multinational caper, as Nick Weaver explains, Dutch intel caught Russian spies planning cyberattacks on the Swiss institute that is investigating Russia’s nerve agent attack in Britain.

The downside of sanctions: China has joined with Russia in protesting sanctions on Russian weapons sellers that spilled over to the Chinese military. Maury Shenk and I worry about the risk that overuse of sanctions will create a powerful alliance of countries determined to neutralize the sanctions weapon.

Is it reckless to speculate that the gas fires in Massachusetts could be a cyberattack? I think it’s a fair question, to which we may not have the answer. Nick Weaver (mostly) persuades me I’m wrong.

Amazon finds itself in the sights of the European Commission over its dual role in hosting third party sellers. Maury explains why.

Putin’s enemies list, or a part of it, is disclosed when Google warns Senate staffers that their Gmail has been attacked. Maury and I congratulate Steptoe alum Robert Zarate for making the cut.

Looks like the Mirai botnet kids will be sentenced to help the FBI on cyber investigations.

And Megan sees the hand of Robert Zarate – now officially the Zelig of cyber conflict – in Marco Rubio’s letter to Apple asking why it was so slow to stop an app from sending American user data to China.

Download the 232nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Our interview this week (in our new studio!) is with Hon. Michael Chertoff, my former boss at Homeland Security and newly minted author of Exploding Data: Reclaiming Our Cyber Security in the Digital Age. The conversation – and the book – is wide ranging and shows how much his views on privacy, data, and government have evolved in the decade since he left government. He’s a little friendlier to European notions of data protection, a little more cautious about government authority to access data, and even a bit more open to the idea of letting the victims of cyberattacks leave their networks to find their attackers (under government supervision, that is). It’s a thoughtful, practical meditation on where the digital revolution is taking us and how we should try to steer it.

The News Roundup features Paul Rosenzweig, Matthew Heiman, and Gus Hurwitz – whom we congratulate for his move to tenured status at Nebraska. We all marvel at Europe’s misplaced enthusiasm for regulating the Internet. This fall the Europeans returned from their August vacation to embrace a boatload of gobsmackingly unrealistic tech mandates – so unrealistic that you might almost think they’re designed to allow the endless imposition of crippling fines on Silicon Valley.

In the last week or so, European institutions have pretty much shot the regulatory moon: Matthew sets out the European Parliament’s expensive and wrongheaded copyright rules. Paul covers the European Commission’s proposal that social media take down all terror-inciting speech within one hour, on pain of massive fines. Gus discusses the European Court of Human Rights’ ruling that GCHQ’s bulk data collection practices fail to meet human rights standards, though they can be fixed without dumping bulk collection. And I marvel that France is urging the European Court of Justice, which needs little encouragement to indulge its anti-Americanism, to impose Europe’s “right to be forgotten” censorship regime on Americans and on other users around the world. That’s a position so extreme that it was even opposed by the European Commission. Gus explains.

In other news, Paul outlines the National Academy of Sciences’ report, offering a sensible set of security measures for American voting systems. We all unpack the new California IoT security bill, which is now on the governor’s desk. I predict that, flawed though it is, ten more state legislatures could adopt the bill in the next year.

This Week in Social Media Bias: Paul tells us that Twitter has found a deep well of hate speech in … the United States Code. I tell the ambiguous story of offering up my Facebook account to verify claims of social media censorship.  And Gus reports that the Left has discovered a problem with fact checking for social media posts; to their surprise, it doesn’t always work in their favor.

In closing, we quickly touch on the meltdown of the world’s biggest identity database and The Intercept’s endlessly tendentious article trying to make a scandal out of IBM’s face recognition software, which can apparently search footage by skin color.

Download the 231st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

For those who've been waiting (and maybe hoping) that I'd be suspended from Facebook after I linked to infowars.com, we have an answer.

I began the experiment when a guy named Brandon Straka, leader of the conservative #WalkAway initiative, announced that he had been given a 30-day account suspension for linking from Facebook to his upcoming interview on infowars.  I couldn't believe Facebook was banning people for mentioning Alex Jones or his site, so I decided to put my own account at risk by doing the same. (If I were Cory Booker, I'd call it my "I am Spartacus" moment. But I'm not.)

A few hours later, with Straka getting a lot of clicks for his complaint, Facebook rescinded the ban, calling it a mistake. Straka claims Facebook didn't tell him the ban was lifted but did tell a hostile journalist, who then wrote a snarky article about the incident. 

So that's where things stand. Facebook's messages to Straka clearly show that his link to infowars triggered a 30-day suspension. Then the suspension was quickly reversed. Why? Presumably, whoever pulled the plug on Straka was overruled. But we don't know who issued the ban, or who lifted it, or why. Facebook apparently hasn't said anything publicly.

Lessons? First, now that being censored on social media is a surefire way to win conservative clicks, it's fair to assume that claims of censorship will proliferate, and not all of them will be true. Second, that doesn't mean they're all false, either. When it comes to the right, Silicon Valley almost certainly suffers from what the Valley used to call "epistemic closure" before the Valley embraced it. In that climate, "Sorry, mistake" isn't likely to mollify anyone.

So the right has good reason for its suspicion, and no way to get good evidence that might rebut it. To see if Alex Jones had indeed been turned into Voldemort, I had to put my Facebook account -- and a bit of my reputation -- at risk. And even then,  the fact that my account stayed up might simply show that the censors saw it as a trap that they were smart enough to avoid.

Bottom line: conservative concern about platform bias will continue to grow, and only radical transparency about platform standards and due process is likely to address that concern.

We are fully back from our August hiatus, and leading off a series of great interviews, I talk with Bruce Schneier about his new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. Bruce is an internationally renowned technologist, privacy and security commentator, and someone  whom I respect a lot more than I agree with. But his latest book opens new common ground between us, as we both foresee a darker future for a world that is digitally connecting things that can kill people -- without figuring out a way to secure them. Breaking with Silicon Valley consensus, we see security regulation in the Valley’s future, despite all the well-known downsides that regulation will bring. We also find plenty of room for disagreement on topics like encryption policy and attribution.

In the News Roundup, I ask Jamil Jaffer, Nate Jones, and David Kris for the stories that people who took August off should go back and read. Jamil nominates the fascinating-as-a-slow-motion-car-wreck story of Maersk’s losing battle with NotPetya. We speculate on whether the Russians caused $10 billion in worldwide damage by mistake or on purpose, and whether anyone other than a US government lawyer would call that indiscriminate attack a war crime.

David nominates the 179-page complaint against a North Korean hacker behind most of that country’s famous hacks. And, as a palate cleanser, the remarkable, score-settling, where-are-they-now story of the companies that challenged the FBI’s attribution of the Sony hack to North Korea.

Finally, I suggest spending some time with what might be called DCLeaks for good guys: Intrusion Truth, a website devoted to outing personal details about the government hackers who have been attacking Western companies. It (and Crowdstrike) provides an old-fashioned pantsing of China’s Ministry of State Security (MSS) – the sort of embarrassing doxing that allowed the MSS to take over much of China’s cyberespionage portfolio from the hapless People’s Liberation Army after it was outed several years ago.

In other news, a Five Country Ministerial (homeland security and immigration ministers from the US, UK, Australia, Canada, and New Zealand) issued a statement on encryption that seemed to threaten action, saying that if tech companies don’t address the ministers’ concerns, “we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.” While this group isn’t really the “Five Eyes” of SIGINT fame, that’s not very comforting for Big Tech, since the statement suggests a wider coalition and another step forward in the effort to bring Big Tech to heel on the issue.

Download the 230th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!