Skating on Stilts

Our interview is with Mark Montgomery and John Costello, both staff to the Cyberspace Solarium Commission.  The Commission, which issued its main report more than a year ago, is swinging through the pitch, following up with new white papers, draft legislative language, and enthusiastic advocacy for its legislative recommendations, many of which were adopted last year. That makes it the most successful of the many cybersecurity commissions that have come and gone in Washington. And it's not done yet. Mark and John review several of the most important legislative proposals the Commission will be pursuing this year. I don't agree with all of them, but they are all serious ideas and it's a good bet that a dozen or more could be adopted in this Congress.

In the news roundup, David Kris and I cover the FBI's use of a single search warrant to remove a large number of web shells from computers infected by China's irresponsible use of its access to Microsoft Exchange. Deploying a search warrant (or, more accurately, a seizure warrant)requires a far-reaching interpretation of federal criminal Rule 41. But despite valiant efforts, David is unable to disagree with my earlier expressed view that the tactic is lawful.

Brian Egan outlines what's new in the Biden administration's sanctions on Russia for its SolarWinds exploits. The short version: While some of the sanctions break new ground, as with the restrictions on Russian bonds, they do so cautiously.

Paul Rosenzweig, back from Costa Rica, unpacks a hacking story that has everything – terrorism, the FBI, Apple, private sector hacking, and litigation. Short version: we now know the private firm that saved Apple from being ordered to hack its own phone. The hacking was done instead by an Australian firm named Azimuth that apparently only works for democratic governments but that is nonetheless caught up in Apple's bully-the-cybersecurity-researchers litigation campaign.

Gus Hurwitz talks to us about the seamy side of content moderation (or at least one seamy side) – the fight against "coordinated inauthentic behaviour."  

In quicker takes, Paul gives us a master class in how to read the intel community's Annual Threat Assessment.  David highlights what may be the next Chinese  telecom manufacturing target, at least for the GOP. I highlight the groundbreaking financial industry breach notification rule that has now finished the comment period and is moving toward adoption. And Gus summarizes the state of Silicon Valley antitrust legislation:  Everyone has a bill, so no one is likely to get a bill.

Download the 358th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

I've been warning for years about how social media suppresses views that aren't popular in Silicon Valley. Until recently, though, I hadn't found myself on the receiving end of its power.  Now I have. So this take on Silicon Valley speech suppression is more personal than usual.

Let's start with the Hunter Biden laptop story.

I know. You're probably already scoffing. Certainly my mostly liberal (and even some conservative) friends are convinced the whole thing is bogus, of interest only to denizens of the Trump fever swamp.  They remember that the laptop was never verified, that it was widely suspected of being a product of Russian hacking and disinformation, and even if true, that it was simply a wallow in Hunter Biden's many personal failings that told us nothing about his father's fitness for office.

Most of those widespread views are wrong. They are contradicted by a long and detailed story in the UK's Daily Mail. The "Russian disinformation" claim never stood up to much scrutiny, consisting as it did mainly of assertions that faking a laptop was the kind of thing the Russians would do. Now, however, the Daily Mail has validated the laptop and its contents, both obtaining a former FBI agent's forensic judgment and conducting a detailed examination of the laptop's contents. The sheer volume of material makes it highly unlikely that the laptop itself was a fabrication. There are 103,000 text messages, including many intimate (and heart-breaking) father-son exchanges, 154,00 emails, and over 2,000 photos, including numerous nude or sexual pictures of Biden and others. (That leaves open the possibility that someone, perhaps even Russian intelligence, might have added a few fake documents to the real ones – a possibility that would seem to call for detailed examination of the laptop's contents, something no mainstream media outlet has deigned to conduct.)

As for its relevance to President Biden's fitness, earlier reporting disclosed correspondence suggesting that Hunter's unsavory businesses exploited or even benefited his father. And the Daily Mail claims that Hunter was getting some form of Secret Service protection long after the agency claimed to have ended its work for the Biden family. Maybe these stories will fall apart on examination, but there can be little doubt that they deserve investigation. And little doubt that such an investigation could have influenced the 2020 election campaign, when the laptop first surfaced.

What the laptop story got was the opposite of examination. Relying on the unsupported "Russian hacking" conspiracy theory, Twitter blocked the New York Post article. Indeed it blocked the New York Post's Twitter account for weeks because the Post refused to retract its original tweet about the story. Facebook also limited distribution of the story. The threat was clear enough. Even an established media outlet could lose reach and ad revenue if it reported on the story.  And the threat worked; no mainstream publication followed up on the Post article, except for a New York Times article that put the knife in by reporting on controversy over the story's publication in the Post newsroom. When the story came up during the Presidential debates, candidate Biden was able to dismiss it unchallenged as "a Russian plan [and] a bunch of garbage."

To my mind, this treatment of the Biden laptop story tells us a lot about the role that Silicon Valley intends to play in future elections. Companies like Twitter were so fearful of a second Trump victory that they seized on a dubious hacking claim to suppress the story. That act of censorship may well have changed the outcome of the election. So when the Daily Mail showed that the hacking excuse for suppressing the story was specious, I posted a link to the Daily Mail story on Twitter and Linkedin, with this introduction:

"The social media giants that won't let you say the 2020 election was rigged are the people who did their best to rig it: Hunter Biden laptop was genuine and scandalous - Daily Mail"

Linkedin (but not Twitter) decided that I couldn't say that. It sent me this message:

This is a forbidding message, as it's intended to be. If you follow the "Learn more" link you eventually come to the standards for restricting or removing accounts, which tells you, "If we determine that an account, or content posted to that account, violates the Professional Community Policies or the User Agreement, we may remove the content or place a restriction on your account. Depending on the severity of the violation, your account may be restricted indefinitely." (Emphasis added). In short, Linkedin was telling me that it might lock me out of its service if I repeated my offense.

The Linkedin message worried me.  I've got more than 5000 contacts on Linkedin, and I use it in business almost every day. Losing my account would be a blow.

Nonetheless. I hadn't been bullied by such a clueless authoritarian since high school. So instead of moving on to some less fraught topic I doubled down, posting five variants of my original post. The idea was to see exactly what it was about my original post that triggered Linkedin's antibodies. I began by simply posting "The straight news version: The Hunter Biden laptop was genuine and scandalous, according to the Daily Mail." Then I added a link to the Daily Mail story. Then I added commentary: "Social media suppressed the Hunter Biden laptop story in the middle of the 2020 election campaign. Now we know that the story they suppressed was true." In the fifth post, I was more pointed: "Social media won't let you talk about election interference in 2020. Maybe that's because it was social media that interfered in the election by suppressing a true story that would have hurt Joe Biden." And, finally, I reposted the original, which said the same thing as the fifth, but talked about "rigging" rather than "interfering with" the election.

I thought there was a real possibility that Linkedin would deplatform me for the same reason the vice principal used to discipline me in high school – my palpable lack of respect for authority. But it was a risk I was willing to take in the name of science – trying to figure out exactly what triggered Linkedin's content suppression machinery. To cut to the chase, Linkedin left up all of my posts except the one that repeated the original post. That came down, and I again was warned about Linkedin's professional standards.

What did I learn? First, I am grateful to Linkedin for a chance to recapture my youth, if only for a few hours. Second, Linkedin and its corporate parent, Microsoft, has some explaining to do. (Brad Smith, I'm talking to you.) The most charitable assessment of its policy is that it adopted a lame algorithm that suppresses claims of election rigging of any kind, no matter whether they are charges that Venezuela tampered with our voting machines or arguments that Silicon Valley used its platform power to defeat Trump. The scariest possibility is that, having first joined in suppressing stories that hurt Biden in 2020, Linkedin is now suppressing stories that criticize its role in suppressing stories that hurt Biden.

I'm guessing that a lame algorithm is the real culprit.  But frankly, I and anyone else censored by Linkedin deserves to know how that happened. That's why we need laws requiring social media to provide far more transparency and better appeal procedures when they suppress content. But such laws alone do not seem adequate to the threat.

To be clear, Linkedin, or some algorithm, or some contract employee in Arizona or the Philippines, decided that there were some views about an American Presidential election that I could not express, even to my friends. Really? That's the real offense to American free speech values. Linkedin added insult to injury when it failed to say why it didn't like my speech, but that insult carried an injury of its own: It chilled (or tried to) anything I might say in future on that topic. A prudent man wouldn't have put up any of my followon posts.

That chilling effect probably helps explain why no American media did a story on the Biden laptop after Twitter took down the Post's coverage. Even a reporter or newspaper who thinks there could be a great story in the laptop had to ask what would happen once the story went on line. If Twitter, Facebook, and YouTube suppressed it, the story would go from bombshell to bomb. It would get no reach and attract no ads. The ambiguity raises the already high cost of doing investigative journalism on this topic.

Such suppression is a recent phenomenon, less than ten years old, but Silicon Valley is not done yet.  One of my rules about the Valley is "You won't know how evil a technology can be until the engineers who maintain it begin to fear for their jobs."

Right now, social media is printing money. No one fears for their jobs, or even their yachts. But if the move to rein in social media really gathers steam, I'm confident the content suppression tools that protected Joe Biden will be used with even more enthusiasm to protect Silicon Valley itself.

Of course, at that point it will be foolish to complain. No one will hear you anyway.

Our interview is with Kim Zetter, author of the best analysis to date of the weird messaging from NSA and Cyber Command about the domestic "blind spot" or "gap" in their cybersecurity surveillance. I ask Kim whether this is a prelude to new NSA domestic surveillance authorities (definitely not, at least under this administration), why the gap can't be filled with the broad emergency authorities for FISA and criminal intercepts (they don't fit, quite), and how the gap is being exploited by Russian (and soon other) cyberattackers. My most creative contribution: maybe AWS, where most of the domestic machines are being spun up, would trade faster cooperation in targeting such machines for a break on the know-your-customer rules they may otherwise have to comply with. And if you haven't subscribed to Kim's (still free for now) substack newsletter, you're missing out.

In the news roundup, we give a lick and a promise to today's Supreme Court decision in the fight between Oracle and Google over API copyrights, but Mark MacCarthy takes us deep on the Supreme Court's decision cutting the heart out of most, class actions for robocalling. Echoing Congressional Dems, Mark thinks the Court's decision is too narrow. I think it's exactly right. We both expect Congress to revisit the law soon.

Nick Weaver and I explore the fuss over vaccination passports and how Silicon Valley can help. Considering what a debacle the Google and Apple effort on tracing turned into, with a lot of help from privacy zealots, Nick and I agree that this is a tempest in a teapot. Paper vax records are likely to be just fine most of the time. That won't prevent privacy advocates from trying to set unrealistic and unnecessary standards for any electronic vax records system, more or less guaranteeing that it will fall of its own weight.

Speaking of unrealistic privacy advocates,  the much-touted GDPR privacy regime is grinding to a near halt as it moves from theory to practice. Charles-Albert Helleputte explains why. Needless to say, I am not surprised.

Mark and I scratch the surface of Facebook's Fairness Flow tool for policing AI bias. Like anything Facebook does, it's attracting heavy criticism from the left, but Mark thinks it's a useful, if limited, tool for spotting bias in machine learning algorithms.  I'm half inclined to agree, but I am deeply suspicious of what seems to be a confession, made in one "model card," that the designers of an algorithm for identifying toxic speech juiced their real-life data with what they call "synthetic data" because "real data often has disproportionate amounts of toxicity directed at specific groups." That sure sounds as though the algorithm that used real-life data produced results that weren't politically correct, so the researchers just made up data that fit their ideology and pretended it was real – an appalling step for scientists to take with so little explanation.  I welcome informed explanations and contradictions.

Nick explains why there's no serious privacy problem with the IRS subpoena to Circle, asking for the names of everyone who conducted more than $20 thousand in cryptocurrency transactions. Short answer: everybody who doesn't deal in cryptocurrency already has their transactions reported to the IRS without a subpoena.

Charles-Albert and I note that the EU is on the verge of finding that South Korea's data protection standards are "adequate" by EU standards.  The lesson for the US and China is simple: The Europeans aren't looking for compliance; they're looking for assurances of compliance. As Fleetwood Mac once sang, "Tell me lies, tell me sweet little lies."

Mark and I note the extreme enthusiasm with which the FBI used every possible high-tech tool to identify even people who simply trespassed in the Capitol on January 6. The tech is impressive, but we both suspect a backlash is coming. Nick weighs in to tell me I'm wrong when I argue that we didn't see these tools used this way against ANTIFA's 2020 rioters.

Nick also thinks we haven't paid enough attention to the Accellion breach, which leads to a discussion of whether companies are getting a little too comfortable with aggressive lawyering of their public messages after a breach. One result is likely to be a new executive order mandating broader breach notification (and other cybersecurity obligations) for government contractors, I predict.

And Charles and I talk about the UK's plan to take another bite out of end-to-end encryption services, essentially requiring them to show they can still protect kids from sexual exploitation even though they can't actually read the texts and pictures they carry. Good luck with that!

Download the 356th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview this week is with Francis Fukuyama, a fellow and teacher at Stanford and a renowned scholar and public intellectual for at least three decades. He is the coauthor of the Report of the Working Group on Platform Scale, an insightful paper on the power of platforms to suppress and shape public debate. Fukuyama understands the temptation to address those issues through antitrust lens – as well as the reasons why antitrust will fail to counter the threat that platform power poses to our democracy. As a solution, the report proposes forcing the platforms to divest their curatorial authority over what Americans (and the world) reads, creating a host of middleware suppliers who will curate consumers' feeds in whatever way consumers prefer. We explore the many objections to this approach, from first amendment purists to those, mainly on the left, who really like the idea of suppressing their opponents on the right.  But it remains the one policy proposal that could attract bipartisan support from left and right and at the same time actually make a difference.

In the news roundup, Dmitri Alperovich, Nick Weaver, and I have a spirited debate over the wisdom of Google's decision to expose and shut down a western intelligence agency's use of zero day exploits against terrorist targets. I argue that if a vulnerabilities equities process balancing security and intelligence is something we expect from NSA, we should expect the same of Google.

Nate Jones and Dmitri explore the slightly odd policy take on SolarWinds that seems to be coming from NSA and Cyber Command – who are pushing the view that the Russians exploited NSA's domestic blind spot by using US infrastructure for their attack. That suggests that NSA wants to do more spying domestically, although no such proposal has surfaced. Nate, Dmitri, and I are united in thinking that a better solution is a change in US law, though Dmitri thinks a know your customer rule for cloud providers is the best answer, while I think I persuaded Nate that empowering faster and more automatic warrant procedures for the FBI is doable, a solution that we adopted to the burner phone intercept problem in the 90s.

The courts, meanwhile, seem to be looking for ways to bring back a Potter Stewart style of jurisprudence for new technology and the fourth amendment: "I can't define it, but I know it when it creeps me out." The first circuit's lengthy oral argument on how long video surveillance of public spaces can continue without violating the fourth amendment is a classic of the genre. 

Dmitri and Nick weigh in on Facebook's takedown of Chinese hackers who were using Facebook to target Uighurs abroad. Dmitri thinks we can learn policy lessons from the exposure (and likely sanctioning) of the private Chinese companies that carried out the operation.

Dmitri also explains why CISA's head is complaining about the refusal of private companies to tell DHS which US government agencies were compromised in SolarWinds. The companies claimed that their NDAs with, say, Treasury meant that they couldn't tell DHS that Treasury had been pwned. I say that's an all too familiar example of federal turf fights hurting federal cybersecurity.  

In our ongoing feature, This Week in U.S.-China Decoupling, we cover the "Disasta in Alaska," evaluate the latest bipartisan bill to build an international Western technology sphere to compete with China's, note the completely predictable ousting of Chinese telecom companies from the US market, and conclude that the financial sector's effort to defy the gravity of decoupling will be a hard act to maintain.

Always late to embrace a trend, I offer Episode 1 of the Cyberlaw Podcast as a Non-Fungible Token to the first listener who coughs up $150, and Nick explains why it would be cheap at a tenth the price, dashing my hopes of selling NFTs for the next 354 episodes and retiring.

Nick and I have kind words for whoever is doxxing Russian criminal gangs, and I suggest offering the doxxer a financial reward (not just a hat tip in a Brian Krebs column). We have fewer kind words have for the prospect that AI will soon be able to locate, track, and bankrupt problem gamblers.   

I issue a rare correction to an earlier episode, renouncing any suggestion that Israel traded its citizens' health data for first dibs on the Pfizer vaccine. It turns out that what it offered was "deidentified aggregate health data." With proper implementation, that data may actually stay aggregate and deidentified, Nick tells me.

And I offer a hat tip to Peter Machtiger, whose student note in an NYU law journal cites the Cyberlaw Podcast, twice!

And more!

Download the 355th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our news roundup for this episode is heavy on China and tech policy. And most of the news is bad for tech companies. Jordan Schneider tells us that China is telling certain of its agencies not to purchase Teslas or allow them on the premises, for fear that Elon Musk's famously intrusive record-keeping systems will give U.S. agencies insight into Chinese facilities and personnel. Pete Jeydel says the Biden administration is prepping to make the same determination about Chinese communications and information technology, sending subpoenas to a number of Chinese tech suppliers. Meanwhile, Apple's effort to protect its consumers from apps that collect personal data is coming under pressure from what Jordan sees as a remarkable alliance of normally warring Chinese tech companies, including Baidu, Tencent, and Bytedance. In addition to their commercial heft, all these companies likely have more juice in Beijing than Apple, so look for Tim Cook to climb down from his privacy high horse in China. (And in Russia, where Apple has already agreed to let the Russian government specify the apps that must come preinstalled on iPhones sold in Russia.) Still, you can expect that Apple will continue to bravely refuse to cooperate with the FBI on terrorism and serious crime because that might set a precedent for cooperating with governments like Russia's and China's.

But the episode gets its title from our discovery that President Xi's critique of social media platforms sounds exactly like Sen. Josh Hawley's. It is, in fact, the global bien pensant consensus, which has no dissenters to speak of now that the Chinese go to Davos. Jordan offers insights into why the Chinese government's concerns about Big Tech might have origins in something other than factional strife in Beijing.

David Kris and I dive into the final word from the intelligence community on foreign governments' interference  (via hacking or influence ops) in our 2020 election. The short answer is that the Russians and the Chinese didn't hack our election machinery; in fact they didn't even try. So, chest-beating over our 2020 cyber defenses may be a little like doing a victory lap after the other team forfeits. David and I manage to disagree about a few things, including the Hunter Biden laptop story, which I contend is now the principal example of a disinformation campaign in 2020, with the media and Big Tech combining to throttle the story on spurious suspicions of a Russian hand in its provenance; David disagrees.

Pete Jeydel and Ishan Sharma, our interview guest, weigh in on the latest cyber conflict paper  from the United Nations. We all agree that it could be worse, and that getting the General Assembly to accept it was an achievement at a time of lowered expectations for the UN.

The Cyber Space Solarium Commission is not going away, Pete and I agree, as witness the most recent report card issued to the Biden Administration by a Solarium staffer. In principle, that's a good thing; commissions need to stick around and fight for their recommendations. But I can't help complaining that some of the things the Commission is fighting for – Senate confirmation of a White House cyber director, and cutting DHS out of supply chain governance – are bad ideas.

We close with a recognition of the rafts of material supplied over the years to the podcast by the data protection authorities of Europe. They've mostly been an what Texans call "all hat and no cattle" – better talkers than doers. But now their lack of serious implementation skills is catching up with them, as the companies they have penalized begin to  pursue, and win, judicial appeals. That's a trend likely to continue, and a good thing too.

Our interview is with Ishan Sharma, from the Federation of American Scientists, and author of "A More Responsible Digital Surveillance Future Multi-stakeholder Perspectives and Cohesive State & Local, Federal, and International Actions."

If you like the episodes where I disagree profoundly with my guests, this one's for you. I don't think Ishan gets more than two minutes into the interview before the critiquing begins. Still, he holds his own, defending a vision of surveillance technology that serves democratic ends and is for that reason supported and even subsidized in a global competition with the less democratic alternatives from China. I suspect that he'll lose friends on both the left and the right as he tries to walk this line, but he's clearly put a lot of thought into finding an alternative to technopessimism, and he defends it ably.

And more!

Download the 354th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week we interview Eliot Higgins, founder and executive director of the online investigative collective Bellingcat and author of We Are Bellingcat.

Bellingcat has produced remarkable investigative scoops on everything from Saddam's use of chemical weapons to exposing the Russian FSB operatives who killed Sergei Skripal with Novichok, and, most impressive, calling a member of the FSB team that tried to kill Navalny and getting him to confess. Eliot talks about the origins of the effort (as a part-time break from his job at a lingerie company), the techniques that make Bellingcat so effective, and the hazards, physical and moral, that surround crowdsourced investigations.

In the news, Dave Aitel gives us the latest on the Chinese Exchange server attacks, and the reckless hack-everyone spree that was apparently triggered by Microsoft's patch of the vulnerability.

Jamil Jaffer introduces us to the vulnerability of the week – dependency confusion, and the startling speed with which it is being exploited.

I ask Nate Jones and the rest of the panel what all this means for government policy.  No one thinks that the Biden administration's published cyberstrategy tells us anything useful. More interesting are two deep dives on cyber strategy from people with a long history in the field. We see Jim Lewis's talk on the topic as a sign of his evolution in the direction of much harsher responses to Russian and Chinese intrusions. Dmitri Alperovich's approach also has a hard edge, although he points out that the utter irresponsibility of the Chinese pwn-em-all tactic  deserves an especially harsh response.  I ask why Cyber Command didn't respond by releasing a worm that would install poorly secured shells on every Exchange server in China.

In other news, I blame poor (or rushed) DOD lawyering for the district court ruling that DOD couldn't list Xiaomi as an entity aligned with the Chinese military. Jamil is more charitable both to DOD and the Judge who made the ruling, but he expects (or maybe just hopes) that the court of appeal will show DOD more deference.

Twitter, on the other hand, is praying that the Northern District of California suffers from full-blown Red State Derangement, as it asks the court there to enjoin the Texas Attorney General's investigation into possible anticompetitive coordination in the Great Deplatforming of January 2021. Nate gives us the basics on the lawsuit. I observe that, to bring such a Hail Mary of a case, Twitter must deeply fear what its own employees were saying about the deplatforming at the time. Neither Nate nor I give Twitter a high probability of success. And even if this case does succeed, red states are lining up a host of new laws and regulatory initiatives for Silicon Valley, most notably Gov. DeSantis's controversial effort to navigate section 230 and the first amendment.

Nate also provides a remarkably clear explanation of the sordid tale of European intelligence and law enforcement agencies trying to cut a special deal for themselves in the face of surveillance-hostile rulings from the EU's Court of Justice. The agencies are right to want to avoid those foolish decisions, but leaving the US on the hook will only inflame trans-Atlantic relations.

In quick hits, Jamil and Dave talk about Israel's Unit 8200, which offers a better cybersecurity VC alumni network than Stanford. Playing to type, I close with This Week in Sex Toy Security and immediately display my naivete: Wearables, who knew?  But the security lapses in what Dave calls the internet of junk at least offer us a new, more explicit interpretation of a man-in-the-middle attack.

And more!

Download the 353rd Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We're mostly back to our cybersecurity roots in this episode, for good reasons and bad. The worst of the bad reasons is a new set of zero-day vulnerabilities in Microsoft's Exchange servers. They've been patched, Bruce Schneier tells us, but that seems to have inspired the Chinese government hackers to switch their campaign from Stealth to Promiscuous Mode. Anyone who hasn't already installed the Microsoft patch is at risk of being compromised today for exploitation tomorrow.

Nick Weaver and Dmitri Alperovitch weigh in on the scope of the disaster and later contribute to our discussion of what to do about our ongoing cyberinsecurity. We're long on things that don't work. Bruce has pointed out that the market for software products, unfortunately, makes it entirely rational for industry to skimp on security while milking a product's waning sales. Voluntary information sharing has also failed, Dmitri notes. In fact, as OODA Loop showed in a devastating chart, information sharing is one of half a dozen standard recommendations made in the last dozen commission recommendations for cybersecurity. They either haven't been implemented or they don't work.

Dmitri is hardly an armchair quarterback on cybersecurity policy. He's putting his money where his mouth is, in the form of the Silverado Policy Accelerator, which we discuss during the interview segment of the episode. Silverado is focused on moving the cybersecurity policy debate forward in tangible, sometimes incremental, ways. It will be seeking new policy ideas in cybersecurity, international trade and industrial security, and ecological and economic security (what the group is calling Eco2Sec).  (The unifying theme is the challenge to the US posed by the rise of China and the inadequacy of our past response to that challenge.) But ideas are easy; implementation is hard. Dmitri expects Silverado to focus its time and resources both on identifying novel policy ideas and on ensuring those ideas are transformed into concrete outcomes.

Whether artificial intelligence would benefit from some strategic decoupling sparks a debate between me, Nick, Jane Bambauer, and Bruce, inspired by the final AI commission report. We shift from that to China's version of industrial policy, which seems to reflect Chinese politics in its enthusiasm not just for AI and chips but also for keeping old leaders alive longer.

Jane and I check in on the debate over social media speech suppression, including the latest developments in the Facebook Oversight Board and the unusual bedfellows that the issue has inspired. I mock Google for YouTube's noblesse oblige promise that it will stop suppressing President Trump's speech when it no longer sees a threat of violence on the Right. And then I mock it again for its silly refusal to return search results for "BlueAnon"—the Right's label for the Left's wackiest conspiracy theories. (If you think there aren't any, just google "blue anon" … oh, wait, you can't.)

In quick hits, Bruce and Dmitri explore a recent Atlantic Council report on hacked access as a service and what to do about it. Bruce thinks the problem (most often associated with the Israeli firm NSO) is real and the report's recommendations plausible. Dmitri argues that trying to stamp out a trade in zero days is solving the wrong part of the problem, since reverse engineering of software patches, not zero days, is the source of most successful attacks.  Speaking of NSO, Nick reminds us of the rumors that they have been under criminal investigation and that the investigation has been revived recently.

Jane notes that Virginia has become the second state with a consumer data protection law, and one that resembles California's CCPA.

Jane also notes the Israeli Supreme Court decision ending (sort of) Shin Bet's use cellphone data for coronavirus contact tracing. Ironically, it turns out to have been more effective than most implementations of the Gapple privacy-crippled app.

Bruce and Dmitri celebrate the hacking of three Russian cybercrime forums for the rich array of identity clues the doxxing is likely to offer researchers like Bellingcat (whose founder will be our interview guest on Episode 353 of the Cyberlaw Podcast).

And more!

Download the 352nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In the news roundup, David Kris digs into rumors that Chinese malware attacks may have caused a blackout in India at a time when military conflict was flaring on the two nation's Himalayan border. This leads us to Russia's targeting of the U.S. grid and to uneasy speculation on how well our regulatory regime is adapted to preventing successful grid attacks.

The Biden administration is starting to get its legs under it on cybersecurity. In its first major initiative, Maury Shenk and Nick Weaver tell us, it has called for a set of studies on how to secure the supply chain in several critical products, from rare earths to semiconductors. As a reflection of the rare bipartisanship of the issue, the President's order is weirdly similar to Sen. Tom Cotton's call to "beat China" economically.  

Nick explains the most recent story on how China repurposed an NSA attack tool to use against U.S. targets. Bottom line: It's embarrassing for sure, but it's also business as usual for attack teams. This leads us to a surprisingly favorable review of the Cyber Threat Alliance's recent paper on how to run a Vulnerability Equities Process.

Maury explains the new rules that Facebook, WhatsApp and Twitter will face in India.

Among other things, the rules will require India-based "grievance officers" to handle complaints. I am unable to resist suggesting that, if ever there were a title that the wokeforce at these companies should aspire to, it's Chief Grievance Officer.

Nick and I make short work of two purported scandals -- ICE investigators using a private utility database to enforce immigration law and the IRS purchasing cellphone location data. I argue that the first story is the work of ideologues who would loudly protest ICE access to the White Pages. And the second is a nonstory largely manufactured by Sen. Wyden.  

In a story that isn't manufactured, David and I predict that the Supremes will agree to decide the scope of cellphone border searches.  More than that, we conclude, the Ninth Circuit will lose. The hard question is how broadly the Court decides to rule once it has kicked the Ninth Circuit rule to the curb.

Maury reports that Facebook and Google have pushed the Aussie government into a compromise on paying Aussie media fees for links. Facebook gets the credit for being willing to shoot the family members the government was holding hostage (although in Facebook's case, the hostage was probably a second cousin once removed). Maury predicts that the negotiations will be tougher once the European Union starts rounding up its hostages.  

In quick hits, I claim credit for pointing out years ago that sooner or later the crybullies would come for  "quantum supremacy." And they have. Maury and I note the rise of audits for AI bias. He's mildly favorable; I am not. And I close by noting the surprisingly difficult choices illustrated by Pro Publica's story on how the content moderation sausage was made at Facebook when the Turkish government demanded that a Kurdish group's postings be taken down.

And more!

Download the 351st Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode features an interview with Jason Fagone, journalist and author of The Woman Who Smashed Codes: A True Story of Love, Spies, and the Unlikely Heroine Who Outwitted America's Enemies. I wax enthusiastic about Jason’s book, which features remarkable research, a plot like a historical novel, and deep insights into what I call NSA’s “pre-history” – the years from 1917 through 1940, when the need for cryptanalysis was only dimly perceived by the US government. Elizebeth and William Friedman more or less invented American cryptanalysis in those years, but the full story was never known, even to NSAers. It was protected by a force even stronger even than classification – J. Edgar Hoover’s indomitable determination to get good press for the FBI even when all the credit belonged elsewhere. And, at all its crucial stages, that prehistory is a love story that lasted, literally, right to the grave. Don’t miss this (long!) interview with Jason Fagone, or his book.

Meanwhile, in the news roundup. Dmitri Alperovitch covers the latest events in what we just can’t call the SolarWinds hack any more. There’s no doubt that Microsoft code is at the center of the hack, though not because of unintended flaws; the hackers showed great interest in Microsoft’s code and took full advantage of its most easily abused features. Dmitri predicts multiple executive orders from Anne Neuberger’s review of the matter, and he hopes it means more centralization of federal civilian security monitoring and policy under CISA.

Dmitri and I agree that the Congressional effort to turn the cybersecurity director position into a Senate-confirmed White House office is more trouble than it’s worth.

The Maryland law taxing Google and Facebook ad revenue is ground-breaking, and for that reason is will also be heavily litigated. First time caller, first time listener David Fruchtman explains the tax and the litigation it has already spawned.

Which came first, China’s dream of a rare-earth boycott or U.S. nightmares of a rare-earth boycott? We ask Jordan Schneider, who suggests that neither the dream nor the nightmare is likely to come true any time soon.  

Is Australia going to war with Big Tech?  I take on Oz’s link fee and end up siding, improbably, with Mike Masnick and Facebook and against the fee. Meanwhile, the Australian infrastructure protection bill is drawing fire from Microsoft. Dmitri leans toward Microsoft’s view that the law should not give government authority to intervene when a private sector entity is unable or unwilling to respond to an attack.  I lean toward the government's position.

Jordan Schneider reviews the latest stories of tech companies getting a little too close for comfort to the Chinese surveillance state. The ByteDance censorship story is compelling but not new.  The Oracle story is compelling, new, and a clever piece of journalism by another alumna of the podcast, Mara Hvistendahl. 

Finally, in a series of quick bites, we cover:

• U.S. charges against three North Koreans who boosted their nation's GDP appreciably with their hacks.
• The ongoing Jones Day Doxtorsion.
• France’s discovery that GRU successfully targeted Centreon servers for years, and
• Sultan Meghji’s departure from The Cyberlaw Podcast for some damn thing or other

And more!

Download the 350th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview this week is with Nicole Perlroth, the New York Times reporter and author of This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. It's a wide-ranging, occasionally confrontational, interview and a great tour of the issues raised in the book about 0-day exploits, US responsibility for the global cyber arms race, and the colorful personalities whose hard choices helped shape the cybersecurity environment we all now live in.

In the news roundup, Nate Jones serves up a second helping of the SuperMicro story, a rerun of a much-maligned Bloomberg report from two years ago, claiming that SuperMicro gear had been elaborately compromised by China. This time, Nate reports, Bloomberg offers much more evidence, but probably not enough to completely satisfy the critics. Still, as we conclude, even giving the critics their due, this is a very bad story for SuperMicro – and for its customers.

It seemed like a classic cybersecurity horror story, with hackers using access to the industrial control system to nearly poison Oldsmar's water supply. But Nate and I both suspect that it will turn out to be a much more mundane horror tale, one where the call is always coming from inside the house – and untraceable because all the employees use the same password and no firewall.

Paying for news links is suddenly all the rage among Western governments. I'd link to the Australian stories about their new law, but I'm afraid they'd want me to pay them. Mark MacCarthy says that risk is overrated, but the prospects for such payment schemes are pretty good. Not just Australia, but also the EU are moving in this direction. And Microsoft has expressed its willingness to let Google pay such a fee in the U.S.

I suggest that this is all part of restoring an Establishment of "authoritative narrative shapers," for the internet age, noting that the critical question will be which publishers can attach themselves firmly to the flow of internet funding – a question already causing angst among French publishers.

Paul Rosenzweig summarizes the work done by a lot of smart people on the question of how to think about Chinese technology platforms operating in the United States. He also summarizes the current state of litigation over Chinese technology platforms operating in the United States. In a word, it's mostly on hold, waiting for the Biden administration to run a laborious interagency review.

Nate says the process has already begun for a related topic – how to secure the US tech supply chain, particularly manufacturing semiconductor.

Meanwhile, the First Circuit has taken on the question of border searches of mobile phones, ruling against a coalition of cyberleft organizations. There is now a circuit conflict that could bring the Supreme Court into the fray – soon if the cyberleft losers are imprudent enough to seek cert but not much longer than that if the Solicitor General picks a favorable case to lose in the Ninth Circuit.

In short hits, I wonder at just how bad open source security has gotten, noting a clever hack that pwned many companies by putting a compromised package in a public repository, thereby trumping the companies' private packages. Luckily, NIST is all over open source security. Or not. It turns out that NIST is actually offering a host of insecure open source  products with known flaws. The purpose of the products? Better computer security, naturally. 

The creative policing award of the week goes to the Beverly Hills cop who expresses his unhappiness with being filmed on the job by playing background snippets of songs that will get the video taken down by copyright bots if it is ever posted.In the "a bout time" category, a Canadian woman who defamed dozens of ordinary people in online vendettas has been arrested in Toronto.   And EncroChat, the phone that promised criminals absolute security but delivered them into the hands of law enforcement, has spawned a complicated debate about whether stealing messages from memory  is wiretapping or hacking.  

Finally, either The Cyberlaw Podcast has hit a new high or the Harvard Law Review has hit a new low: Looking for a way to sum up the European Court of Justice's ruling in Schrems II, a student note in the Review quotes from the podcast, characterizing Schrems II as "solipsistic Europocrisy meets judicial imperialism." Couldn't have said it better myself!

And more!

Download the 349th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode features a deep dive into the National Security Agency's self-regulatory approach to overseas signals intelligence, or SIGINT. Frequent contributor David Kris takes us into the details of the SIGINT Annex that governs NSA's collection outside the US. It turns out to be a surprising amount of fun as we stop to examine the SIGINT turf wars of the 40s, the intelligence scandals of the 70s, and how they shaped NSA's corporate culture.

In the news roundup, Bruce Schneier and I review the Canadian Privacy Commissioner's determination that Clearview AI violated Canadian privacy law by scraping Canadians' photos from social media. Bruce thinks Clearview had it coming; I'm skeptical, since it appears that pretty much everyone has been scraping public face data for their machine learning collections for years.

David Kris explains why a sleepy investment review committee with practically no staff is now being compared to a SWAT team. The short answer is Sen. Cornyn.

More and more, Gus Hurwitz and I note, Big Tech CEOs are being treated in Washington like comic book supervillains.  But have they finally met their match? Sen. Amy Klobuchar is clearly campaigning to be their nemesis. Like Doc Ock, she's throwing punch after punch at Big Tech, not just in antitrust legislation but Section 230 reform as well.

We're not done with Solar Winds yet, and Bruce Schneier thinks that's fair. He critiques the company for milking profits from its software niche without reinvesting in security.

Gus returns to the theme of Big Tech at bay, noting that Australia may start charging Google for linking to Australian news sites and that the Biden administration seems quite willing to join the rest of the world in imposing more taxes on tech profits.

David covers the flap between India and Twitter, which is refusing to follow refusing to follow an Indian government order to suppress several Twitter accounts. That's probably, I suggest, because India provided insufficient proof that the accounts in question belong to Republicans.

IBM seems to be bailing on blockchain, and Bruce thinks it's about time.  In some ways, IBM is the most interesting of tech companies, since it has less of a moat around its business than most and must live by its wits, which are formidable. Bruce offers quantum computing as an example of IBM doing the right things well.

Bruce and Gus help me with a preview of an upcoming interview of Nicole Perlroth as we cover an op-ed she drew from her new book. Bruce also offers a quick assessment of the draft report of the National Security Commission on Artificial Intelligence The short version: there isn't enough there there.

Finally, Gus reminds us that a prophet who predicts the attention economy but then refuses to play by its rules is almost guaranteed to end up as an attention Cassandra, as Michael Goldhaber has.

And more!

Download the 348th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

My latest op-ed, on Lawfare, argues that the Biden administration's first big counterterrorism blunder was getting rid of the Trump travel ban:

How, you might ask, could undoing such an unpopular and racist order possibly be a mistake? The answer is that, by the time of its revocation, the Trump travel ban had become something quite different from its starting point. Under pressure from the courts and the press, the leadership of the Department of Homeland Security (DHS) had reshaped Trump’s order into a calibrated security tool that depended not at all on the majority religion of the countries it affected. 

One of DHS’s great successes since 9/11 has been finding a way to let huge numbers of people into the country each day without giving up on security. The key is knowing more about each traveler, so that the government can make good risk-based decisions about who to admit. But that data-driven strategy only works if the U.S. has a minimum of cooperation from other governments. If the traveler’s home government makes it easy to obtain a fake identity, or if it refuses to tell the U.S. about travelers with criminal or terrorist ties, a border security system that depends on traveler data will fail. 

The original travel ban executive orders, issued in January and March of 2017, weren’t grounded directly in the need for such cooperation. Instead, to determine which countries were subject to the ban, the orders simply borrowed their list from past congressional and executive designations. But these orders did contemplate that the temporary ban would be followed by an interagency effort to determine the kind of information needed to admit future travelers. DHS took this as a mandate to put the ban on a new footing—one that would support its data-driven, individualized assessment of travelers by encouraging deeper cooperation from other governments. 

Many commentators have jeered at the idea of Republicans joining the Trump administration in the hope of contributing to government by sanding the rough edges off Trump’s instincts and turning them into good policy. But this is such a case. DHS officials were able to transform Trump’s off-the-cuff rhetoric into a defensible and important contribution to U.S. border security. 

By September 2017, DHS’s work was adopted in a presidential proclamation. It did not judge a handful of countries by the ethnicity or religion of their citizens; nor did it borrow its list from other legal contexts. Instead, the department had ranked 200 countries by how much help they give the U.S. in deciding who can safely be admitted to this country. 

It is an unfortunate fact that some governments don’t issue reliable identity documents, or don’t bother to tell Interpol when one of their citizens’ passports is stolen, even though such a passport can be used for a long time outside the country of issuance. Other governments are reluctant to share the criminal or terrorist records of their citizens, and a few are so hostile that the U.S. can’t count on them for any help in spotting terrorists.

The U.S. has a pretty good idea which countries are doing a good job on these and other measures of cooperation. In fact, in its initial review, DHS found almost 50 countries whose identity systems or information sharing with the U.S. needed improvement. It told them all that their citizens could be caught in an expanded and revamped travel ban.

No one wanted to end up on the new list. DHS was able to open talks, not just with the least helpful governments but with any that didn’t meet the highest standards. The result was heartening. Nearly 30 countries provided document exemplars that could be used to spot fake IDs. According to testimony by Assistant Secretary Elizabeth Neumann, three countries agreed to issue more secure passports. Nearly a dozen agreed to share more information about known or suspected terrorists. 

I have negotiated such information sharing agreements with other countries on behalf of DHS, and getting even one new agreement is an accomplishment. DHS’s achievement here is impressive.

https://www.lawfareblog.com/hidden-cost-undoing-travel-ban

The US has never really had a "cyberczar." Arguably, though, the U.K. has. The head of the National Cyber Security Center combines the security roles of NSA and DHS's CISA. To find out how cybersecurity issues look from that perspective, we interview Ciaran Martin, the first director of the NCSC.

In the news roundup, Paul Rosenzweig sums up recent successes in taking down the NetWalker  and Emotet  hacking networks: It's a win, and that's good, but we will need more than this to change the overall security status of the country.

Jordan Schneider explains the remarkable trove of leaked Chinese police records and the extraordinary surveillance now being imposed on the Uyghur minority in China.

Enthusiasts for end-to-end encryption should be worried, Mark MacCarthy and I conclude. First, the EU – once a firm advocate of unbreakable encryption – is now touting "security through encryption and security despite encryption." You can only get the second with some sort of lawful access, an idea that has now achieved respectability inside Brussels government circles, despite lobbying by e2e messaging firms based in Europe. On top of that, there's a growing fifth column of encryption skeptics inside the firms, whose sentiments can be summarized as, "I'm all for cop-proof encryption as long as it isn't used by lawbreakers who voted for Trump."

Paul brings us up to speed on the Office 36 – I mean the SolarWinds – attack. Turns out lots of companies were compromised without any connection to SolarWinds. The episode shows that information sharing about exploits still has a ways to go. And if you're a lawyer who's been paying ten cents a page for downloads from the federal courts' electronic filing system, whatever you've been paying for, it isn't security. The attackers got in there, and as a result, we'll be making sensitive filings on paper.  First voting, then suing – more and more of our lives are heading off line.

Does China want your DNA, and why? I have a truly scary suggestion, and Jordan tries to talk me down.

The Facebook Oversight Board has issued its first decisions. Paul and Mark touch on the highlights. I predict that the board will overrule Trump's deplatforming, to surprisingly little dissent.

Jordan and I dig into two overviews of U.S. tech and military competition. It starts to feel a little incestuous when it turns out we all know the authors – and that Jordan has invited them all to be on his excellent podcast, ChinaTalk.

In short hits,

• I predict that Beijing will fight CFIUS to the last dollar of TikTok revenue. And could easily win.
• I question YouTube's demonetization of the Epoch Times, but Jordan has less sympathy for the paper.
• I'm less flexible about Google's hard-to-justify decision to block the ads of a group that (like most Americans) opposes Democratic proposals to pack the Supreme Court.
• And if you're wondering how dumb stuff like this happens, the L.A.Times gives an object lesson. Faced with a campaign to recall California governor Newsom, the Times dug into the online organizations supporting recall.  Remarkably, it found that the groups included a lot of the same kinds of folks who came to Washington in January to protest President Biden's victory. Shortly after that drive-by festival of guilt by association, Facebook banned ads supporting the recall movement. 

And more!

Download the 347th Episode (mp3)

Special announcement: We are thinking about hiring a part-time producer/sound engineer/intern for the Cyberlaw Podcast.  That decision hasn’t been made, but consider this a head start.  If you or someone you know would want such a position, send their resume to us at CyberlawPodcast@Steptoe.com.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

It's a story that has everything, except a reporter ready to tell it. A hostile state attacking the US power grid is a longstanding and quite plausible national security concern. The Trump administration was galvanized by the threat, even seizing Chinese power equipment when it arrived in the US to do a detailed breakdown of the gear and then issuing an executive order and follow-up rulings designed to cut Chinese products out of the US grid supply chain.

Yet now the Biden administration has suspended this order for 90 days – the only Trump cybersecurity order to be called into question so far. Industry lobbying? Chinese maneuvering? Tech uncertainty?  No one knows, but Brian Egan and I sketch the outlines of an irresistible story that will surely reward a persistent journalist.

The SolarWinds story, meanwhile, needs a new moniker, as the compromises spread beyond SolarWinds distributions, reaching victims like Malwarebytes. Increasingly, it looks as though Microsoft and its cloud are the common denominators, Sultan Meghji and I observe, but that's one moniker the story will never acquire.

In other cyber TTP news, the Chinese are stealing airline passenger reservation data, Sultan notes. Maybe they're just trying to find out when Mike Pompeo next plans to come to China so they can meet him at the airport and enforce their latest sanctions – no Great Wall tours for you, Mr. Secretary!

This is our last week of Trumpian cyber news, so we wallow in it. President Trump also issued a last-minute order calling for an assessment of the security risks of Chinese drones, Maury Shenk tells us. And Brian unpacks the other last-minute Trump administration order requiring U.S. U.S. cloud providers to know which foreigners they are selling virtual machines to.

I claim victory in my short letter to Secretary Mnuchin, suggesting that, instead of jamming a cryptocurrency regulation through on his watch, he concentrate on convincing Secretary-designate Yellen to carry the project through.  If he took my advice, it seems to have worked. Sultan reports that she is showing signs of wanting to "curtail" cryptocurrency. In other news, Sultan boldly predicts the advent of interplanetary cryptocurrency in Elon Musk's lifetime.

Brian and I unpack the latest Cyberspace Solarium Commission product -- its persuasive Transition Book for the Biden administration. I predict that the statutorily mandated cybersecurity director it recommends will have to be subordinated to the Deputy National Security Adviser for cybersecurity if the office is to be accepted in the White House.

And in quick hits: Maury covers the surprisingly robust European enforcement of employee protections against video surveillance. I explain Parler's loss in trying to overturn the AWS ban that pushed it off the internet. Sultan explains why the Biden Peloton is a cybersecurity risk, and I tip my hat to the President's physical fitness. I summarize the Mike Ellis story; he held the job NSA's general counsel for about a day before a political witch-hunt caught up with him, and he may never serve another day.  

And, finally, a little schadenfreude for the European Parliament, which is being investigated by the EU's lead data regulator for poor cookie notices on a website it set up for MEPs to book coronavirus tests. The complainant? Max Schrems, who is now well on his way to becoming as unpopular with European politicos as he is in the U.S.

And more!

Download the 346th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, I interview Jane Bambauer on the failure of COVID-tracking phone apps. She and Brian Ray are the authors of "COVID-19 Apps Are Terrible—They Didn't Have to Be," a paper for Lawfare's Digital Social Contract project. It turns out that, despite high hopes, the failure of these apps was overdetermined, mainly by twenty years of privacy scandalmongering and regulation. In essence, Google and Apple set far too strict rules for the apps in an effort to avoid privacy-based political attacks, and the governments that could have reined them in surrendered instead, also in order to avoid privacy-based political attacks. So, we have no one to blame but ourselves, and our delusional valuation of privacy over life itself. Sometimes, privacy really does kill.

In the news roundup, we discover that face recognition suddenly isn't toxic at all, since it can be used to identify pro-Trump protestors.  Dave Aitel explains why face recognition might work even with a mask but still not be very good.  And Jane Bambauer reprises her recent amicus argument that Illinois's biometric privacy law is a violation of the first amendment.

If you heard the part of episode 344 last week about Silicon Valley speech suppression, you might be interested in seeing a further elaboration of proposal I came up with then, now  a Washington Post Op-Ed. Meanwhile, Dave reports that Parler may be back from the dead but dependent on Russian infrastructure. Dave wants to know if that means Parler can be treated by the Biden team like TikTok was treated by the Trump administration.

Dave also brings us up to speed on the latest SolarWinds news. He also casts a skeptical eye on a recent New York Times article pointing fingers at JetBrains as a possible avenue of attack. The story was anonymously sourced and remains conspicuously unconfirmed by other reporting.

Not dead yet, the Trump administration has delivered regulations for the exclusion of risky components from the national IT and communications infrastructure. Maury Shenk explains the basics.

Speaking of which, China is getting ready to strike back at such measures, borrowing the basic blocking statute rubric invented  by the Europeans. Blocking statutes can be effective, but only by putting private companies in a vise between two inconsistent legal duties. Bad news for the companies, more work for lawyers.

I ride one more hobbyhorse, critiquing Mozilla's decision to protect "user privacy" while imposing new burdens and risks on enterprise security. The object of my ire is Firefox's Encrypted Client Hello. Dave corrects my tech but more or less confirms that this is one more nail in the coffin for CISO control of corporate networks.

Matthew Heiman and I dig into the latest ransomware gang tactics -- going after top executive emails to raise the pressure to pay. The answer? I argue for more fake emails

In our concluding quick hits, Maury tells us about the CNIL's decision that privacy law prevents France from using drones to enforce its coronavirus rules. I note a new FDIC cybersecurity rule that isn't (yay!) grounded in personal data protection. Maury explains the recently EU advocate general's opinion, which would probably make Schrems II even less negotiable than it is now.  If it's adopted by the European Court of Justice, which I argue it will be unless the Court can find some resolution that is even more anti-American than the advocate general's proposal. And, finally, Matthew tells us that the State Department has reorganized to deal with cyber issues – a reorganization that may not last longer than a few months.

Download the 345th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Washington Post has published my op-ed on social media speech suppression and what to do about it.  I consider and deprecate the use of section 230 and the antitrust laws, which leads me to using the tax code to induce gatekeeper platforms to break themselves up:

What if the federal government imposed a 40 percent tax on the gross revenue of gatekeeper social media companies that have more than, say, 30 million active users in the United States? Instead of fighting antitrust authorities in the trenches for years, companies faced with such a harsh tax rate would rush to break themselves up. (And if they didn’t, well, the treasury could certainly use the revenue after the bailouts of 2008-09 and 2020-21.) Efforts to avoid the tax would surely spur a proliferation of mainstream social media companies, each serving a broad audience. Some might adopt an editorial stance that leans to the left and others to the right, just as broadcast and other news media already do. But their ability to enforce ideological conformity or pursue a unified business interest would be shattered.

https://www.washingtonpost.com/opinions/2021/01/19/rein-in-big-tech-taxes/ 

In this episode, I interview Zach Dorfman about his excellent reports in Foreign Policy about US-China intelligence competition in the last decade. Zach is a well-regarded national security journalist, a Senior Staff Writer at the Aspen Institute's Cyber and Technology program, and a Senior Fellow at the Carnegie Council for Ethics in International Affairs. We dive deep into his tale of how the CIA achieved remarkable penetration of the Chinese government and then lost it, inspiring China to mirror-image the Agency's techniques and build a far more professional and formidable global intelligence network.

In the news roundup, we touch on the disgraceful demonstration-cum-riot at the Capitol this week and the equally disgraceful Silicon Valley rush to score points on the right in a way they never did with the BLM demonstrations-cum-riots last summer. Nate Jones has a different take, but we manage to successfully predict Parler's shift from platform to (antitrust) plaintiff and to bond over my proposal to impose heavy taxes on social media platforms with more than ten million users. Really, why spend three years in court trying to break 'em up when you can get them to do it themselves and raise money to boot?

SolarWinds keep blowing. Sultan Meghji and Zach Dorfman give us the latest on the attribution to Russia, the fine difference between attack and espionage, and the likelihood of new direct or indirect cybersecurity regulation.

Pete Jeydel and Sultan cover the latest round of penalties imposed by the rapidly dwindling Trump administration on Chinese companies.

Nate dehypes the UK High Court decision supposedly ruling mass hacking illegal. He previews some Biden appointments, and we talk about the surprising rise of career talent in the new administration and why that might be happening. Nate also critiques DNI Grenell after accusations of politicization of intelligence. I'm kinder. But not when I condemn Distributed Denial of Services for joining forces with ransomware gangs to punish victims;  it's hard to believe that anyone could make Julian Assange and Wikileaks look responsible, but DDOS does. Speaking of Julian, he's won another Pyrrhic victory in court – likely extending his imprisonment with another temporizing win.

Download the 344th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Episode 343 of the Cyberlaw Podcast is a long meditation on the ways in which technology is encouraging other nations to exercise soft power inside the United States. I interview Nina Jankowicz,, author of How to Lose the Information War on how Russian disinformation has affected Poland, Ukraine, and the rest of Eastern Europe – and the lessons, if any, those countries can offer a divided United States.

In the news, Bruce Schneier and I dig for more lessons in the rubble left behind by the SolarWinds hack. Nobody comes out looking good. Persistent engagement and defending forward only work if you’re actually, you know, engaged and defending, and Russia’s cyberspies managed (not surprisingly) to hide their campaign from NSA and Cyber Command. More and better defense is another answer (not that it worked during the last 40 years it’s been tried). But whatever solution we pursue, Bruce makes clear, it’s going to be expensive.

Taking a quick break from geopolitics, Michael Weiner gives us a rundown on the new charges and details (mostly redacted) in the Texas case against Google for monopolization and conspiring with competitor Facebook. The scariest thing about the case from Google’s point of view, though, may be where it’s been filed. Not Washington but the Eastern District of Texas, the most notoriously pro-plaintiff, anti-corporate jurisdiction in the country.

Returning to ways in which foreign governments are using our technology against us, David Kris tells the story of the Zoom executive who used pretextual violations of terms of service to take down speech the Chinese government didn’t like, censoring American efforts to hold a Tiananmen memorial. The good news: he was charged criminally by the Justice Department. The bad news: I can’t help suspecting that China learned this trick from the ideologues of Silicon Valley.

Aaand, right on cue, it turns out that China’s been accused of using its 50-cent army to file complaints of racism and video game violence against Americans using the platform to criticize China’s government, a tactic the target claims is getting YouTube to demonetize his videos.

Next, Bruce points us toward a deep and troubling series of Zach Dorfman articles about how effectively China is using technology to vault over US intelligence agencies in the global spying competition.

Finally, in quick succession:

• David Kris explains what’s new and what’s not in Israel’s view of international law and cyberconflict.
• I note that President Trump’s NDAA veto has been overridden, making the cyberczar and DHS’s CISA the biggest winners in the cyber policy arena.
• Bruce and I give a lick and a promise to the FinCen proposed rule regulating cryptocurrency. We’re both inclined to think more reregulation is worth pursuing, but we agree it’s too late for this administration to get anything on the books.
• David Kris notes that Twitter has been fined around $550 thousand over a data breach filing that was a few days late – a fine imposed by the Irish data protection office in a GDPR ruling that is a few years late.
• Apple has lost its bullying copyright battle against security start-up Corellium but the real risk to Corellium may be in the as-yet unresolved claim for violation of the DMCA.
• And the outgoing leadership of DHS is issuing new warnings about the cyber risks of using Chinese technology, this time touching on backdoors in TCL smart TVs and the risk of compromise from Chinese data services

Download the latest episode here.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview is with Alex Stamos, who lays out a complex debate over child sexual abuse that's now roiling Brussels. The application of European privacy standards (and European AI hostility) to internet communications providers has called into question the one tool that has reduced online child sex predation. Scanning for sex abuse images works well, and even scanning for signs of "grooming" is surprisingly effective.  But both depend on automated monitoring of communications content, something that has apparently come as a surprise to European lawmakers hoping to impose more regulation on American tech platforms.  Left unchanged, the new European rules could make it easier to abuse kids all around the world.  Alex explains the rushed effort to head off that disaster – and tells us what Ashton Kutcher has to do with it (a lot, it turns out).

Meanwhile, in the news roundup, Michael Weiner breaks down the FTC's (and 46 states') long-awaited antitrust lawsuit against Facebook. Maybe the government will come up with something as the case moves forward, but its monopolization claims don't strike me as overwhelming.  And, as Mark MacCarthy points out, the likelihood that the lawsuit will do something good on the privacy front is vanishingly small.

Russia's SVR, heir to the KGB, is making headlines with a remarkably sophisticated and well-hidden cyberespionage attack on a lot of institutions that we hoped were better at defense than they turned out to be. Nick Weaver lays out the depressing story, and Alex offers a former CISO's perspective, arguing for a federal breach notification law that goes well beyond personal data and includes after-action reports that aren't locked up in post-litigation gag orders. Jamil Jaffer tells us that won't happen in Congress any time soon.

Jamil also comments on the prospects for the National Defense Authorization Act, which is chock full of cyber provisions but struggling forward under a veto threat. If you're not watching the European Parliament tie itself in knots trying to avoid helping child predators, tune in to watch American legislators tie themselves into knots trying to pass an important defense bill without drawing the ire of the President.

The FCC, in an Ajit Pai farewell, has been hammering Chinese telecom infrastructure companies. In one week, Jamil reports, the FCC launched proceedings to kick China Telecom out of the US phone network, reaffirmed its exclusion of Huawei from the same infrastructure, and adopted a "rip and replace" mandate for US providers who still have Chinese gear  in their networks.

Nick and I clash over the latest move by Apple and Google to show their contempt for US counterterrorism efforts – the banning of a location data company whose real crime was selling the data to (gasp!) the Pentagon.

Mark explains proposals for elaborate new regulation elaborate new regulation of digital intermediaries now working their way through -- where else? – Brussels. I express some cautious interest in regulation of "gatekeeper" platforms, if only to prevent Brussels and the gatekeepers from combining to slam the Overton window on conservatives' fingers.

Mark also reports on the Trump administration's principles for U.S. government use of artificial intelligence, squelching as premature my celebration at the absence of "fairness" and "bias" cant.

Those who listen to the roundup for the porn news won't be disappointed, as Mark and I dig into the details of Pornhub's brush with cancellation at the hands of Visa and Mastercard – and how the site might overcome the attack.

In short hits, Nick and I disagree about Timnit Gebru, the "ethicist" who was let go at Google after threatening to quit and who now is crying racism. I report on the enactment of a modest but useful IoT Cybersecurity law and on the doxxing of the Chinese Communist Party membership rolls as well as the adoption of the most law-enforcement-hostile technology  yet to come out of Big Tech – Amazon's Sidewalk.       

Download the 342nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Did you ever wonder where all those trillion dollar tech valuations come from?  Turns out, a lot of the money comes from online programmatic advertising, an industry that gets little attention even from the companies it's making wealthy, such as Google. That lack of attention is pretty ironic, because lack of attention is what’s going to kill the industry, according to Tim Hwang, former Google policy maven and current research fellow at the Center for Security and Emerging Technology (CSET).  In our interview, Tim Hwang explains the remarkably complex industry and the dynamics that are leaching the value out of its value proposition. Tim thinks we’re in an attention bubble, and the pop will be messy.  I’m persuaded the bubble is real but not that its end will be disastrous outside of Silicon Valley.

But first, in the news roundup Sultan Meghji and I celebrate was seems like excellent news about a practical AI achievement in predicting protein folding. It’s a big deal, and an ideal problem for AI, with one exception.  The parts of the problem that AI hasn’t solved would be a lot easier for humans to work on if AI could tell us how it solved the parts it did figure out.  Explainability, it turns out, is the key to collaborative AI-human work. 

Opening the 'Black Box' of Artificial Intelligence | RealClearScience 

We welcome first time participant and long-time listener Jordan Schneider to the panel. Jordan is the host of the unmissable ChinaTalk podcast. Given his expertise, we naturally ask him about … Australia. 

Actually, it’s a natural, because Australia is now the testing ground for many of China’s efforts to bend independent countries to its will using cyber power along with trade leverage. Among the highlights: Chinese tweets about Australian war crimes, boosted by a hamhanded bot campaign. And in a move that ought to be front an center in future justifications of the Trump administration’s ban on WeChat, the platform refused to carry the Australian prime minister’s criticism of the war-crimes tweet. Tom Cotton and Marco Rubio, call your office!

And this will have to be the Senators' fight, because it looks more and more as though the Trump administration has thrown in the towel. Its claim to be negotiating a TikTok sale after ordering divestment is getting thinner; now the divestment deadline has completely disappeared, as the government simply says that negotiations will continue.   Nick Weaver is on track to win his bet with me that CFIUS won’t make good on its Tiktok order before the mess is shoveled onto Joe Biden’s plate.

Whoever was in charge of beating up WeChat and TikTok may have checked out of the Trump administration early, but the team that’s sticking pins in other Chinese companies is still hard at work. Jordan and Brian talk about the addition of SMIC to the amorphous Defense blacklist. And Congress has passed a law (awaiting Presidential signature) that will make life hard for Chinese firms listed on U.S. exchanges.

China, meanwhile, isn’t taking this lying down, Jordan reports. It is mirror-imaging all the Western laws that it sees as targeting China, including bans on exports of Chinese products and technology. It is racing (on what Jordan thinks is a twenty-year pace) to create its own chip design capabilities.

And with some success. Sultan, the podcast’s resident DeHyper, takes some of the hype out of China’s claims to quantum supremacy.  But even dehyped, China’s achievement should be making those who rely on RSA-style crypto just a bit nervous (and that’s all of us, of course).

Michael Weiner previews the still veiled state antitrust lawsuit against Facebook and promises to come back with details as soon as it’s filed. In quick hits, I explain why we haven’t covered the Iranian claim that their scientist was rubbed out by an Israeli killer robot machine gun: I don’t actually believe them.

Brian explains that another law aimed at China and its use of Xinjian forced labor is attracting lobbyists but likely to pass. Apple, Nike, and Coca-Cola have all taken hits for lobbying on the bill; none of them say they oppose the bill, but it turns out there’s a reason for that. Lobbyists have largely picked the bones clean.

President Trump is leaving office in typical fashion – gesturing in the right direction but uninteresting in actually getting there. In a “Too Much Too Late” negotiating move, the President has threatened to veto the defense authorization act if it doesn’t include a repeal of section 230 of the Communications Decency Act. If he’s yearning to wield the veto, Dems and GOP alike seem willing to give him the chance.  They may even override, or wait until January 20 to pass it again.

Finally I commend to interested listeners the oral argument in the Supreme Court’s Van Buren case, about the Computer Fraud and Abuse Act. The Solicitor General’s footwork in making up quasitextual limitations on the more sweeping readings of the Act is admirable, and it may well be enough to keep van Buren in jail, where he probably belongs for some crime, if not this one. 

Download the 341st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview in this episode is with Michael Daniel, formerly the top cybersecurity adviser in the Obama NSC and currently the CEO of the Cyber Threat Alliance.  Michael lays out CTA’s mission. Along the way he also offers advice to the Biden cyber team – drawing in part on the wisdom of Henry Kissinger.

In the news roundup, Michael joins Jamil Jaffer and Nate Jones to mull the significance of Bruce Reed’s appointment to coordinate technology issues in the Biden White House.  Reed’s tough take on Silicon Valley companies and section 230 may form the basis of a small-ball deal with Republicans on things like child sex abuse material, but none of us thinks a broader reconciliation on content moderating obligations is in the offing.

When it comes to regulating the tech sector, Brussels is a fount of proposals. The latest, unpacked by Jamil and Maury Shenk, is intended to build on the dubious success of GDPR in jumpstarting the EU’s technology industry. If it reminds you of the brilliant success of European regulation in creating a large certification authority industry, you won't be far wrong.

Maury and I puzzle over exactly how a Russian divorcee won a court order allowing access to her estranged son’s Gmail account. Our guess: the court stretched a point to conclude that the son had consented.

Another day, another China-punishing measure from the Trump administration: Jamil explains the administration’s vision of a bloc of countries that will unite in resistance to China’s punitive trade retaliation against inconvenient Western countries, most notably Australia, now getting hit hard by China.

Meanwhile, Maury reports that the administration has identified nearly 90 Chinese companies that are closely tied to the Chinese military for purposes of export control licenses. The only good news for US exporters is that the list eliminates some ambiguity about the status of some companies.

Maury also gives an overview of what most of us think is an oxymoron: Privacy in China. In fact, there is growing attention to protecting privacy at least from commercial companies. But harsh penalties, as always, are going to make observers wonder “who did that company piss off?” before they wonder “what did that company do wrong?”

Maury also reports on the effort to revive Privacy Shield – and on just how little the negotiators have to work with.

Jamil comments on the ever-rising cost of cybersecurity, and the possible implications for bank consolidation.

Nate reviews privacy and security doubts about Amazon’s Sidewalk feature, which turns Alexa devices into neighborhood WiFi networks.

Maury and I note that the deadline for a TikTok sale is a week away and maybe always will be.

Jamil wonders why ZTE asked the FCC to reconsider its exclusion of the company from the US telecoms infrastructure. The FCC order denying the request was not exactly a marketing triumph.

Jamil and I have fun asking how much snooping will go on in a proposed new fiber-optic network linking Saudi Arabia and Israel. Biggest loser? Egypt.

Nate is not surprised that France is pushing its tax for the (US) tech sector, but we debate whether the timing will turn out to be good for France or bad. I claim that White House ADHD will be France’s best friend.

Maury and I try to figure out whether there’s a public policy case in favor of the Rivada plan to take over a bunch of DoD spectrum and rent out whatever is excess to DoD needs. Maybe there is, but we can’t find it.

Download the 340^th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Here's my favorite story from this episode: David Kris told us about a report from the Privacy and Civil Liberties Oversight Board that spelled out the enormous value that European governments have gotten in their fight against terrorism from the same American surveillance programs that European institutions have been trying for twenty years to shut down.  The PCLOB report is a delightful takedown of European virtue-signaling, and I hope the Biden Administration gives the PCLOB a new name and mission in honor of the report.

The news roundup actually begins with a review of the US-China tech relationship and how it might change under a Biden administration. The Justice Department has given itself a glowing report card for its contribution to decoupling – by opening a new China-related counterintelligence case every 10 hours. I ask how long this can go on before China starts arresting American businessmen – something that will surely kick off another round of decoupling.

Speaking of decoupling, the latest legislation aimed at prison labor in China may be getting uncomfortably close to Apple, which is quietly lobbying to water down a bill that is expected to pass soon by overwhelming majorities. Megan Stifel and I conclude that the provision that probably scares Apple most is an obligation to make representations about whether the company’s products include parts made with prison labor. That is increasingly difficult to figure out as China has limited audits for such purposes, putting Apple in a tight spot. Sympathy for Tim Cook, however, is in short supply from our panel.

Speaking of legacy burnishing, the Trump White House has issued its own set of guidelines for federal agencies using artificial intelligence. Nick Weaver thinks they're actually not bad – light touch on most topics – which may be the nicest thing he’s said about a product of this White House in four years. Sticking with AI, Nick comments on the prospect for putting humans in the loop of AI decision making.  He thinks that’s a recipe for lousy AI, and that campaigns to get a “Human in the Loop” for lethal systems have already lost the technology fight. At best, he suggests, we can hope to have our poky old brains “on the loop” in future AI conflicts.

Some good news:  An IOT security bill that Megan and I both like (Megan more than I) has passed both houses of Congress and been sent to the President for signature. It only sets standards for the IOT that the federal government buys, but that’s a good first step.

As a former NSAer, I explain “GCHQ envy” to David, and he provides the latest reason why it should be rampant at the Fort this year, as the agency introduces a new offensive cyber unit to take on organized crime and hostile states.

David also takes on the question whether there’s a legal problem with the U.S. military buying location data from apps companies.  Short answer: Nope.

Megan explains a now-patched Facebook Messenger bug that would have allowed hackers to listen in on users. Nick tells us why the FBI needed to hire robots to retrieve sensitive files. Megan gives us some staggering statistics about the prevalence of ransomware. Hint: if you thought COVID-19 was a pandemic, you ain’t seen nothin’ yet. And I give a quick summary of the TikTok and WeChat ban litigation, where the government is unlimbering a host of new technical arguments.

I take a moment to give a shoutout to Sean Joyce, whose principles led him to walk away from what is probably going to be serious money when Airbnb goes public. The company’s leadership hired him as chief trust officer. Taking trust seriously, he argued for limits on when and how much data about individual users the company gave to the Chinese government.  But the debate reportedly ended when one of the founders declared, “We’re not here to promote American values.” That's not a good look for Airbnb, but the incident says a lot about Joyce, who left the company within weeks because he didn't share its principles.

And, finally, it turns out that the FCC is in its last weeks of Trump legacy burnishing; facing a deadline in January 2020, it had to choose between starting to write regulations about the scope of section 230 and dealing with foreign products in the 5G infrastructure.  It chose 5G.

And more.

Download the 339^th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week sees yet another Trump administration initiative to hasten America's decoupling from China. As with MIRV warheads, the theory seems to be that if you launch enough of them, the next administration can't shoot them all down.  Brian Egan lays out this week's initiative, which lifts from obscurity a DoD list of Chinese military companies and excludes the companies from U.S. capital markets. 

Our interview is with Frank Cilluffo and Mark Montgomery. Mark is Senior Fellow at the Foundation for Defense of Democracies and Senior Advisor to the congressionally mandated Cyberspace Solarium Commission. Previously, he served as Policy Director for the Senate Armed Services Committee under Senator John S. McCain—and before that served for 32 years in the U.S. Navy as a nuclear trained surface warfare officer, retiring as a Rear Admiral in 2017. Frank is director of Auburn University's Director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He served on the Cyberspace Solarium Commission and chaired the Homeland Security Advisory Council's subcommittee on economic security.

We talk about the unexpected rise of the industrial supply chain as a national security issue. Both Frank and Mark were moving forces in two separate reports highlighting the issue, as was I. (See also my op-ed on the same topic.) So, if we seem suspiciously in agreement on supply chain issues, it's because we are suspiciously in agreement on supply chain issues. Still, as an introduction to one of the surprise hot issues of the year, it's not to be missed.

After our interview in episode 336 of a Justice Department official on how to read Schrems II narrowly, you knew it was only a matter of time before we heard from Europe. Charles Helleputte reviews the European Data Protection Board's effort to give more authoritative and less comfortable advice to U.S. companies that want to keep relying on the standard contractual clauses. The Justice Department take on the topic manages to squeak through without a direct hit from the privacy bureaucrats.  Still, the EDPB (and the EDPS even more so) makes clear that anyone following the DOJ's lead is in for an uphill fight. (For those who want more of Charles's thinking on the topic, see this short piece.)

Zoom has been allowed to settle an FTC proceeding for deceptive conduct (claiming that its crypto was end to end when it wasn't, and more). Mark MacCarthy gives us details.  I throw shade on the FTC's failure to ask any serious national security questions about a company that deserves some. 

Brian brings us up to speed on TikTok.  Only one of the Trump administration penalties remains unenjoined. My $50 bet with Nick Weaver -- that CFIUS will overcome the judicial skepticism that IEEPA could not -- is hanging by a thread. Casey Stengel makes a brief appearance to explain why TikTok might win. 

Brian also reminds us that export control policymaking is even slower and less functional on the other side of the Atlantic, as Europe tries, mostly ineffectively, to adopt stricter limits on exports of surveillance tech. 

Mark and I admire the new Aussie critical-infrastructure cybersecurity initiative, for its clarity if not for its likely political appeal. 

Charles explains and I decry the enthusiasm of European courts for telling Americans what they can say and read on line, as an Austrian court tells Facebook to take down worldwide the description of an Austrian politician as belonging to a "fascist party." Apparently, we aren't allowed to say that political censorship is what members of a fascist party tend to advocate; but don't worry about our liability; we can't pronounce the plaintiff's name.  

So, in retrospect, how did the United States do in policing all the new cyberish threats to the 2020 election? 

• Brian gives the government credit for preventing foreign interference. I question the whole narrative of foreign interference, which didn't have much effect in 2016 or 2020 (other than the hack and dump operation against the DNC) but did align conveniently with Democratic messaging in both years (Hillary only lost because of the Russians! Ignore Trump's corruption allegations because they're just more Russian interference!).
• Mark and I wonder what Silicon Valley thinks it's accomplishing with its extended bans on political advertising after the election.  After all, it's almost always election season somewhere (see, e.g., Georgia).
• DHS's CISA did produce a detailed rumor control site that helped correct misunderstandings -- but may have corrected one too many of the President's tweets.  In consequence, Under Secretary Chris Krebs, familiar to Cyberlaw Podcast listeners, may be on the chopping block. That would be a shame for DHS and CISA; for Chris it's probably a badge of honor. Frank Cilluffo and Mark Montgomery weigh in with praise for Chris as well.

And more.

Download the 338th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

An excerpt from my latest Washington Post article:

The report of the Homeland Security Advisory Council will be posted here under Recommendations. The Cyberspace Solarium paper is here.