Skating on Stilts

For all the passion it has unleashed, President Trump's executive order on section 230 of the Communications Decency Act is pretty modest in impact. It doesn't do anything to undermine the part of section 230 that protects social media from liability for the things that its users say. That's paragraph (1) of section 230(b), and the order practically ignores it.

Instead, the order is all about paragraph (2), which protects platforms from liability when they remove or restrict certain content: "No provider or user of an interactive computer service shall be held liable on account of  … any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable."

This makes some sense in terms of the President's grievance.  He isn't objecting to Twitter's willingness to give a platform to people he disagrees with.  He objects to Twitter's decision to cordon off his speech with a fact-check warning, as well as all the other occasions on which Twitter and other social media platforms have taken action against conservative speech. So it makes sense for him to focus on the provision that seems to immunize biased and pretextual decisions to downgrade viewpoints unpopular in the Valley.

(I note here that the existence of a liberal bias in the application of social media content mediation is heavily contested, especially by commentators on the left. They point out, correctly, that the evidence of a left-leaning bias is anecdotal and subjective. Of course the same could be said of left-leaning bias in media outlets like the Washington Post or the New York Times. I'm friends with many reporters who deny such a bias exists. Yet most readers of these and other traditional media recognize that there is bias at work there -- rarely reporting the facts, but often in deciding which stories are newsworthy, or how the facts are presented, or past events are summarized. If you are sure there's no bias at work in the mainstream press, then I can't persuade you that the same dynamic is at work on social media's content moderation teams.  But if you have seen even a glimmer of liberal bias in the New York Times, you might ask yourself why there would be less in the decisions of Silicon Valley's content police, whose decisions are often made in secret by unaccountable young people who have not been inculcated in a journalistic ethic of objectivity.)

What's interesting and useful in the order's focus on content derogation is that it addresses precisely the claim that anticonservative bias isn't real. For it is aimed at bringing speech suppression decisions into the light, where we can all evaluate them.

In fact, that's pretty much all it's aimed at.  The order really only has two and a half substantive provisions, and they're all designed to increase the transparency of takedown decisions.

The first provision tells NTIA (the executive branch's liaison to the FCC) to suggest a rulemaking to the FCC. The purpose of the rule is to spell out what it means for the tech giants to carry out their takedown policies "in good faith." The order makes clear the President's view that takedowns are not "taken in good faith if they are "deceptive, pretextual, or inconsistent with a provider's terms of service" or if they are "the result of inadequate notice, the product of unreasoned explanation, or [undertaken] without a meaningful opportunity to be heard." This is not a Fairness Doctrine for the internet; it doesn't mandate that social media show balance in their moderation policies. It is closer to a Due Process Clause for the platforms.  They may not announce a neutral rule and then apply it pretextually. And the platforms can't ignore the speech interests of their users by refusing to give users even notice and an opportunity to be heard when their speech is suppressed. 

The second substantive provision is similar. It asks the FTC, which has a century of practice disciplining the deceptive and unfair practices of private companies, to examine social media takedown decisions through that lens.  The FTC is encouraged (as an independent agency it can't be told) to determine whether entities relying on section 230 "restrict speech in ways that do not align with those entities' public representations about those practices."

(The remaining provision is an exercise of the President's sweeping power to impose conditions on federal contracting. It tells federal agencies to take into account the "viewpoint-based speech restrictions imposed by each online platform" in deciding whether the platform is an "appropriate" place for the government to post its own speech. It's hard to argue with that provision in the abstract. Federal agencies have no business advertising on, say, Pornhub. In application, of course, there are plenty of improper or unconstitutional ways the policy could play out. But as a vehicle for government censorship it lacks teeth; one doubts that the business side of these companies cares how many federal agencies maintain their own Facebook pages or Twitter accounts. And in any event, we'll have time to evaluate this sidecar provision when it is actually applied.)

That's it.  The order calls on social media platforms to explain their speech suppression policies and then to apply them honestly. It asks them to provide notice, a fair hearing, and an explanation to users who think they've been treated unfairly or worse by particular moderators.  

I've had many conversations with participants in the debate over the risks arising from social media's sudden control of what ordinary Americans (or Brazilians or Germans) can say to their friends and neighbors about the issues of the day. That is a remarkable and troubling development for those of us who hoped the internet would bring a flowering of  views free from the intermediation of traditional sources. But you don't have to be a conservative to worry about how this unprecedented power could be abused.

In another context, I have offered a rule of thumb for evaluating new technology: You don't really know how evil a technology can be until the engineers who depend on it for employment begin to fear for their jobs.  Today, social media's power is treated by the companies themselves as a modest side benefit of their astounding rise to riches; they can stamp out views they hate as a side gig while tending to the real business of extending their reach and revenue. But every one of us should wonder, "How they will use that power when the ride ends and their jobs are at risk?" And, more to the point, "How will we discover what they've done?"

Such questions explain why even those who don't lean to the right think that the companies' control of our discourse needs more scrutiny. There are no easy ways to discipline the power of Big Tech in a country that has a first amendment, but the answer most observers offer is more transparency.

We need, in short, to know more about when and how and why the big platforms decide to suppress our speech.

This executive order is a good first step toward finding out.

Our interview is with Mara Hvistendahl, investigative journalist at The Intercept and author of a new book, The Scientist and the Spy: A True Story of China, the FBI, and Industrial Espionage, as well as a deep WIRED article on the least known Chinese AI champion, iFlytek. Mara’s book raises questions about the expense and motivations of the FBI’s pursuit of commercial spying from China.

In the News Roundup, Gus Hurwitz, Nick Weaver, and I wrestle with whether Apple’s lawsuit against Corellium is really aimed at the FBI. The answer looks to be affirmative, since an Apple victory would make it harder for contractors to find hackable flaws in the iPhone.

Germany’s top court ruled that German intelligence can no longer freely spy on foreigners – or share intelligence with other western countries. The court seems to be trying to leave the door open to something that looks like intelligence collection, but the hurdles are many. Which reminds me that I somehow missed the 100th anniversary of the Weimar Republic.

There’s Trouble Right Here in Takedown City. Gus lays out all the screwy and maybe even dangerous takedown decisions that came to light last week. YouTube censored epidemiologist Knut Wittkowski for opposing lockdown. It suspended and then reinstated a popular Android podcast app for the crime of cataloging COVID-19 content. Thanks to Google, anyone can engage in a self-help right to be forgotten with a bit of backdating and a plagiarism claim. And classical musicians are taking it on the chin in their battle with aggressive copyright enforcement bots and a sluggish Silicon Valley response.

In that climate, who can blame the Supreme Court for ducking cases asking for a ruling on the scope of Section 230? They’ve dodged one from the 2d Circuit already, and we predict the same outcome in the next one, from the 9th.

Finally, Gus unpacks the recent report on the DMCA from the Copyright Lobby Off, er, the Copyright Office.

With relief, we turn to Matthew Heiman for more cyber and less law. It sure looks like Israel launched a disruptive cyberattack on Iranian port facility. It was probably a response to Iranian cybermeddling with Israeli water systems.

Nick covers Bizarro-world cybersecurity: It turns out malware authors now can hire their own black-market security pentesters.

I ask about open-source security and am met with derisive laughter, which certainly seems fair after flaws were found in dozens of applications.

I also cover a Turing Test for the 21st Century: Can you sext successfully with an AI and not know it’s an AI? And the news from AI speech imitation is that Presidents Trump and Obama have fake-endorsed Lyrebird.

Gus reminds us that most of privacy law is about unintended consequences, like telling Grandma she’s violating GDPR by posting her grandchildren's photos without their parents' consent.

BEERINT at last makes its appearance, as it turns out that military and intelligence personnel can be tracked with a beer enthusiast app.

Finally, in the wake of Joe Rogan’s deal with Spotify, I offer assurances that the Cyberlaw Podcast is not going to sell out for $100 million.

Download the 317th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview guest, Peter Singer, continues to write (with August Cole) what he calls "useful fiction"– thrillers that explore the real-world implications of emerging technologies. His latest is Burn-In: A Novel of the Real Robotic Revolution, to be released May 26, 2020.  The thoroughly researched (and footnoted!) book is a painless way to understand the social and economic changes new AI and robotic technologies will make possible and their impact on actual human beings. The interview ranges widely over these policy implications, plus a few plot spoilers.

In the News Roundup, David Kris covers the latest Congressional FISA Follies, leading me into a rant on the utter irresponsibility of subjecting national security authorities to regular expiration – and equally regular ransom demands from the least responsible elements of Congress. Speaking of FISA, it turns out that the December Pensacola shootings were hatched by al-Qaeda's Yemen franchise. Why are we only learning this in May? Because the evidence comes from an iPhone whose security Apple refused to find a way around. The FBI's self-help solution worked in the end, but not until the trail had gone cold.

US-China decoupling is in overdrive this week. Nick Weaver talks about the move by the Trump Administration to achieve semiconductor self-sufficiency – and probably-not-coincidental announcements that TSMC will build a chip factory in Arizona and that the Commerce Department has drafted a new export rule aimed at making it much harder for TSMC to build chips for Huawei. In response, China is preparing a list of unreliable US suppliers of technology. I wonder whether putting companies on the list for diversifying their supply chain out of China will have the long-term effect of making companies more reluctant to open new supply relationships with Chinese companies.

David and I note that recent US accusations of Chinese and Iranian cyber intrusions on COVID-19 research may be more than just the usual imprecations.

And Nick explains why so many US professors are going to jail for undisclosed China ties. The key word is "undisclosed."

Mark MacCarthy previews France's (and Germany's and the EU's and the UK's) increasingly tough sanctions for US social media firms that fail to remove "hate speech" and other bad content within 24 hours (or sometimes one hour). More and more, it seems, Section 230 immunity is just a local US ordinance.

Mark and Nick review the latest trial balloon from Europe's technocrats: How about a Chinese firewall for Europe, ask apparently respectable policy thinkers working for the European Parliament.

David and Nick find themselves agreeing with the latest release from DHS's CISA pouring cold water on online voting.

In quick hits, David notes the Trump administration's now routine extension of the "telecom national security" Executive Order, Nick brings us This Week in NSO Bashing, I touch on a ransomware and doxing threat that has tripped up a celebrity law firm, and Nick and I muse on why cell phone contact tracing seems about to jump the shark.

We close with a surprising catfishing story that leads us into a discussion of the relative hotness of recent NSA directors and whether it's true that being dual-hatted makes you irresistible to women.

Download the 316th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

J.P. Morgan once responded to Teddy Roosevelt’s charge that his railway trust violated federal law by telling the President, “If we have done anything wrong, send your man to see my man, and we’ll fix it up.” That used to be the gold standard for monopolist arrogance in dealing with government, but Google and Apple have put J.P. Morgan in the shade with their latest instruction to the governments of the world: You can’t use our app to trace COVID-19 infections unless you promise not to use it for quarantine or law enforcement purposes.

The two companies are able to dictate this policy because between them they have about 99% of the phone OS market. That’s more control than Morgan had of US railways, and their dominance apparently gives them the clout to send a message that improves on Morgan's: “If you think we’ve done something wrong, don’t bother to send your man; ours is too busy to meet.”

Nate Jones and I discuss Silicon Valley overreach in this episode. (In that vein, I apologize unreservedly to John D. Rockefeller, to whom I mistakenly attributed the Morgan quote.) The sad result is that what began as a promising technological adjunct to covid-19 contact tracing has been delayed and muddled by ideological engineers in the Valley to the point where it isn’t likely to be deployed and used in a timely way.

Another lesson we draw in today’s episode is for authoritarian governments: Worry less about Cyber Command and more about NGOs. Citizen Lab has released a great paper making the case that WeChat monitors its users outside China, not to suppress their speech but to flag documents and images for later suppression inside China. Ironically, Matthew Heiman notes, Western users of WeChat who circulate human rights material are giving China’s censors the ability to hash and block that material as soon as it crosses the Great Firewall -- where it's really needed.

Meanwhile, Nate points out, Bellingcat has done for Russia’s GRU what Citizen Lab did for China. Perhaps inspired by Germany’s indictment of Dmitry Badin for hacking the Bundestag, Bellingcat doxes him to a fare-thee-well, finding his phone number, car registration, wife's home page, GRU office address, and preposterously bad password.

David Kris, meanwhile, explains the intersection of export control law and the Law of Unintended Consequences, as the US Commerce Department finds that its efforts to isolate Huawei may be excluding US firms from some standards bodies.

Anthony Anscombe joins us from Steptoe’s class action practice to unpack the recent Seventh Circuit decision on Article III standing and the second dumbest privacy law in the country – Illinois’s Biometric Information Privacy Act.

I note that Israel’s passive-aggressive Supreme Court, meanwhile, has found a second way to say, “Meh,” to the Israeli government’s use of intelligence capabilities to do contact tracing.

Matthew lays out what’s at stake as the Senate rewards the House’s “corona-cation” by trying again to pass its FISA bill. That may happen as early as today.

In short hits, every government's hackers are adding COVID-19 to their targets, going after everyone from the WHO to coronavirus researchers. And I make an effort to explain why Apple has brought a DMCA copyright lawsuit against Corellium. It’s all about the “chilling effect” on security research. And maybe one particular Five Eyes researcher, Azimuth. I make the case for Justice Department intervention on Corellium’s behalf – or at least Azimuth’s. Following up on last week's story, Banjo’s CEO finds himself canceled for his (bad) acts as a 17-year-old. And, finally, where is Jean-Paul Sartre when you need him? He’s the only one who can resolve the odd dispute over “authenticity” between Twitter and the US State Department.

Download the 315th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We begin the news with a US measure to secure its supply chain for a critical infrastructure – the bulk power grid. David Kris unpacks a new Executive Order restricting purchases of foreign equipment for the grid. As with all these measures, China is the unspoken target.

Nick Weaver, meanwhile, explains the remarkable extent of surveillance built into Xiaomi phones and questions the company's claim that it was merely acquiring pseudonymous ad-related data like others in the industry.

It wouldn't be the Cyberlaw Podcast if we didn't wrangle over using mobile phones to combat the coronavirus. Mark MacCarthy says that several countries – Australia, the UK, and perhaps France – are deviating from the Gapple model for  contact tracing. Several others, though, have bought in. India, meanwhile, is planning a much more government-driven approach to using phone apps to deal with the pandemic.

Mark ventures into even more contested territory in response to an article in The Atlantic by Jack Goldsmith and Andrew Woods, who argue that China has won the debate with John Perry Barlow over whether the Internet will be a force for free speech. Mark and I more or less agree, which sends me off on a rant about the growing self-confidence and ham-handedness of Big Tech as they get comfortable in their role as Guardians of What You Can't Say on the Internet. Things you can't say include plausible arguments about the still highly unsettled question of how best to deal with COVID-19 and descriptions of treatment options that have been entertained by President Trump without establishment approval, not to mention "unverified" statements (not, notably, false ones) that could cause "social unrest." Just reading such things, it turns out, will lead at least Facebook to track you down and tell you that it knows what you did and wants to correct your flirtation with thoughtcrime – a practice that earned it praise from Rep. Adam Schiff.

Nick and I note the difficulty Facebook is having getting out of FOSTA cases in Texas, and I ask why FOSTA hasn't already spelled doom for end-to-end encryption since it basically does what the EARN IT Act does, and all right-thinking Americans have been told that that act Spells Doom For End-to-End Encryption.

David explains why Amazon is facing tough new scrutiny from both parties: A Wall Street Journal article that questioned the accuracy of Amazon testimony before Congress has generated claims of perjury, a demand that Jeff Bezos testify, and suggestions that the administration open a criminal antitrust probe.

"You can't decouple from me! I'm decoupling from you!" That's the sentiment from Chinese officials, anyway, as they push forward with their own remarkably familiar supply chain security regulations. David explains that while the rules are similar to those in the United States, they're tougher and more likely to be implemented in a slow, inexorable way. And, of course, the United States is the unspoken target of them all.

Download the 314th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In today’s interview, I spar with Harriet Moynihan over the application of international law to cyberattacks, a topic on which she has written with clarity and in detail. We disagree politely but profoundly. I make the case that international law is distinct from what works in cyberspace and is inconsistent with either clarity or effectiveness in deterring cyberattacks. Harriet argues that international law has been a central principle of the post-1945 international system and one that has helped to keep a kind of peace among nations. It’s a good exchange.

In the News Roundup, David Kris and I discuss the state of Team Telecom, which is taking unwonted (but probably not unwelcome) fire for not being tough enough on state-owned Chinese telecom firms. Predictably, Team Telecom is going with the flow, and reportedly seeking to knock four such firms out of the US market.

Maury Shenk reports that Vietnam is suspected of hacking Chinese health authorities. In response to the accusations, the Vietnamese released what looks to me like a word-for-word clone of Chinese cyberespionage boilerplate denials. Sauce for the goose is sauce for the panda.

Gapple’s design for a COVID-19 tracing app isn’t the best way to track infections, I argue, but it’s all that Google and Apple are willing to let governments do, apparently because of Silicon Valley's exquisitely refined and self-evidently superior sense of privacy. Nick Weaver disagrees, arguing that the Gapple system preserves privacy and allows health authorities all the information that they really need. Governments are mostly falling in line with Gapple's demands, either because they buy Nick’s argument or because they have decided that Silicon Valley resistance has the ability to wreck any more centralized system. France is still fighting for its vision of contact tracing. Australia seems to be adopting a lightly tweaked version of the Gapple model. And Germany seems to be surrendering.

Several senators want Cyber Command and CISA to do more to deter coronavirus hackers, David reports. More importantly, he points out that asking a military organization to attack a civilian criminal gang raises a host of legal issues that should be sorted out before rather than after the attack begins.

Failure to protect your client from Chinese government hackers might be malpractice, a DC court rules. But as Maury points out, there’s a long road from winning a motion to dismiss to winning at trial, so the lesson to be drawn from this case won’t be certain for some time.

Three years later, the Shadow Brokers leak is making news, and still providing challenges for private security researchers. Nick reports on how a three-year-old leak led to the latest revelation of an unknown APT group.

Nick and I touch on confused reporting about the latest filing in the mud fight between Facebook and NSO Group over NSO’s hacks of WhatsApp customers. NSO, Facebook says, has used a lot of US servers in those attacks. That matters for the technical question of whether NSO can be sued in the United States, but the volume (several hundred instances) also suggests to Nick that NSO did more than throw exploits over the wall to its customers – it was arguably offering espionage as a service.

David dings IBM for its handling of a researcher’s disclosure of four zero-days – and that leads to a dive into what a good bug bounty program can and can’t do.

Maury notes that Amazon is getting new scrutiny for its handling of third-party sales data, including suspicions on Congress’s part that it may have been lied to. This isn’t the last we’ll hear of this story.

In quick hits, I am nonplussed by Vimeo’s willingness to outsource its definition of “hate group” to, well, a left-wing hate group, the Southern Poverty Law Center.

Nick celebrates the end to what he calls the “Asshat meets BlackHat” affair: Crown Sterling’s “defamation” lawsuit against BlackHat has been settled.

And Nick and I mark the surprising ouster of Marc Rotenberg, EPIC’s long-time director, over what might be called excessive attention to his own COVID-19 privacy.

Download the 313th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, I interview Thomas Rid about his illuminating study of Russian disinformation, Active Measures: The Secret History of Disinformation and Political Warfare. It lays out a century of Soviet, East European, and Russian disinformation, beginning with an elaborate and successful operation against the White Russian expatriate resistance to Bolshevik rule in the 1920s. Rid has dug into recently declassified material using digital tools that enable him to tell previously untold tales – the Soviets' remarkable success in turning opposition to US nuclear missiles in Europe into a mass movement (and the potential shadow it casts on the legendary Adm. Hyman Rickover, father of the US nuclear navy), the unimpressive record of US disinformation campaigns compared to the ruthless Soviet versions, and the fake American lobbyist (and real East German agent) who persuaded a West German conservative legislator to save Willy Brandt's leftist government. We close with two very different predictions about the kind of disinformation we'll see in the 2020 campaign.

In the news, David Kris, Nick Weaver, and I trade perspectives on the Supreme Court's grant of certiorari on the question when it's a crime to access a computer r “in excess of authority.” I predict that the Justice Department's reading of the Computer Fraud and Abuse Act will lose, but it's far from clear what will replace the Justice Department's interpretation.

Remember when the House left town without acting on FISA renewal? That's looking like a worse and worse decision, as Congress goes weeks without returning and Justice is left unable to use utterly uncontroversial capabilities in more and more cases. Matthew Heiman explains.

In Justice Department briefs, all the most damaging admissions are down in the footnotes, and it looks like that's true for the inspector general's report on the Carter Page FISA. Recently declassified footnotes from the report make the FBI's pursuit of the FISA order look even worse, in my view. But at the end of the day, the footnotes don't add much to suspicions of a partisan motivation in the imbroglio.

Speaking of IG reports, the DOD inspector general manages first to raise the possibility that Amazon was the victim of political skullduggery in the big DOD cloud computing award and then to find a way to stick it to Amazon anyway. Meanwhile, the judge overseeing the bid protest gives the Pentagon a chance for a do-over.

Matthew covers intel warnings about China-linked ‘Electric Panda’ hackers and the Syrian government spreading malware via a coronavirus apps. And David notes that a Zoom zero-day is being offered for $500,000.

Nick and I mix it up, first over the Gapple infection tracing plan and their fight with the UK National Health Service and then over Facebook’s decision to suppress posts about anti-lockdown demonstrations that violate the lockdown. I think that's highly questionable and not something Facebook would be doing if the first demonstrations had been Black Lives Matter activists in Detroit – or regime protestors during the Arab Spring for that matter. Nick thinks it's the best way to treat a "zombie death cult serving haterade." So, all in all, exactly the restrained and civil exchange of views you've come to expect from the Cyberlaw Podcast.

Download the 312th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Google and Apple have released specifications for how to use a mobile phone to track coronavirus infections. That’s good news. As the country moves toward at least partial resumption of normal life, we’re likely to need good tracking capabilities to avoid a second peak in infections, and that can’t be done without the cooperation of Google and Apple.

But the more I study the design that these companies are promoting, the less attractive it looks. To be blunt, I think the companies were so eager to avoid criticism from privacy groups and Silicon Valley libertarians that they produced a design that raises far too many barriers to effectively tracing infections. The good news, though, is that Google and Apple won’t have the last word. The two companies are creating an absolutely essential set of tools, or APIs, that will allow other tracking apps to interact with phone operating systems. They’ve also sketched what might be described as the default tracking system that they intend to implement “while maintaining strong protections around user privacy.”  This default system is less essential, and a good thing too. The Google/Apple default tracking system is seriously flawed, mainly because it elevates privacy over effectiveness. Luckily, national health systems will be free to write better, more workable tracking apps that can still plug into Google and Apple operating systems without buying into the questionable choices those companies seem to favor.

Public health agencies have tracked infections as a way of stopping the spread of disease for more than a century, and not just for pandemics. It’s a routine part of the public health response to syphilis and other sexually transmitted diseases. The process is straightforward. If someone tests positive for an infectious disease, health authorities ask for a list of all his contacts while he had the disease. They track those people down, treat or quarantine them, and then get a list of their contacts. Eventually, everyone in the chain of infection is accounted for, and the chain is broken. COVID-19 is a challenge to this model because asymptomatic infection is so easy, which makes it hard to recreate all of a COVID-positive person’s contacts. Which is what makes mobile phone tracking so attractive. An app that knows where you’ve been for the last two weeks allows a reconstruction of your contacts that your memory can’t match. That’s why there’s been such an emphasis in many countries on using location data for infection tracking. But as the initial enthusiasm encountered reality, public health officials realized that location data on phones was not well-suited to the task. It wasn’t detailed enough, gathering everyone’s locations over the length of the emergency felt unnecessarily intrusive. Singapore came up with a better approach: using not location data but an exchange of Bluetooth signals between the phones of people who were actually close to each other for a period of time. Then if one of them tested positive, the health authorities could collect the contact data and send alerts to everyone who had exchanged signals with the infected party.

But Singapore’s system did not work well with the Android and iOS operating systems.  It only worked if Bluetooth was actively seeking connections all the time, which often required that the phone be continually unlocked. The app still hasn’t achieved more than about twenty percent market share.

Google and Apple soon realized that for such a system to work, they would have to adapt the operating system to the needs of a disease tracking app. That’s why they are developing new APIs. At the same time, their engineers seem to have decided that they could make an app that worked like Singapore’s but had more privacy protections. That idea is the source of the default tracking app they are promoting.

It’s also the source of most of the problems with the default app. Probably the biggest mistake the default app makes is trying to build a tracing system will be completely independent of any central health authority.  That’s not realistic or wise. Real-world disease tracing systems like Singapore’s (and like those of the United States for a century) all rely on the public health authorities to identify infected people, collect their contacts, and notify those at risk. But Silicon Valley is in love with a “trust no one” approach to security that is grounded in an assumption that centralized systems can be abused if authoritarian governments get access to the data. That’s always possible, but the risk is pretty modest in this case since the only data at issue is two weeks’ worth of contacts. And any authoritarian government worth its salt could get far more location and contact data simply by subpoenaing Google’s adtech files. Nonetheless, Google and Apple are pushing a default app that does not depend on centralized administration and therefore is guarded against that particular abuse.

But in preventing abuses from the center, such an app would invite many abuses from the edge. The design seems to envision a regime in which testing results are known to health authorities, but the place and identities of those who’ve come into contact with each other are never disclosed. That means the health authorities can tell someone who tests positive to notify his contacts, but they will have no way of knowing whether he follows their advice. Predictably, some people won’t.  Maybe they’ll forget. Maybe they’ll be worried about retaliation from those they’ve exposed. And maybe they’ll just be freeloaders who wanted to be notified if they were at risk but have no interest in notifying others. By leaving the decision to the user, and even creating additional barriers to notification with a separate “consent to notify” hurdle, the default design from Google and Apple compromises public health in the name of privacy

Other abuses are made possible by the designers’ preference for keeping information from the authorities. In the default design, those getting a notification are told only that they’ve been near an infected person, but not who and not where. Anonymity breeds irresponsibility, as many Zoom users learned in recent weeks. Surely some irresponsible app users will be delighted to cause random grief by sending out false infection alerts to everyone with whom they’ve been in contact. Google and Apple say that they can prevent that by having public health authorities verify test results. But a verification process, such as cryptographic signing of test results, is likely to add substantially to notification friction.

The same effort to keep data out of the hands of a central administrator leads the Google and Apple engineers to store and process all contact data locally on the phone.  This is bad news for anyone who loses or has to reset their phone.  It looks as though, under the default Google/Apple design, those already unfortunate people also lose their contact records and thus run the risk of missing a notice that they may have been exposed. Indeed, as far as I can see, the design doesn’t even allow people to store a backup of their contacts in the cloud.  Similarly, suppose a person using the app comes to the health system’s attention by collapsing in public, or dying before they make it to the hospital, as all too many victims have. In that case, it would be impossible to trace the person’s contacts or notify those affected. Apple’s famously law-enforcement-hostile phone design will ensure that the authorities cannot open either the phone nor the app.

That’s a lot of dysfunction to suffer just to avoid the theoretical risks of a centralized infection tracing system like the ones we’ve been using for the last hundred years.

A related problem is that Google and Apple seem to assume that infection tracing needs the same kinds of user consent as a weather or traffic app. (And, to be fair, the designers may believe that more privacy features will induce more users to download the app.) But it’s increasingly clear that to be effective, a tracing app is going to require a market share well over 50%. That can’t be achieved by throwing something into the app store and waiting for users to find it.  Even though Singapore’s app has substantial privacy protections and its populace is generally compliance-minded, its app is being used by less than a fifth of the population. In fact, as I’ve said before, it’s likely that mobile phone infection tracking will only work if Google and Apple are required to install such an app automatically on Androids and iPhones, the way Apple Maps or iTunes updates are auto-downloaded.  (Apple is, after all, famous for having automatically sent all its users a U2 album that none of them ordered; last time I checked.) Google and Apple have said that they intend to add a contact tracing platform to their phone operating systems, though it’s not clear that the feature will be on by default.

At the end of the day, the purpose of infection tracing is to notify people who may have been infected. Unfortunately, without a lot of changes, the Google/Apple system will make notification a lot less likely. First, in an effort to reduce the role of central authorities, the app design separates testing from contact tracing, so the health authorities who do the testing can’t confirm that the contacts got notice of the result. Instead, the design imagines that someone who tests positive will be given the option of sending notice. That means friction every step of the way -- a user who tests positive must remember to send the notice, open the app, navigate the “do you really consent?” screen, and wait for the notification to upload.  And all of those steps depend entirely on the user’s sense of social responsibility.  That’s just a bad idea. At a minimum, public health authorities need to be able to tell who tested positive but didn’t send notifications.  That would allow the authorities to ping those who didn’t notify others, reminding them to do so. It would also allow the health authority to impose fines or other sanctions on those who use the system to protect themselves but not others.

Finally, Google and Apple’s assumption that tracking apps should keep location data away from health authorities leads to absurd results.  It’s quite true that in most cases, there’s no need to record the exact location where each contact occurred. What matters most is just whether one person was in close proximity to another. But there are times when location matters too. Someone who gets a notice and can’t figure out how the contact occurred might want more data before quarantining himself; maybe there was a wall that Bluetooth didn’t recognize between him and the infected party, or perhaps they were standing outside with a breeze blowing between them.  I suspect that few people will thank Google and Apple if we end up with an American tracking app that assumes that it’s better for them to endure an unnecessary two-week quarantine than for them to tell health authorities the location of their potential infection.

Being able to get precise location data in at least some cases will be especially important if commerce resumes and the app is not universally adopted. Suppose that an infected person spends time at a Starbucks, where a quarter of the people in the shop have installed the Google/Apple app. When the infected person sends out a notice, only a quarter of the customers will get it. But some of them will suspect that the contact was at Starbucks. Without knowing the infected person’s location data; authorities would have no idea where the exposures occurred. What if health authorities want to find the other customers, plus the barista? It wouldn’t be that hard if they knew the place and time of the infected person's visit. The barista’s hours are already recorded by Starbucks, and customers who were there at the time could be found through payment records. But it appears that the Google/Apple app makes no provision for public health authorities being able to identify hotspots by time and location. In fact, in the world the two companies envision, potentially infected parties themselves apparently won’t know for sure where their exposure occurred.

These are a lot of problems, most of them stemming from design assumptions that start in the wrong place, privileging decentralization and anonymity over the goal of defeating the virus. Don’t get me wrong. Google and Apple deserve a lot of credit for having stepped up to the challenge of providing essential APIs. We’re going to need their help to get it onto phones all over the country. But the companies also have blind spots and a fear of getting crosswise with privacy advocates is one of them. This means mean we can’t simply trust them to set the parameters for a tracing app that does what we want in the real world.

And we don’t have to. Pandemics force us to trust elected leaders with great power over individuals and businesses. State governments have ordered people to stay home even at the cost of their jobs. Governors have been given authority to seize private supplies of ventilators and to close otherwise lawful businesses and gatherings -- even church services on Easter.   And as I’ve written before at greater length, 40 states have adopted a post 9/11 public health emergency law that gives governors broad authority to intervene in private industry to respond to crises. This authority extends even to companies that deal in “communication devices.” If they can mandate that people sacrifice jobs and access to in-person religious services, surely state governors can also order companies like Google and Apple to build an interface that works with tracking apps that actually fit society’s needs and not Silicon Valley’s conventional wisdom.

The Cyberspace Solarium Commission’s report was released into the teeth of the COVID-19 crisis and hasn’t attracted the press it probably deserves. But the commissioners include four sitting Congressmen who plan to push for adoption of its recommendations. And the Commission is going to be producing more material – and probably more press attention – over coming weeks. In this episode, I interview Sen. Angus King, co-chair of the Commission, and Dr. Samantha Ravich, one of the commissioners.

We focus almost exclusively on what the Commission’s recommendations mean for the private sector. The Commission has proposed a remarkably broad range of cybersecurity measures for business. The Commission recommends a new products liability regime for assemblers of final goods (including software) who don’t promptly patch vulnerabilities. It proposes two new laws requiring notice not only of personal data breaches but also of other significant cyber incidents. It calls for a federal privacy and security law – without preemption. It updates Sarbanes-Oxley to include cybersecurity principles. And lest you think the Commission is in love with liability, it also proposed tort immunities for critical infrastructure owners operating under government supervision during a crisis. The interviews cover all these proposals, plus the Commission’s recommendation of a new role for the Intelligence Community in providing support to critical US companies.

In the news, Nick Weaver and I dig deep into the Google and Apple proposals for tracking COVID-19 infections. I’ve got a separate post in the works on the topic, but the short version is that I think Google and Apple have dramatically overvalued privacy interests and downgraded the job of actually tracking infections. Nick disagrees, believing that the privacy interests aren't actually conflicting with the tracking goals, but we agree that the app should operate on an opt-out basis, not opt-in.

The Great Decoupling, part 278: It looks as though China Telecom will be getting the boot from US telecom markets, at least if Team Telecom has anything to say about it. And speaking of Team Telecom, Brian Egan tells us that it has a new charter and a new, catchy acronym: CAFPUSTTSS!

Nick and I dig into a Ninth Circuit decision that may be heading for the Supreme Court. It holds that Facebook can be held liable for wiretapping when it gets information from its widely deployed “like” buttons on third-party sites.

Fish gotta swim, birds gotta fly, and the EU gotta regulate tech, coronavirus or no coronavirus. Maury Shenk reports, bemusedly. Matching him bemusement for bemusement, Nick tries to explain a French ruling that Google must pay news outlets to link to their content (and can’t stop linking to the outlets).

Maury explains the 5G-coronavirus conspiracy that has Brits burning cellular masts. And Nick explains how to make a “smart” lock spill its secrets, and how to fall foul of the FTC.

And in quick takes, the COVID-19 cyber threat has the US and UK authorities joining hands against cyberattacks, the Australian government is hacking criminals who are exploiting coronavirus, and we get a look at a future in which IoT devices defect to foreign intelligence agencies.

Download the 311th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

.

David Kris, Paul Rosenzweig, and I dive deep on the big tech issue of the COVID-19 contagion: Whether (but mostly how) to use mobile phone location services to fight the virus. We cover the Israeli approach, as well as a host of solutions adopted in Singapore, Taiwan, South Korea, and elsewhere. I’m a big fan of Singapore, which produced in a week an app that Nick Weaver thought would take a year.

In our interview, evelyn douek, currently at the Berkman Klein Center and an SJD candidate at Harvard, takes us deep into content moderation. Displaying a talent for complexifying an issue we all want to simplify, she explains why we can’t live with social platform censorship and why we can’t live without it. She walks us through the growth of content moderation, from spam, through child porn, and on to terrorism and “coordinated inauthentic behavior” – the identification of which, evelyn assures me, does not require an existentialist dance instructor. Instead, it’s the latest and least easily defined category of speech to be suppressed by Big Tech. It’s a mare’s nest, but I, for one, intend to aggravate our new Tech Overlords for as long as possible.

Returning to the News Roundup, Nate Jones and evelyn mull the head-spinning change the virus has made in the public reputation of Big Tech, but Nate wonders if Silicon Valley's PR glow will last.

Meanwhile, China is celebrating its self-proclaimed victory over COVID-19 by borrowing Russian tactics to spread coronavirus disinformation. I argue that any country adopting Russia’s patented “Who knows what’s true?” tactics probably has something to hide. Because the Russians usually do.

We take advantage of evelyn’s Aussie ties to get a translation (and an apology) for Australia’s latest venture into the business of blocking graphic violent content.

David and Paul review the White House’s National Strategy for 5G Security. They talk for two minutes, but they say more than the strategy does.

The House of Representative has irresponsibly bolted for home without even a temporary reauthorization of expiring FISA authorities. Paul and David explain why that isn’t quite the disaster it sounds like. Quite.

The NYT finds more AI bogus bias, and I invent a new term for the practice of pretending AI is a man and then attributing racism to him. We’ll see if misanthropomorphism catches on once I learn to say it without stumbling.

David says the Justice Department has brought the first fraud case stemming from the coronavirus crisis, and I suggest that case itself has a whiff of false advertising about it.

Amazon is complaining that the Pentagon is trying to fix some of the contract award problems in the big DOD cloud procurement. Paul is more sympathetic than I am.

And Paul questions the wisdom of failing to delay CCPA enforcement while the coronavirus rages across California.

Download the 308th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

.

One of the keys to slowing a pandemic is to trace infections: Find one person who’s infected. Identify, test, and quarantine all his contacts. Then trace, test, and quarantine his contacts’ contacts. Repeat until you run out of potential victims. This is pretty much the strategy followed during the current coronavirus outbreak by countries such as Singapore, South Korea and Taiwan. All three were faster off the mark than the U.S. or Europe, largely because their experience with SARS and MERS was so traumatic that they built the legal framework and the muscle memory to act quickly in the next outbreak.

The U.S. didn’t take this approach, and it was particularly hampered by botched testing at the Centers for Disease Control and Prevention and the Food and Drug Administration, from which we still haven’t completely recovered. Tests are becoming available much faster now, but widespread testing and tracing may not be feasible in places that have been hit hard, such as New York and New Jersey. In those states, more than 30 percent of the people tested have already been infected. But there are other states, such as New Mexico or Minnesota, where testing has been growing fast and infection rates are low enough that tracking infections looks like a feasible strategy. With the caveat that these numbers are undoubtedly distorted by who gets tested and how results get reported, there are still striking differences in the results among states, according to statistics compiled by the Covid Tracking Project and adjusted per capita by Buzzfeed:

For places like Minnesota, New Mexico and even Washington, President Trump may have been right when he suggested that some parts of the country could use a strategy other than lockdowns to fight the virus. If so, the best alternative will be aggressive testing and contact tracing.

The countries that did contact tracing the most effectively relied in part on technology—phone location tracking, in particular. They’ve used the location services already built into mobile phones to find others who’ve been close to those who test positive. Privacy and civil liberties advocates hate the idea in principle, but they know no one values the privacy of their location history more highly than they value the lives of their loved ones. Rather than argue directly against phone tracking, privacy advocates such as Susan Landau have instead fallen back on a couple of practical objections.

First, they argue, we don’t have enough tests to imitate Asia. Really? I know the press is full of stories about U.S. testing shortages, and there are indeed supply bottlenecks in everything from protective gear to reagents. But a Trump-loathing press has every incentive to dwell on testing shortages as an emblem of administration errors at the start of the outbreak. In fact, testing capability in the U.S. is rising dramatically. Nationwide, testing has risen from a risible level—less than a thousand in early March—to 894,000 as of March 28. And new testing capabilities are coming online fast. The test-shortage argument may have been correct relatively recently, but if it still has merit, it won’t for long.

Indeed, we may soon have enough tests for some governors to mandate South Korean-style tracking and tracing. In fact, South Korea dodged disaster with a testing rate that isn’t any higher than New York’s or Washington’s today (around 730 per 100,000). Even more remarkable, Japan and Vietnam flattened their infection curves with per-capita testing rates that are even lower—well under 40 per 100,000.

To get a tracking program in place, we’ll need to use phone data; the alternatives are too slow and rely too much on fallible memories. Which brings us to the privacy advocates’ second argument: that phone location technology won’t do the job.

They have a point. Routine cell-sector data might identify a phone’s location within a few blocks—not exactly a fine tool for measuring the risk for infection. While triangulation and other tricks can improve that resolution substantially, it usually can’t say what floor of a large building the customer was on, and in many cases, such fine-grained resolution isn’t routinely collected. GPS signals are great if the user is outside, but not inside.

What public health officials need is a tool that will tell them who the phone’s owner has been close to—really close, like six feet or less. Luckily, the Singapore government has developed an app that does exactly that—and it’s open sourcing the software for the world. The app, called TraceTogether, uses Bluetooth to find nearby phones the way it finds our car audio or wireless earbuds.

The basic idea is simple: If two people who’ve downloaded the app come within six feet of each other and stay there for half an hour, their phones exchange unique identifiers and each phone logs the contact in encrypted memory. It remains encrypted unless one of them turns up positive for the virus. If that happens, public health officials ask for the phone’s contact log, translate the unique identifiers into phone numbers, and quickly call everyone who came within electronic range of the infected person. There are plenty of privacy safeguards built in: The logs never leave the user’s phone without his or her consent, and other users can’t learn anything about the people around them from the identifier.

In short, the app addresses most of the practical and privacy objections that American privacy advocates have put forward. It could be a game changer for states like Minnesota and New Mexico that already have strong testing programs and haven’t yet been swamped by the virus. They should be acting now, talking to Singapore officials and mobilizing local tech talent to adapt the tool and construct the back-end processes needed to get a state version off the ground.

For the app to work, it needs to be installed on a lot of phones. Some people will install it without much prompting. Who wouldn’t want to be called if they’ve unknowingly crossed paths with a coronavirus carrier? And many of us would be glad to have a log of our contacts if we test positive, instead of trying to reconstruct contacts from memory.

But asking people to download an app means delays and gaps in coverage, especially when some privacy advocates are dragging their feet, claiming as we’ve seen that the technology won’t work or arguing that it should wait until a regulatory regime has been enacted. To jump-start the program, governors should ask Apple and Google to auto-download the app to every phone in their states, along with a message explaining why users should activate it.

Actually, the governors probably don’t need to ask. Some 40 states have adopted one version or another of a model public health emergency law promulgated after 9/11. The law gives governors explicit authority to issue orders seizing “materials and facilities as may be reasonable and necessary to respond to the public health emergency.” Those facilities expressly include “communication devices,” and there’s no good reason to exclude the Android and Apple app stores from the authority.

In fact, if push comes to shove, the governors likely have authority to require that residents of their states activate the app. The law grants individual states the  emergency authority to conduct “any diagnostic or investigative analyses necessary to prevent the spread of disease.” And, since Apple and Android know which apps we’ve activated, they could be ordered to identify those who haven’t registered for contact tracing. The federal law prohibiting disclosure of subscriber information to governments without a subpoena contains an express exception for “an emergency involving danger of death or serious physical injury to any person.”

In short, a forward-leaning approach to high-tech contact tracing is feasible. It could save many lives and get the economy back on track much faster. It’s time for governors in less affected states to do this.

If more incentive is needed, there’s one more thing. There’s a good chance that the governor who makes this work will end up running for president on the strength of that performance in four years. And perhaps even sooner.

President Trump is growing so worried about the economic impact of covid-19 that he’s talking about drastic action, including ending the lockdown in states that haven’t seen lots of infections. He’s right to be worried and right to be looking for dramatic solutions. He may even be well-served in this case by his skepticism about giving government public health experts the last word on fateful economic decisions, for reasons I’ll discuss. But ending the lockdown in states with low infection numbers is the wrong answer when we haven’t tested widely; many of these states almost certainly have an underground contagion that will explode as soon as the lockdown is lifted.

There are, however, responsible alternatives that might address the underlying concern.Instead of easing the lockdown state by state, we could do it person by person.  Specifically, we could end the lockdown for people who have already recovered from COVID-19. These people offer something we badly need right now:  A workforce that probably can’t get infected and probably can’t infect others. I say probably because there is plenty we don’t know. But there is reason to believe that people who recover from the coronavirus pose much less risk of infecting others and face less risk of being reinfected themselves. There’s still much uncertainty on both counts, but that’s the way to bet.

Which means that recovered coronavirus patients could be a vital resource for public health and for the economy. They can work directly with people still fighting for their lives in hospitals. They can tend to the elderly without fear of spreading the disease. Indeed, it’s possible that their blood plasma can be used to treat the sick. And, as their numbers increase over coming weeks, they can take on other jobs that call for close interactions with the uninfected – grocery and pharmacy sales, Uber drivers, and the like. They’ll suddenly be in high demand, and just in time, since many of them have been thrown out of work by the mass lockdowns. Instead of living off stimulus payments, they’ll be earning good money, performing critical jobs, and free to go out and spend it without fear.

By itself, ending the lockdown for those who’ve recovered from the virus won’t end the economic crisis. They are a tiny population in the US right now, but one that’s growing about as fast as infections did last month, which is to say it should be more or less doubling every few days. (In Italy, a couple of weeks ahead of us, there are 8300 recovered patients.) Ending their lockdown would allow both a real and a symbolic step toward economic normalcy, not to mention the public health benefits it would offer at a time when we need as many safe caregivers as we can muster.

What would it take to free up this resource?  Three things.

First, we cannot simply presume recovered patients are safe. We need the best available public health data about recovered COVID-19 patients, to get answers about when they stop being contagious and their resistance to reinfection. It is important to note, that even with more data, we are unlikely to get complete certainty on either point, and even the recovered will need to take precautions while out and about. But the decision to end their lockdown—in the face of some degree of uncertainty—should take into account economic, as well as health, risks.

This is where the President’s famous suspicion of expertise might do him some good. The government’s public health officials are indeed experts, but only in one part of the crisis we now face. They are ruled by the same incentives that govern all bureaucracies, as the recent CDC and FDA testing failures should remind us. And the bureaucratic incentive for public health officials is to maximize public health. 

As professionals, they’ll be judged by their success in suppressing the virus – not by their role in restoring the economy. To ensure that the desperate state of the economy gets proper weight, it’s entirely appropriate for the President to force a decision now, using public health officials’ best guess about infection and reinfection risks – even if the uncertainty makes them uncomfortable. The stakes are higher here than usual, but this is the kind of call we have Presidents for.

Second, we need good ways to identify the recovered. Tests for the virus identify people who have the infection; we also need to identify recoveries by testing for the antibodies that show the virus has come and gone. Those tests are on the way, but they’re caught up in FDA approval processes. The administration should be pushing the FDA to act faster. Because until we have those tests, we’re going to have to rely on doctors to write letters identifying patients who have recovered from the virus.

Third, this system requires a mechanism to enforce rules that end lockdown for some people and not others. Because we will need to rely on physician letters at the start, we should set uniform standards for representations from doctors. And the government should make clear that false claims of recovery can be criminally prosecuted as fraud. (If this proves insufficient, states and the private sector could issue 3-D barcodes to help stores, hospitals, and lockdown enforcers verify claims of recovery using a mobile phone. Similar systems are currently used across Asia.)

Most importantly, if we want this to work, we need to do all of these things now, and as impatiently as possible.

Which, of course, is where President Trump comes in. We’ve never needed his famous impatience more -- as long as he can keep it well-targeted.

That’s the question I debate with David Kris and Nick Weaver in this episode, as we explore the ways in which governments are using location data to fight the covid-19 virus. Phone location data is being used both to enforce quarantines and to track contacts with infected people.  It’s useful for both, but Nick thinks the second application may not really be ready for a year – too late for this outbreak.

Our interview is with Jason Healey, who has a long history with Cyber Command and a deep recent oeuvre of academic commentary on cyberconflict. Jay explains Cyber Command’s doctrine of “persistent engagement” and “defending forward” in words that I finally understand.  It makes sense in terms of Cyber Command’s aspirations as well as the limitations it labored under in the Obama administration, but I wonder if in the end it will be different from “deterrence through having the best offense.” Nothing wrong with that, in my view – as long as you have the best offense by a long shot, something that is by no means proven.

We return to the news to discover the whole idea of sunsets for national security laws looking dumber than it did when it first saw the light of day (which is saying something). Several important FISA authorities have expired, Matthew Heiman reports.  That's thanks to Sens. Rand Paul and Mike Lee, I might add (though Nick blames President Trump, who certainly put his boot in too). Both House and Senate passed measures to keep FISA authorities alive, but the measures were completely different and out of sync.  Maybe the House will fix the problem this week, but only by extending the deadline for a couple of months.  Because of course by then we’ll be rested and ready, in the middle of a contagion and a Presidential campaign, for a  debate over Sen. Paul’s proposal to make it harder to wiretap and prosecute Americans who spy for foreign governments.

Maybe before they did all that naming and shaming of Russian government hackers, federal prosecutors should have worked on their aiming: The US Justice Department has now dropped Robert Mueller’s charges against a sponsor of Russian electoral interference, Matthew tells us. We explore two fever-dream narratives – that the whole prosecution was part of a witch hunt and that the Attorney General is just sabotaging Bob Mueller’s righteous crusade. You don’t have to believe either to conclude that the Mueller team should have thought a little more about how it would try the case and a little less about how convenient it was to be able to tell the IRA story in an indictment. CyberScoop – Wall Street Journal

There’s another major leak about government skullduggery in cyberspace, David tells us, and Wikileaks is, uh, nowhere to be seen.  That’s because the skulldugging government in question is Vladimir Putin’s, and Wikileaks is looking more and more like Putin’s lapdog.  So it falls to a group called Digital Revolution to publish internal FSB documents showing Russia’s determination to acquire a huge DDOS network, maybe enough to take whole nations offline.

Alan Cohn makes a guest appearance to discuss the role that DHS’s CISA is playing in the covid-19 crisis.  And it has nothing to do with cybersecurity.  Instead, CISA is ensuring the security of critical infrastructure around the country by identifying facilities that need to keep operating, notwithstanding state lockdown orders.  We talk about the federalism crisis that could come from the proliferation of critical infrastructure designations but neither of us expects it soon.

Here’s a surprise: Russia is deploying coronavirus disinformation, claiming that it is a US bioweapon. Uncharacteristically, I find myself praising the European Union for flagging the campaign.

Nick talks about the ambiguity of the cyberattack on Norsk Hydro, and I raise the risk that companies may stop releasing attribution information pointing to nation states because doing so may undercut their insurance claims.

Finally, we wrap up the story of ex-Uber autonomous driving executive Anthony Levandowski, who pled guilty to trade-secret theft and is likely headed to prison for a year or three.

Download the 307th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

If your podcast feed has suddenly become a steady diet of more or less the same COVID-19 stories, here’s a chance to listen to cyber experts talk about something they know – cyberlaw. Our interview is with Elsa Kania, adjunct senior fellow at the Center for a New American Security and one of the country's most prolific students of China, technology, and national security. We talk about the relative strengths and weaknesses of the artificial intelligence ecosystems in the two countries.

In the news, Maury Shenk and Mark MacCarthy describe the growing field of censorship-as-a-service and the competition between US and Chinese vendors.

Elsa and I unpack the report of the Cyberspace Solarium Commission. Bottom line: The report is ambitious but constrained by political reality. And the most striking political reality is that there hasn’t been a better time in 25 years to propose cybersecurity regulation and liability for the tech sector. Seizing the Zeitgeist, the report offers at least a dozen such proposals.

Nick Weaver explains the joys of trojanizing the trojanizers, and we debate whether that is fourth-party or fifth-party intelligence collection.

In a shameful dereliction, Congress has let important FISA authorities lapse, but perhaps only for a day or two (depending on the president’s temperature when the reauthorization bill reaches his desk). The reauthorization bill isn’t good for our security, but it tries to avoid crippling intelligence collection, mostly hanging new ornaments on the existing FISA Christmas tree.

Mark covers a Swedish ruling that deserves to be forgotten a lot more than the crimes and embarrassments protected by the “right to be forgotten.” This decision fines Google for failing to show sufficient zeal in covering up Sweden’s censorship orders.

Nick explains how Microsoft finds itself taking down an international botnet instead of leaving the job to the world’s governments.

Maury reports that the federal trial of a Russian hacker is exposing seamy ties between the FSB and criminal Russian hackers. Now we know why Russia fought so hard to head off extradition of the Russian hacker to the US.

Elsa helps me through recent claims that US chip makers face long-term damage from the US-China trade fight. That much is obvious to all; less obvious is what the US can do to avoid it.

Nick and I talk about Facebook’s suit against NSO Group. I claim that NSO won this round in court but lost in the media, which has finally found a company it hates more than Facebook. Nick thinks Facebook is quite happy to swap a default judgment for a chance at discovery.

In other quick hits, DOD is wisely seeking a quick do-over in the cloud computing litigation involving AWS and Microsoft. House and Senate committees have now okayed a bill to give CISA much-needed and suprisingly uncontroversial subpoena authority to identify at-risk Internet users. Rebooting my "Privacy Kills" series, I break the injunction against COVID-19 news to point out that dumb privacy laws likely delayed for weeks discovery of how widespread COVID-19 was in Seattle. And Joshua Schulte’s trial ends in a hung jury; I ask where the juicy post-trial jury interviews are.

Download the 306th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The NSA’s effort to use call detail records to spot cross-border terror plots has a long history. It began life in deepest secrecy, became public (and controversial) after Edward Snowden’s leaks, and was then "reformed" in the USA Freedom Act. Now it’s up for renewal, and the Privacy and Civil Liberties Oversight Board, or PCLOB, has weighed in with a deep report on how the program has functioned – and why NSA has suspended it.

In this episode I interview Travis LeBlanc, a PCLOB Member, about the report and the program. Travis is a highly effective advocate, bringing me around on several issues, including whether the program should be continued and even whether the authority to revive it would be useful. It’s a superb guide to a program whose renewal is currently being debated (against a March 15 deadline!) in Congress.

And, uh, asking for a friend: Do the early stages of covid-19 infection make you more susceptible to persuasion? 

Download the 305th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, families or friends.

Our interview in this episode is with Glenn Gerstell, freed at last from some of the constraints that come with government service. We cover the Snowden leaks, how private and public legal work differs (hint: it’s the turf battles), Cyber Command, Russian election interference, reauthorization of FISA, and the daunting challenges the US (and its Intelligence Community) will face as China’s economy begins to reinforce its global security ambitions.

In the news, Nate Jones and Nick Weaver talk through the new legal and technical ground broken by the United States in identifying two Chinese nationals and the $100 million in cryptocurrency they laundered for North Korean hackers.

Paul Rosenzweig lays out the challenge posed for the Supreme Court’s Carpenter decision by LocateX, which provides detailed location data commercially. This is exactly the quagmire I expected the Court to find itself in when it abandoned the third-party doctrine on a one-off basis. Nick points out that the data is only pseudonymized and tries with mixed success to teach me to say “de-pseudonymized.”

Nate and I conclude that facial recognition has achieved a kind of Kardashian status, though instead of being famous for being famous, facial recognition is toxic for being toxic. Kashmir Hill at the New York Times adds a new drop of poison in a story that could just as well have repeated “I hate Clearview AI” 50 times for all it told us about the company. And Vice, which never saw a Twitter mob it wouldn’t join, lets Anna Merlan tell us to hate Clearview because it found pictures of her that she apparently posted in public. Meanwhile, we all know the technology is evil, but we can't quite remember why. If the problem is that it doesn’t work, the stories about how Buenos Aires found a wanted man on the street using another company’s recognition tech is kind of harshing the narrative. (We're supposed to see that it's evil because the cops had mixed up two people with the same name. Not sure that’s facial recognition’s fault, guys.)

Nate and I review the Justice Department’s guidance on how threat researchers can do undercover work safely on the Dark Web. It’s a mixed bag for sure, but the biggest beneficiary of the guidance may turn out to be Dark Web criminal network administrators.

A proposed FAA drone rule is angering aviation hobbyists. Nick feels their pain but thinks it’s time for them to get over it.

Microsoft, Google, Facebook, and others have adopted international principles for enforcing laws against child abuse. But if they were hoping to stave off the EARN IT bill, they were mistaken. The bill has been introduced, with striking bipartisan sponsorship and a few changes since we last covered it. Nick and I cross swords on whether the bill would turn the companies into agents of the government for Fourth Amendment purposes.

And in short takes, I note that the Trump Administration is borrowing from Europe in one respect: CFIUS is building a wall against the export of Americans' personal data to China by overturning mergers that would give Chinese companies access to data on Americans’ hotel stays and their love lives. Paul tells us that Oz is apparently in the lead for a deal with the United States on the CLOUD Act. China’s Qihoo360 tries to beat US cyber forensics firms at the name-and-shame game but came up short. And the FISA Court offers some surprisingly tame changes in the wake of the Horowitz report detailing the botched Carter Page warrant application.

Download the 304th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

This is a bonus episode of the Cyberlaw Podcast – a freestanding interview of Noah Phillips, a Commissioner of the Federal Trade Commission. The topic of the interview is whether privacy and antitrust analysis should be merged, especially in the context of Silicon Valley and its social media platforms.

Commissioner Phillips, who has devoted considerable attention to the privacy side of the FTC’s jurisdiction, recently delivered a speech on the topic and telegraphed his doubts in the title: “Should We Block This Merger? Some Thoughts on Converging Antitrust and Privacy.” Subject to the usual Cyberlaw Podcast injunction that he speaks only for himself and not his institution or relatives, Commissioner Phillips lays out the very real connections between personal data and industry dominance as well as the complexities that come from trying to use antitrust to solve privacy problems. Among the complexities: the key to more competition among social media giants could well be more sharing between companies of the personal data that fuels their network effects, and corporate sharing of personal data is what privacy advocates have spent a decade crusading against.

It’s a wide-ranging interview, touching on, among other things, whether antitrust can be used to solve Silicon Valley’s censorship problem (he’s skeptical) and what he thinks of suggestions in Europe that perhaps the Schrems problem can be solved by declaring that post-CCPA California meets EU data privacy standards. Commissioner Phillips is bemused; I conclude that this is just Europe seeking revenge for President Trump’s Brexit support by promoting “Calexit.”

Download the 303rd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll! 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, or relatives.

This episode features a lively (and – fair warning – long) interview with Daphne Keller, Director of the Program on Platform Regulation at Stanford University’s Cyber Policy Center. We explore themes from her recent paper on regulation of online speech. It turns out that more or less everyone has an ability to restrict users’ speech online, and pretty much no one has both authority and an interest in fostering free-speech values. The ironies abound: Conservatives may be discriminated against, but so are Black Lives Matter activists. In fact, it looks to me as though any group that doesn’t think it’s the victim of biased content moderation would be well advised to scream as loudly as possible about censorship anyway for fear of losing the victimization sweepstakes.

Feeling a little like a carny at the sideshow, I serve up one solution for biased moderation after another, and Daphne methodically shoots them down. Transparency? None of the companies is willing to allow real transparency, and the government may have a first amendment problem forcing companies to disclose how they make their moderation decisions. Competition law as a way to encourage multiple curators? It might require a "magic" API, and besides, most users like a moderated Internet experience. Regulation? Only if we want to take First Amendment law back to the heyday of broadcast regulation (which is frankly starting to sound pretty good to me).

As a particularly egregious example of foreign governments and platforms ganging up to censor Americans, we touch on the CJEU's insufferable decision encouraging the export of European defamation law to the US – with an extra margin of algorithmic censorship to keep the platform from any risk of liability. Turns out, that speech suppression regime is not just an end run around the first amendment; it's protected by the first amendment. I offer to risk my Facebook account to see if that's already happening.

In the news, FISA follies take center stage, as the March 15 deadline for reauthorizing important counterterrorism authorities draws near. No one has a good solution. Matthew Heiman explains that another kick-the-can scenario remains a live option. And Nick Weaver summarizes the problems that the PCLOB found with the FISA call detail record program. My take: The program failed because it was imposed on NSA by libertarian ideologues who had no idea how it would work in practice and who now want to blame NSA for their own shortsightedness.

Another week, another couple of artificial intelligence ethics codes: The two most recent ones come from DOD and … the Pope? Mark MacCarthy sees a lot to like. I offer my quick and dirty CTRL-F test for whether the codes are serious or flaky, and both fail.

In China news, Matthew covers China’s ever-spreading censorship regime – which now reaches Twitter users whose accounts are blocked by the Great Firewall. We also ask whether and how much the US “name and shame” campaign has actually reduced Chinese cyberespionage. And whether China is stealing tech from universities for the same reason Willie Sutton robbed banks – that’s where the IP is.

Nick recounts with undisguised glee the latest tribulations suffered by Clearview AI's facial recognition system: Its app has been banned from Android and Apple, and both its customers and its data collection methods have been doxed.

Mark notes the success of threats to boycott Pakistan on the part of Facebook, Google, and Twitter. I wonder if that will simply incentivize Pakistan to drive its social media ecosystem toward the Chinese giants.

Nick gives drug dealers a lesson in how not to store the codes for €53.6 million in Bitcoin; or is it a lesson in what to say to the police if you want that €53.6 million waiting for you when you get out of the clink?

Finally, in a few quick hits, we cover new developments in past stories: It turns out, to the surprise of no one, that removing a police tracking device from your car isn’t theft. West Virginia has apparently recovered from a fit of insanity and now does not plan to allow voting by insecure app. And the FCC is doing a slow striptease in its investigation of mobile carriers for selling customer location data; now we know who’ll be charged (pretty much everyone) and how much it will cost them ($200 million), but we still don’t know the theory or whether the inquiry is going to kill off legitimate uses of location data.

Download the 302nd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll! 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, families or pets.

Once again, I put my Facebook account at risk to find out:

 We interview Ben Buchanan about his new book, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. This is Ben's second book and second interview on the podcast about international conflict and cyber weapons. It's safe to say that America's strategic posture hasn't improved since the first one.

We face more adversaries with more tools and a considerably greater appetite for cyber adventurism. Ben recaps some of the stories that were under-covered in the US press when they occurred. The second large attack on Ukraine's grid, for example, was little noticed during the US election of 2016, but it looks much more ominous after a recent analysis of the tools used, and perhaps most importantly, those that were available to the GRU but not used. Meanwhile, the US is not making much progress in cyberspace on the basic requirement of a great power, which is making sure our enemies fear us.

In the news, Nick Weaver, Gus Hurwitz, and I take a quick pass at the Internet content regulation problem and Section 230 of the Communications Decency Act. I've written that Section 230 needs to be reconsidered, and I predict that the Justice Department, which held a workshop on Section 230 last week, will propose reforms. Gus and I offer two different takes on Facebook's recent white paper about content moderation. Gus is more a fan of Twitter's approach. And Nick reminds us that there are some communities on the Internet whose content causes real harm, including to innocent children.

The debate in the US is taking a distinctly European turn, I suggest, which makes Europe's determination to regulate its way to digital innovation a little less implausible than usual. Maury Shenk outlines the very tentative (and almost certainly out of date before it's launched) European plan for building a European data lake to foster a European AI and digital economy.

Speaking of AI regulation, Elon Musk hasn't given up on his concerns about the technology's risks. But the real action in media circles is attacking fairly simple machine learning tools as used by law enforcement and the justice system. I argue that the attack is wrongheaded and will either result in abandoning tools that could have disciplined true outliers or in imposing dangerous racial quotas on things like incarceration. Nick thinks there's enough institutionalization of bias in AI as it now exists that giving up such tools may be the better course.

In quick hits, Nick explains how Google's effort to stamp out ad click fraud can generate a secondary form of criminal extortion. Maury explains the latest flap over Australia's encryption law; the tl;dr is that nothing is likely to change soon. Gus makes a down payment on an emerging issue: Whether ISPs can defeat Internet privacy laws that affect them by pleading their First Amendment rights. Nick calls BS on the simplest forms of "anonymization" for credit card data. I highlight a ransomware attack on a US natural gas operator that actually affected operations and is thus a forerunner of future attacks. Nick reminds us that Julian Assange is still in court to stop a US extradition bid. And Europe's data protection advisor is questioning Google's acquisition of Fitbit.

Download the 301st Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of participants' institutions, clients, family, or friends.

Yesterday, the Attorney General held a workshop on Section 230 of the Communications Decency Act. The question was whether the law can be improved. Section 230 does need work, though there's plenty of room for debate about exactly how to fix it. These are my mostly tentative and entirely personal thoughts on the question the Attorney General has asked.

Section 230 gives digital platforms two immunities – one for publishing users' speech and one for censoring users' speech. the second is the bigger problem.

1. Immunity for what users say and do online

When section 230 was adopted, the impossibility of AOL, say, monitoring its users in a wholly effective way was obvious. It couldn't afford to hire tens of thousands of humans to police what was said in its chatrooms, and the easy digital connection it offered was so magical that no one wanted it to be saddled with such costs. Section 230 was an easy sell.

A lot has changed since 1996.  Facebook and other have in fact already hired tens of thousands of humans to police what is said on their platforms. Combined with artificial intelligence, content fingerprinting, and more, these monitors work with considerable success to stamp out certain kinds of speech. And although none of these efforts are foolproof, preventing the worst online abuses has become part of what we expect from social media. The sweeping immunity Congress granted in Section 230 is as dated as the Macarena, another hit from 1996 whose appeal seems inexplicable today. Today, jurisdictions as similar to ours as the United Kingdom and the European Union have abandoned such broad grants of immunity, making it clear that they will severely punish any platform that fails to censor its users promptly.

That doesn't mean the US should follow the same path.  We don't need a special, harsher form of liability for big tech companies. But why are we still giving them a blanket immunity from ordinary tort liability for the acts of third parties? In particular, why should they be immune from liability for utterly predictable criminal use of warrant-proof encryption? I've written on this recently and won't repeat what I said there, except to make one fundamental point.

Immunity from tort liability is a subsidy, one we often give to nascent industries that capture the nation's imagination. But once they've grown big, and the harm they can cause has grown as well, that immunity has to be justified anew. In the case of warrant-proof encryption, the justifications are thin.  Section 230 allows tech companies to capture all the profits to be made from encrypting their services while exempting them from the costs they are imposing on underfunded police forces and victims of crime.

That is not how our tort law usually works. Usually, courts impose liability on the party that is in the best position to minimize the harm a new product can cause. Here, that's the company that designs and markets an encryption system with predictable impact on victims of crime. Many believe that the security value of unbreakable encryption outweighs the cost to crime victims and law enforcement. Maybe so.  But why leave the weighing of those costs to the blunt force and posturing of political debate? Why not decentralize and privatize that debate by putting the costs of encryption on the same company that is reaping its benefits? If the benefits outweigh the costs, the company can use its profits to insure itself and the victims of crime against the costs. Or it can seek creative technical solutions that maximize security without protecting criminals – solutions that will never emerge from a political debate. Either way it's a private decision with few externalities, and the company that does the best job will end up with the most net revenue. That's the way tort law usually works, and it's hard to see why we shouldn't take the same tack for encryption.

2. Immunity for censoring users Detecting bias.

The harder and more urgent Section 230 problem is what to do about Silicon Valley's newfound enthusiasm for censoring users whose views it disapproves of. I confess to being a conservative, whatever that means these days, and I have little doubt that social media content mediation rules are biased against conservative speech. This is hard to prove, of course, in part because social media has a host of ways to disadvantage speakers who are unpopular in the Valley. Their posts can be quarantined, so that only the speaker and a few persistent followers ever see them but none knows of that distribution has been suppressed. Or they can be demonetized, so that Valley-unpopular speakers, even those with large followings, cannot use ad funding to expand their reach. Or facially neutral rules, such as prohibitions on doxing or encouraging harassment, are applied with maximum force only to the unpopular. Combined with the utterly opaque talk-to-the-bot mechanisms for appeal that the Valley has embraced, these tools allow even one or two low-level but highly motivated content moderators to sabotage their target's speech.

Artificial intelligence won't solve this problem.  It is likely to make it worse. AI is famous for imitating the biases of the decisionmakers it learns from – and for then being conveniently incapable of explaining how it arrived at its own decisions. No conservative should have much faith in a machine that learns its content moderation lessons from current practice in Silicon Valley.

Foreign government interference. European governments, unbound by the first amendment, have not been shy about telling Silicon Valley to suppress speech it dislikes, which include true facts about people who claim a right to be forgotten, or charges that a politician belongs to a fascist party, or what it calls hate speech. Indeed, much of the Valley has already surrendered, agreeing to use their terms of service to enforce Europe's sweeping view of hate speech--under which the President's tweets and the Attorney General's speeches could probably be banned today.

Europe is not alone in its determination to limit what Americans can say and read.  Baidu has argued successfully that it has a first amendment right to return nothing but sunny tourist pictures when Americans searched for "Tiananmen Square June 1989." Jian Zhang v. Baidu.Com Inc., 10 F. Supp. 3d 433 (S.D.N.Y. 2014). Today, any government but ours is free to order a US company to suppress the speech of Americans the government doesn't like.

In the long run it is dangerous for American democracy to give highly influential social media firms a blanket immunity when they bow to foreign government pressure and suppress the speech of Americans. We need to armor ourselves against such tactics, not facilitate them.

Regulation deserves another look. This isn't the first time we've faced a disruptive new technology that changed the way Americans talked to each other. The rise of broadcasting a hundred years ago was at least at transformational, and as threatening to the political order, as social media today. It played a big role in the success of Hitler and Mussolini, not to mention FDR and Father Coughlin.

American politicians worried that radio and television owners could sway popular opinion in unpredictable or irresponsible ways. They responded with a remarkable barrage of new regulation – all designed to ensure that wealthy owners of the disruptive technology did not use it to unduly distort the national dialogue. Broadcasters were required to get government licenses, not once but over and over again. Foreign interests were denied the right to own stations or networks. A "fairness" doctrine required that broadcasters present issues in an honest, equitable, and balanced way. Opposing candidates for office had to be given equal air time, and political ads could to be aired at the lowest commercial rate. Certain words (at least seven) could not be said on the radio.

This entire edifice of regulation has acquired a disreputable air in elite circles, and some of it has been repealed. Frankly, though, it don't look so bad compared to having a billionaire tech bro (or his underpaid contract workers) decide that carpenters communicating with friends in Sioux Falls are forbidden to "deadname" Chelsea Manning or to complain about Congress's failure to subpoena Eric Ciaramella.

The sweeping broadcast regulatory regime that reached its peak in the 1950s was designed to prevent a few rich people from using technology to seize control of the national conversation, and it worked. The regulatory elements all pretty much passed constitutional muster, and the worst that can be said about them today is that they made public discourse mushy and bland because broadcasters were cautious about contradicting views held by a substantial part of the American public.

Viewed from 2020, that doesn't sound half bad. We might be better off, and less divided, if social media platforms were more cautious today about suppressing views held by a substantial part of the American public.

Whether all these rules would survive contemporary first amendment review is hard to know. But government action to protect the speech of the many from the censorship of the privileged deserves, and gets, more leeway from the courts than the free speech absolutists would have you believe. See, e.g., Bartnicki v. Vopper, 532 U.S. 514 (2001).

That said, regulation has many risks, not least the risk of abuse. Each political party in our divided country ought to ask what the other party would do if given even more power over what can be said on line. It's a reason to look elsewhere for solutions.

Network effects and competitive dominance. Maybe we wouldn't need a lot of regulation to protect minority views if there were more competition in social media – if those who don't like a particular platform's censorship rules could go elsewhere to express their views.

In practice, they can't.  YouTube dominates video platforms, Facebook dominates social platforms, Amazon dominates online book sales, etc. Thanks to network effects, if you want to spread your views by book, by video, or by social media post, you have to use their platforms and live with their censorship regimes.

It's hard to say without investigation whether these platforms have violated antitrust laws in acquiring their dominance or in exercising it. But the effect of that dominance on what Americans can say to each other, and thus on political outcomes, must be part of any antitrust review of their impact. Antitrust enforcement often turns on whether a competitive practice causes consumer harm, and suppression of consumer speech has not usually been seen as such a harm. It should be. Suppression of speech it dislikes may well be one way Silicon Valley takes monopoly profits in something other than cash. If so, there could hardly be a higher priority for antitrust enforcement because such a use of monopoly strikes at the heart of American free speech values.

One word of caution:  Breaking up dominant platforms in the hope of spurring a competition of ideas won't work if the result is to turn the market over to Chinese companies that already have a similar scale – and even less interest in fostering robust debate online. If we're going to spur competition in social media, we need to make sure we aren't trading Silicon Valley censorship for the Chinese brand.

Transparency. Transparency is everyone's favorite first step for addressing the reality and the perception of bias in content moderation. Surely if the rules were clearer, if the bans and demonetizations could be challenged, if inconsistencies could be forced into the light and corrected, we'd all be less angry and suspicious and the companies would behave more fairly. I tend to agree with that sentiment, but we shouldn't kid ourselves. If the rules are made public, if the procedures are made more open – hell, if the platforms just decide to have people answer complaints instead of leaving that to Python scripts -- the cost will be enormous.

And not just in money. All of the rules, all of the procedures, can be gamed, and more effectively the more transparent they are.  Speakers with bad intent will go to the very edge of the rules; they will try to swamp the procedures. And ideologues among the content moderators will still have room to seize on technicalities to nuke unpopular speakers.  Transparency may well be a good idea, but its flaws are going to be painful to behold if that's the direction our effort to discipline Section 230 takes.

3. What is to be done?

So I don't have much certainty to offer.  But if I were dealing with the Section 230 speech suppression immunity today, I'd start with something like the following:

First, treat speech suppression as an antitrust problem, asking what can be done to create more competition, especially ideological and speech competition, among social media platforms. Maybe breakups would work, although network effects are remarkably resilient. Maybe there are ways antitrust law can be used to regulate monopolistic suppression of speech. In that regard, the most promising measures probably are requiring further transparency and procedural fairness from the speech suppression machinery, perhaps backed up by governmental subpoenas to investigate speech suppression accusations.

Second, surely everyone can agree that foreign governments and billionaires shouldn't play a role in deciding what Americans can say to each other. We need to bar foreign ownership of social media platforms that are capable of playing a large role in our political dialogue. We should also use the Foreign Agent Registration Act or something like it to require that speech driven by foreign governments be prominently identified as such. And we should sanction the nations that try to do that.

And finally, here's a no-brainer. If nothing else, it's clear that Section 230 is one of the most controversial laws on the books. It is unlikely to go another five years without being substantially amended. So why in God's name are we writing the substance of Section 230 into free trade deals – notably the USMCA? Adding Section 230 to a free trade treaty makes the law a kind of a low-rent constitutional amendment, since if we want to change it in future, organized tech lobbies and our trading partners will claim that we're violating international law. Why would we do this to ourselves? It's surely time for this administration to take Section 230 out of its standard free-trade negotiating package.

Note: I have many friends, colleagues, and clients who will disagree with much of what I say here.  Don't blame them. These are my views, not those of my clients, my law firm, or anyone else.

In breaking news from 1995, the Washington Post takes advantage of a leaked CIA history paper to retell the remarkable tale (first published in the mid-90s) of Crypto AG, a purveyor of encryption products to dozens of governments – and allegedly a wholly controlled subsidiary of US and German intelligence. Nick Weaver, Paul Rosenzweig, and I are astonished at the derring-do and unapologetic enthusiasm for intelligence collection that the story displays. I mean, really: The Pope?

This week’s interview is with Jonathan Reiber, a writer and strategist in Oakland, California, and former Chief Strategy Officer for Cyber Policy and Speechwriter at the Department of Defense, currently senior advisor at Technology for Global Security and visiting scholar at the UC Berkeley Center for Long-Term Cybersecurity. His recent report offers a candid view of strained relations between Silicon Valley and the Pentagon. The interview explores the reasons for that strain, the importance of bridging the gap, and how that can best be done.

Nick reports that four PLA members have been indicted over the Equifax breach. He speculates that the US government is sending a message by disclosing a photo of one soldier that appears to have been taken by his own webcam. Paul and I note that the purpose of the hack was very likely the assembly of records on Americans not dissimilar to the records we know the Chinese keep on Uighurs – which are extraordinarily detailed and surprisingly artisanal. 

The arrest of a Bitcoin mixer allows Nick to explain how Bitcoin mixing works and why it's (sometimes) illegal.

Paul lays out the potentially serious impact of Amazon’s lawsuit to stop a $10 billion Microsoft-DOD cloud contract. We note that Amazon wants to take testimony from President Trump about political interference in the award. Thanks to his Twitter habit, we conclude, that’s not out of the question.

I preview my remarks at a February 19 Justice Department workshops on Section 230. I will reprise my article in Lawfare and the encryption debate with Nick Weaver that inspired it. And I hope to dig as well into the question whether Section 230 provides too much protection for Silicon Valley’s censors. Speaking of which, Jeff Bezos’s company has joined the censors but won’t tell us which books it’s suppressing.

Nick and I give a favorable review to CISA’s new #Protect2020 election strategy. We search for deeper meaning in IANA’s failure to complete its DNSSEC root key signing ceremony because of… a physical safe. And we all take a moment to mock and abuse the latest vote-by-phone snake-oil app seller, Voatz. If nothing else, we conclude, it will greatly reduce friction in the market for selling votes in future elections. 

Download the 300th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, or friends.

The battle between Congress and Silicon Valley has a new focus: the EARN IT Act of 2019. (The title is an embarrassing retronym that I refuse to dignify by repeating; you can safely ignore it.) A “discussion draft” of the bill is attributed to Republican Sen. Lindsey Graham and Democratic Sen. Richard Blumenthal. To hear the Electronic Frontier Foundation (EFF), the Center for Internet and Society, and Gizmodo tell it, the draft EARN IT Act is an all-out assault on end-to-end encryption.

The critics aren’t entirely wrong about the implications of EARN IT for encryption—but they’ve skipped a few steps. To understand the controversy, it’s useful to start with the structure of the bill. That will show how EARN IT could affect the deployment of end-to-end encryption—and why the draft bill makes sense as social policy.

The central change made by the bill is this: It would allow civil suits against companies that recklessly distribute child pornography. It would do this by taking away a piece of their immunity from liability when transmitting their users’ communications under Section 230 of the Communications Decency Act (CDA).

Originally added to the CDA as part of a legislative bargain, Section 230 was one of the best deals tech lobbyists ever struck. The CDA was a widely popular effort to restrict internet distribution of pornography to minors. Tech companies couldn’t stop the legislation but feared being held liable for what their users did online, so they agreed not to fight the CDA in exchange for Section 230. The next year, the law’s measures to protect children online were ruled unconstitutional, leaving the industry protections in Section 230 as more or less the only operative provision in the entire CDA.

Both Section 230 and the content monitoring it protects have become increasingly controversial in recent years. Conservatives believe they have been unfairly targeted for arbitrary deplatforming and demonetization; liberals complain that there are still too many right-wing proselytizers and rabble-rousers on the internet. Fewer and fewer people are happy that Section 230 gives tech companies broad discretion to do what they please about user content.

But the most recent attacks on Section 230 have been more focused. Congress first took aim at sites, like Backpage, that were accused of knowingly accepting ads that fostered prostitution and sex trafficking. In 2018, Congress enacted the Fight Online Sex Trafficking Act (FOSTA), which provided that internet companies could be held liable for assisting in sex trafficking if they “knew or should have known” what their customers were doing. 18 U.S.C. § 1595; 47 U.S.C. § 230(c)(5).

Silicon Valley’s advocates hated FOSTA, but their resistance didn’t matter. Times had changed. It was hard to argue that the big platforms couldn’t afford to monitor their users’ content. Much of the industry caved rather than look soft on sex trafficking. The bill passed with overwhelming bipartisan support.

This brings us to the EARN IT Act, which would treat child pornography more or less the way FOSTA treated sex trafficking content—by lifting the immunity of companies that don’t take reasonable measures to prevent its distribution. It’s a surprise that EARN IT came second to FOSTA. Sex work has defenders on the left and the libertarian right, after all, but no one defends child pornography. What’s more, ads touching on sex and companionship have a good deal more First Amendment appeal than child sexual abuse images, which are after all direct evidence of crime. But now that FOSTA has shown the way, it’s no surprise that a similar attack on child pornography has gained traction.

In seeking to counter this proposal, Silicon Valley and internet freedom advocates have moved away from the First Amendment paeans and “don’t break the internet” memes they used in their unsuccessful fight against FOSTA. Rather, they’re arguing that EARN IT will hurt end-to-end encryption.

How so? The short answer is that EARN IT imposes civil liability on companies that distribute child pornography “recklessly.” Victims—presumably the individuals whose images are being circulated—could sue online platforms that recklessly ignored the exchange of child pornography on their services. By itself, that rule is hard to quarrel with. Recklessness requires more than simple negligence. A party is reckless if he deliberately ignores a harm that he can and should prevent.

For anyone who has defended a tort case, being reassured that the jury has to find your client acted recklessly is cold comfort. You don’t know what facts you’ll be accused of ignoring. You don’t know what emails may have been sent to even low-level employees in your company. You don’t know what measures you’ll be accused of ignoring. And you don’t know when a trawl through the company’s email servers will show that someone somewhere treated the problem with insensitivity.

To address that fear, EARN IT offers a safe harbor to companies that follow best practices in addressing child pornography. Notably, this is more protective of social media defendants than FOSTA and not strictly necessary for those willing to trust the good sense of American juries. Nonetheless, the bill creates a commission to spell out the safe harbor best practices. To further protect industry, 10 of the 15 members of the commission must agree on the best practices, and six of the 15 must have worked at a computer service or in computer science, giving the commission members with a technical background a blocking minority. To protect the government’s interests, the attorney general is given authority to review and modify, with reasons, the best practices endorsed by the group. Companies that certify compliance with the best practices cannot be sued or prosecuted under federal child pornography laws. Companies that disagree with the best practices that emerge from this process can still claim the safe harbor if they implement “reasonable measures … to prevent the use of the interactive computer service for the exploitation of minors.”

To see what this has to do with encryption, just imagine that you are the CEO of a large internet service thinking of rolling out end-to-end encryption to your users. This feature provides additional security for users, and it makes your product more competitive in the market. But you know it can also be used to hide child pornography distribution networks. After the change, your company will no longer be able to thwart the use of your service to trade in child pornography, because it will no longer have visibility into the material users share with one another. So if you implement end-to-end encryption, there’s a risk that, in future litigation, a jury will find that you deliberately ignored the risk to exploited children—that you acted recklessly about the harm, to use the language of the law.

In other words, EARN IT will require companies that offer end-to-end encryption to weigh the consequences of that decision for the victims of child sexual abuse. And it may require them to pay for the suffering their new feature enables.

I don’t doubt that this will make the decision to offer end-to-end encryption harder. But how is that different from imposing liability on automakers whose gas tanks explode in rear-end collisions? If the gas tank makes its cars cheaper or more popular, the company will get the benefit; but now it will also have to pay damages to the victims of the explosions. That makes the decision to offer risky gas tanks harder, but no one weeps for the automaker. Imposing liability puts the costs and benefits of the product in the same place, making it more likely that companies will act responsibly when they introduce new features.

There is nothing radical about EARN IT’s proposal, except perhaps for the protections that the law still offers to internet companies. Most tort defendants don’t get judged on a recklessness standard. Juries can award damages if the defendant was negligent, a much lower bar. Indeed, in many contexts, the standard is strict liability: If your company is best able to minimize the harm caused by your product, or to bear its cost, the courts will make you the insurer of last resort for all the harm your product causes, whether you are negligent or not. Compared to these commonplace rules, Section 230 remains a remarkably good deal, with or without EARN IT.

But critics of EARN IT have focused on the role the bill provides for the attorney general Because Attorney General William Barr could modify the best practices recommended by the commission, critics say, Barr might unilaterally declare that end-to-end encryption is never a best practice when dealing with the scourge of child pornography. That would effectively prohibit end-to-end encryption, or so the argument goes.

There’s one problem with this: EARN IT doesn’t impose liability on companies that fail to follow the commission’s best practices. They are free to ignore the recommendations of the commission and the attorney general, which are after all just a safe harbor, and they will still have two ways to avoid liability. First, they can still claim a safe harbor as long as they adopt “reasonable measures” to prevent child sex exploitation. Second, they can persuade a jury that their product design didn’t recklessly allow the spread of child pornography.

The risk of liability isn’t likely to kill encryption or end internet security. More likely, it will encourage companies to choose designs that minimize the harm that encryption can cause to exploited kids. Instead of making loud public arguments about the impossibility of squaring strong encryption with public safety, their executives will have to quietly ask their engineers to minimize the harm to children while still providing good security to customers—because harm to children will in the long run be a cost the company bears. That, of course, is exactly how a modern compensatory tort system is supposed to work. Such systems have produced safer designs for cars and lawn mowers and airplanes without bankrupting their makers.

Maybe it’s time to apply the same rules to internet products and services.

The views expressed here do not reflect those of my firm or clients.

The next trade war will be over transatlantic data flows, and it will make the fight with China look like a picnic. That’s the subject of this episode’s interview. The European Court of Justice is poised to go nuclear – to cut off US companies’ access to European customer data unless the US lets European courts and data protection agencies refashion American intelligence capabilities according to standards no European government has ever been required to meet. It is Europe in full neocolonial mode, but the movement has so far sailed below the radar, disguised as an abstruse European legal fight. Maury Shenk and I interview Peter Swire on the Schrems cases that look nearly certain to provoke a transatlantic trade and intelligence crisis. Actually, Maury interviews Peter, and I throw bombs into the conversation. But if ever there were a cyberlaw topic that deserves more bomb-throwing, this is it.

In the News Roundup, David Kris tells us that the trial of alleged Vault7 leaker Joshua Schulte is under way. And the star of the first day is our very own podcast regular, Paul Rosenzweig.

If you’re wondering whether more cybersecurity regulation is what the country needs, you should be paying attention to the Pentagon, which has embraced cybersecurity regulation for its contractors. Matthew Heiman reports that DOD isn’t finding the path easy. DOD has released its final cybersecurity plan for contractors, but the audit process needed to enforce it remains a mystery.

That’s SNAKE spelled backwards: David tells us about a new strain of ransomware known as EKANS; ominously, it is targeting industrial control systems. I manage to find a very modest silver lining.

Nate Jones sums up the cybersecurity lessons from the voting debacle in Iowa.

Nate also reports on the FCC’s latest half-step toward suing one or more telcos for selling phone-location data.

Matthew covers the Maze ransomware that has ravaged law firms in recent weeks. He argues that it’s only a matter of time before such attacks become dog-bites-man stories.

Matthew also notes that Google and Facebook have apparently dropped plans to terminate their transpacific cable in Hong Kong. US national security concerns seem to have driven the decision. Looks like the Great Decoupling could be spurring a very real physical decoupling.

Nate makes the best of being asked to talk about the 2020 version of a Worthwhile Canadian Initiative: The third volume of the Senate Intel Committee’s Russian electoral interference report. It’s sober and responsible and bipartisan – and largely unread, sadly.

And to bring you up to speed on past stories:

• A Brazilian judge has declined to accept charges against Glenn Greenwald, “for now.”
• The poster child for our current facial recognition moral panic can’t catch a break: As I predicted, Clearview AI has been hit with orders to cease-and-desist from Google and Facebook.
• Tag-teaming with Bill Barr, child-welfare activists are attacking Facebook over its encryption plans and what that means for exploited kids.
• One of the first CCPA lawsuits has been filed, against Salesforce.
• And This Week in Silicon Valley's Suppression of the Right:
• Letterboxd banned a black libertarian film critic’s reviews.
• James O’Keefe’s Twitter account was suspended after he named a Bernie Sanders staffer who spoke fondly of gulags and electoral violence.
• And Twitter banned the widely popular Zero Hedge account after it named a Chinese researcher who it thought might have a role in coronavirus.

Download the 299th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the participants' firms, clients, friends, former friends, or family members.