Skating on Stilts

Fresh from his launch of the Alperovitch Institute for Cybersecurity Studies, Dmitri Alperovitch kicks off this episode with a hopeful take on the 31-nation US-sponsored videoconference devoted to combatting ransomware. He and Nate Jones both think a coordinated international effort could pay off. I challenge Dmitri to identify one new initiative that this group could enforce, and he rises to the occasion.

Dmitri also previews one of the proposals for regulating Silicon Valley that might yet make it through Congress – a ban on "self-preferencing" by platforms that sell both their own and other people's products. It's all eerily similar to China's even more aggressive use of antitrust remedies against companies like meal delivery giant Meituan.

Tatyana Bolton, meanwhile, identifies a second front in the attack on Big Tech – regulation of algorithms. This leads us into a discussion of freedom of speech versus "freedom of reach" and a WSJ story on the weaknesses of Facebook's AI system for downrating (but only occasionally deleting) "hate speech." I argue that social media will ultimately rely even more heavily on AI-administered restrictions on user reach, if only as a way to make sure the victims of Silicon Valley censorship never realize how much their voices are being squelched.

Microsoft has given up its ambitions for LinkedIn's China operations, Dmitri notes, dropping the social media elements of the service and moving it closer to straight job listings. I argue that the retreat was overdetermined by the Chinese government's extraction of both financial and political concessions from Microsoft.

But if China is slowly poisoning its high-tech sector, why does a former Pentagon official think the U.S. has lost the AI race to China? Nate and I are cautiously skeptical of that view, not least because of the official's, uh, provenance.

In more news about Chinese regulation, it turns out that the Chinese ban on crypto-mining didn't quite reach the crypto miners using state resources.

Tatyana and I dig into WhatsApp's somewhat limited adoption of encrypted backups, and the policy's likely impact on law enforcement and criminals. Later, I also nod to the critique of "client-side scanning" (i.e., Apple's child porn solution) offered by All the Usual Cryptographers.

In comic relief, the governor of Missouri embarrasses himself by threatening criminal prosecution after a state website's security flaws are exposed by a reporter who seems to have done all the right things from a responsible disclosure point of view.

In other quick hits,

• I report on Facebook's appeal of the magistrate opinion unexpectedly gutting the Stored Communications Act for everyone who's ever been deplatformed by social media.  It's a workmanlike effort, but not as persuasive as fans of the SCA might have hoped. This could turn out to be real trouble for the SCA.
• Dmitri breaks down the federal government's plan to issue SD cards to all its employees for network access. It's a good idea, he thinks, but saying it will end phishing of employees is more fond hope than reasonable expectation.

Download the 379th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

I'm always looking for ways to talk about cyberpolicy without being a bore about it. Twenty-page think tank papers have their place, and I once wrote a book with over a thousand footnotes, but I started podcasting to make cyberpolicy a little more accessible.

Now I'm trying something that I hope will be even more fun – occasional cartoons. I was a big comic book fan in my youth, and in college I drew and published a few underground comix, so sooner or later it was inevitable that I'd return to the form as a way to talk about law and policy.  I couldn't draw in college and I still can't, but the Federalist Society's Regulatory Transparency Project (which takes no positions on particular legal and public policy matters) has kindly agreed to an experiment in turning my ideas into comic form. The experiment will last as long as the Project's patience and my enthusiasm do. In the meantime, I hope you enjoy them.

Here's the first, a commentary on Europe's data protection policy and just how neatly the European and Chinese penchants for discretionary punishments coincide.

The theme of this episode is the surge of creativity in the Biden administration as it searches for ways to regulate cybersecurity and cryptocurrency without new legislative authority. Paul Rosenzweig lays out the Department of Homeland Security's entries in the creativity sweepstakes: New (and frankly pretty modest) cybersecurity directives to the rail and air industry plus a much more detailed (and potentially problematic) set of requirements for pipeline companies. Matthew Heiman describes a Justice Department plan for enforcing cybersecurity rules for federal contractors that should chill the hearts of management: an initiative that raises the prospect of whistleblower suits under the False Claims Act for failure to disclose breaches to the government. I suggest that this means the notoriously short tenure of the Chief Information Security Officer (CISO) at large companies will now come with a built-in retirement compensation package.

Creativity in regulating cryptocurrency was signaled both by the White House, which is working on a broader and more coordinated regulatory approach and by the Justice Department, which is planning a major criminal investigative approach to the industry. Nick Weaver gives us the details.

Paul covers a remarkably creative assertion by the Committee on Foreign Investment in the United States (CFIUS) of jurisdiction over a Chinese firm's purchase of Magnachip, a semiconductor company with virtually no ties to the United States. Despite having no obvious skin in the game, CFIUS insisted on a CFIUS filing under President Trump and then vetoed the deal under President Biden. I suggest that the claim of extraterritorial jurisdiction, which in other circumstances might have annoyed South Korea, is in this case a good way for South Korea to avoid taking heat from China.

Paul explains why the Facebook outage was a much bigger deal than Americans realized. If you were living in Costa Rica, the loss of Facebook and WhatsApp, he says, could have greatly complicated every aspect of daily life, including calling the fire department or other emergency services.

Paul digs into the return of "hactivism" – not to mention the return of skepticism about hactivism. I marshal the evidence that the Pandora Papers were the result of hacks, not leaks – and roast the newspapers feasting on the data for their utter hypocrisy. Hey, Marty Baron, top editor at the Washington Post! We haven't forgotten that in reaction to the Democratic National Committee (DNC) leaks of 2016, you said

"Before reporting on the release of hacked or leaked information, there should be a conversation with senior editors about the newsworthiness of the information, its authenticity and whether we can determine its provenance... If a decision is made to publish a story about hacked or leaked information, our coverage should emphasize what we know—or don't know—about the source of the information and how that may fit into a foreign or domestic influence operation. Our stories should prominently explain what we know about the full context of the information we are presenting, including its origins and the motivations of the source, including whether it appears to be an effort to distract from another development."

We're still looking for that "full context" in the Pandora Papers or the Epik leaks.

Nick fills us in on Facebook's extreme reaction to the creation of a tool that allows users to escape the News Feed. I discover that I completely missed the central Facebook experience because I semi-inadvertently disabled the news feed.

Paul offers some surprising news about the limits of Artificial Intelligence (AI). Turns out, it's not that good even at some of the things it should be superb at, like radiology scanning.

Nick and I explore Google's acceptance of warrants seeking access to the identities of people using particular search terms. He thinks that this has gone on under the radar for some time because both government and Google think the public reaction will be bad for business.

Finally, in two quick hits:

• I brag that I now have proof that I'm one of the 14,000 Gmail users feared most by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU): Google caught the Russian spy agency trying to phish me with a doctored Word document.
• And Matthew reveals what the Russian SolarWinds hackers were looking for. Which leads to this bit of good news: U.S. sanctions are really getting under Putin's skin. 

And More!

Download the 378th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Industrial policy is all the rage in Washington, spurred by China's aggressive and sometimes successful use of industrial policy tools. I've lived through a few past enthusiasms for industrial policy, and I'm hoping this time we've learned lessons from the past.  That at least is the premise of my op-ed today in The Hill. Here's the lead:

At the start, we should recognize that letting governments pick economic winners and losers is wasteful, inefficient and corrupting. For the West, and open capital-market economies such as the U.S. and the UK, it’s hard to think of a worse policy — other than the alternative, which is to let China pick winners and losers for the world. 

So, we need a way to counter China without making a politicized mess of everyone’s economy. As they embark on that effort, here are six rules I’d commend to Western governments.

This is the meatiest episode in a long time, as Dmitri Alperovitch, Dave Aitel, and Mark MacCarthy go deep on the substance of a dozen stories or more. 

First up, Dmitri and I speculate on possible outcomes from the newly announced administration plan to convene 30 countries to crack down on ransomware. We also report on what may be the first confirmed death resulting from the equipment failures caused by ransomware – a newborn strangled by its umbilical cord because the hospital's usual electronic warnings weren't operating. 

Dmitri also explains a new cryptocurrency regulatory topic unrelated to its use in ransomware schemes – the move to ensure the financial stability of stablecoins. 

Dave weighs in on two surprising provisions of the House intel authorization bill. The first would respond to the Project Raven incident by imposing new controls on ex-spies working for foreign governments. No one is against the idea, but no one thinks that the problem is limited to alumni of a few intelligence agencies. And the bill’s sweep is far broader than cases like Project Raven. I fear that as written it may criminalize ex-spies giving security advice to Airbus, or perhaps even the Atlantic Council.

The second provision imposes requires reports on U.S. government purchases of computer vulnerabilities from foreign vendors. This leads to a discussion of which nation has the best offensive talent. Dave thinks the old champ has been decisively dethroned. 

In other legislative news, Dmitri covers the three committee drafts on cyber incident reporting, with special emphasis on the recently leaked bill from Senate Intel. It’s a very tough bill, perhaps designed to stake out negotiating room with the Homeland committees. I ask, “What’s the difference between Europe’s staggering fines for General Data Protection Regulation (GDPR) violations and this bill's fines for violating cyber reporting obligations?” The answer: "about two weeks," at which point the maximum fine due to the U.S. will exceed the top European fine.

Mark gives an overview and some prognostication about Google’s effort to overturn the EU’s $5 billion antitrust fine for its handling of Android. 

Dmitri and I find ourselves forced to face up to the growing soft power of Russia and China, now increasingly forcing Silicon Valley companies to project Russian and Chinese power into the West. Russia, having forced Apple and Google to send it hostages in the form of local employees, is trying to use its leverage to control what those companies do in countries like Germany. And Linkedin, the last Western social media company still standing in China, is trying to keep that status by asking Americans to self-censor their accounts.

At Dave’s request, we visit a story we missed last week and explore all the complex equities at work when the FBI decides whether to use ransomware keys for remediation or disruption.

Mark gives an overview of the new Federal Trade Commission, where regulatory ambition is high but practical authority weak, at least until the Senate confirms a third Democratic commissioner. Waiting in the wings for that event is a even more antitrust action, possible new online privacy rules and Commissioner Slaughter’s enthusiasm for imposing racial equity quotas under the guise of algorithmic fairness.

Dmitri offers his best guess about the recent Russian arrest of a cybersecurity executive for treason (that’s the second in five years if you’re counting) and the US decision to send a Russian scammer back to Russia after bitterly fighting to extradite him from Israel.

 In quick hits:

• Dmitri makes a public service announcement about the ways that Two-Factor Authentication (2FA) can be subverted. 

• I celebrate some good news for the U.S.: China is planning to encourage provincial controls on the design and use of social media algorithms. That’s bound to give US companies a new competitive advantage in a field where TikTok has surpassed them.

• Dave and I dissect the guilty plea of former Ethereum developer Virgil Griffith, accused of violating U.S. sanctions by giving a bland speech on cryptocurrency in North Korea.

• I give the highlights of two new and eminently contestable cyberlaw rulings:

• In U.S. v Wilson, the Ninth Circuit decided that law enforcement needs a warrant to open files that it knows from hashes are 99.9% certain to be child porn. The decision would be unfortunate if it weren’t meaningless; the hash itself provides probable cause, so warrants will be quickly and routinely issued. Thanks for the make-work, EFF!

• And a magistrate judge clearly gunning for promotion has written a Stored Communications Act opinion that empowers Silicon Valley’s Trust and Safety operatives to de-platform people and then turn their posts over to law enforcement without the subpoena they usually demand. I would worry more about those consequences if I thought the opinion would survive.  

• And, finally, Dmitri is pleased to find one field where AI is succeeding without controversy, as machine learning declares a famous Peter Paul Rubens painting, Samson and Delilah, to be a fake. But how long, I wonder, before this AI is forced by the FTC to correct its notorious anti-Flemish bias?

And More!

Download the 377th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, we welcome Nick Weaver back for a special appearance thanks to the time-shifting powers of podcast software. He does a sack dance over cryptocurrency, flagging both China's ban on cryptocurrency transactions and the U.S. Treasury's sanctioning of the SUEX crypto exchange.

Maury Shenk then explains the plans that the Biden administration and the EU have for Big Tech and the rest of us. Hint: it involves more content moderation in support of, er, democracy.  

Adam Candeub gives us a tour of the Wall Street Journal's deeply reported series on Facebook's difficulties managing the social consequences of, well, the internet, a responsibility that the press is determined to impose on the company. Among the quasi-scandals turned up by the Journal is the "secret elite" of users protected from Facebook's clunky and clueless content moderation algorithms. But really, in today's world, true power is all about escaping the algorithms otherwise imposed on us by various authorities. Every one of us aspires to join that elite. And perhaps we all can, if Ohio's Attorney General and its latest Senate candidate get their way, with a lawsuit to turn Google into a common carrier. (If that happens, we'll credit Adam, who wrote an amicus brief in support.)

And what's an elite without its hands on the levers of industry? China's embrace of national champions on the world stage has forced a rethinking in the West of industrial policy. Hence, the auto industry's commercial problem (they want cheap, plentiful, and antiquated chips for their cars) is suddenly a matter for White House meetings, and hints that the government might have its own supply allocation plans and powers.

In fact, regulating the private sector is so in vogue, as long as it's a tech-ish part of the private sector, that California barely made news when it imposed a new and almost undefinable regulatory obligation on warehouse companies like Amazon.  The law, requiring notice and imposing vague limits on production quotas, is at bottom, I argue, an attempt to put workers back on top of the algorithm – by demanding that it explain itself.

Maury next takes us to the heart of algorithmic power and our unease with it, explaining that Google now admits that it has no idea how to make AI less toxic.

In quick hits:

• The Washington whispers about Zoom's ties to China have grown louder, as the US government announces a national security review of Zoom's proposed acquisition of Five9 for $15 billion.
• Contrary to my understanding, at least one former intel operative who went to work for the United Arab Emirates in Project Raven landed very much on his feet – as CTO at ExpressVPN, though company employees are now expressing unhappiness about his history.
• And podcast regular Dmitri Alperovitch has an op-ed in the New York Times that (no surprise!) urges much tougher tactics in the fight against ransomware gangs.

Download the 376th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jordan Schneider rejoins us after too long an absence to summarize the tech policy coming out of Beijing today:  In essence, just about any Chinese government agency with a beef against a tech company has carte blanche to at least try it out. From Didi and others being told to stop accepting new users to cutting off Western IPOs, to forced contributions to common welfare, China's beefs with Big Tech sound a lot like those in the West (well, except for conservative complaints about AI-enabled censorship). What's different is that China has freed its agencies to actually throw a thousand buckets of sand in the gears of technology businesses. Jordan and I explore the downside of empowering agencies in this way. First, it makes the Chinese government responsible for an enormous and hard to govern part of the economy, as the government's problems with the overvalued property sector show. And it creates opportunities for companies that are better at politics than customer service to cripple their competitors.

In the U.S. something similar is afoot. Michael Weiner unpacks the new, amended complaint in FTC v. Facebook and concludes that the FTC has done a plausible job of meeting the objections that led the district court to throw out the first complaint. Then he lists several buckets of sand the Biden administration is dumping into technology merger law in the hope of slowing a massive acquisition boom: no longer granting early termination, insisting on future merger approvals in standard consent agreements, issuing "close at your own peril" letters when agencies haven't finished their review, and replacing the Vertical Merger Guidelines issued in June 2020 with, uh, nothing.

Pete Jeydel takes us on a tour of Project Raven and the deferred prosecution agreements imposed on three former U.S. government hackers who sold their services to the UAE and ended up way outside the bounds of U.S. law. The cases raise several novel legal issues, but one of the mysteries is why the prosecutors ultimately settled the cases without jail time. My guess? Graymail.

In quick hits and updates we note that:

• TikTok faces an Irish General Data Protection Regulation ("GDPR") probe over children's data and – more significantly – its transfers of data to China. What's most remarkable to me is how long TikTok staved off this scrutiny. Who says Donald Trump was bad for Chinese tech companies?
• President Biden has nominated a 5th Federal Trade Commission Commissioner. Alvaro Bedoya is a Georgetown Law professor who writes about privacy and face recognition. There's a lot of dumb stuff out there about AI bias and face recognition, but I'm pleased to say that it doesn't look as though Prof. Bedoya wrote any of it.
• The special prosecutor for Russia-Russia-Russia-gate has indicted a Perkins Coie lawyer for lying to the FBI general counsel while turning over a bunch of bogus evidence of Donald Trump's ties to Russia. Turns out, I know all of the principals in this drama; talk about uncomfortable.
• Captain Obvious, speaking for the FBI, acknowledged that there is "no indication" Russia has cracked down on ransomware gangs after President Biden yelled at Vladimir Putin about them.
• The 4th Circuit has tossed out Wikimedia's money-wasting lawsuit challenging National Security Agency's collection of overseas intelligence in the U.S.
• And Bolsonaro's ban on social media censorship of politicians has been doubly overturned, by both the Brazilian Senate and its Supreme Court, leaving Bolsonaro's decree in the same limbo as Florida's (and, probably soon, Texas's) effort to do something similar.

Download the 375th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The district court has ruled in the lawsuit between Epic and Apple over access to the Apple app store. Apple is claiming victory and Epic is appealing. But Apple's victory is not complete, and may have a worm at its core. Jamil Jaffer explains.

Surprised that ransomware gangs REvil and Groove are back – and thumbing their noses at President Biden? Dmitri Alperovitch isn't. He explains why U.S. ransomware policy has failed so far.

WhatsApp has finally figured out how to let users encrypt their chat backups in the cloud, to the surprise of many users who didn't realize their backups weren't encrypted. Meanwhile, the UK is looking for ways to hammer social media over end-to-end encryption.

Speaking of the encryption debate, Dmitri notes that Proton Mail joined the scrum this week, in a way it no doubt regrets. After all its bragging that mail users' privacy is "protected by Swiss law," Proton Mail disclosed that Swiss law can be surprisingly law enforcement friendly. Responding to a French request through Europol, Swiss authorities ordered the service to collect metadata on a particular account and overrode what had been seen as a Swiss legal requirement that users be notified promptly of such actions.

Is China suffering from GRU envy? I ask and David Kris answers: It sure looks that way, as China has begun trying to rally Chinese in America to support Chinese government positions on things like the origin of COVID. So far, China's record of success is as dismal as Russia's GRU, which has been unable to directly incite social conflict in the US, but I argue that China's effort poses a bigger problem for the body politic and for Chinese American interest groups.

Who'd have guessed? Turns out that the EU's flakey General Data Protection Regulation ("GDPR") prohibition on allowing automated decision making to affect people directly isn't just a twee nostalgia exercise; it's yet another reason that Europe is being left behind in the technology race. Jamil reports on a high-powered UK task force recommendation that the Brits dump the provision in order to allow for the growth of a British AI industry.

Brazilian President Jair Bolsonaro has banned social networks from removing political posts. David and I debate the meaning of the move for global internet governance.

And in a few quick hits:

• I praise the Biden administration (faintly) for finally kicking off serious negotiations with the EU about transatlantic data transfer.
• Dmitri dissects the undiplomatic speech of China's ambassador to the U.S.
• David downloads the inside poop on smart toilets. Among other things, they'll be identifying us with, uh, let's just call it the opposite of facial recognition. Which raises the question: Once they can identify us, how long before "woke" Silicon Valley toilet engineers start canceling those of us who commit the microaggression of leaving the toilet seat up?
• And Dmitri offers his solution for the dual European Community ("EC") encryption story.

And More!

Download the 374th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Back at last from hiatus, the podcast finds a host of hot issues to cover. Matthew Heiman walks us through the many ways that China and the US found to get in each other's way on technology. China's new data security and privacy laws take effect this fall, and in keeping with a longstanding theme of the podcast – that privacy law is mostly about protecting the privilege of the powerful -- we muse on how legal innovations in the West have empowered China's rulers. The SEC is tightening the screws on Chinese companies that want to list on American exchanges. Meanwhile, SenseTime is going forward with a $2 billion IPO in Hong Kong despite being subject to the stiffest possible Commerce Department sanctions. Talk about decoupling!

In Washington, remarkably, a bipartisan breach notification law is moving through both House and Senate. Michael Ellis explains the unorthodox (but hardly unprecedented) path the law is likely to take – a "preconference" followed by incorporation into the defense authorization bill scheduled to pass this fall.

I ask Brian Egan about tech fallout from the fall of the U.S.-backed regime in Afghanistan. All things considered, it's modest. Despite hand-wringing over data left behind, that data may not be really accessible to the Taliban. Google isn't likely to turn over government emails to the new regime, if only because US sanctions make that legally risky. The Taliban's use of WhatsApp is likely to suffer from the same sanctions barrier.  I predict a Taliban complaint that sanctions are forcing it to run a twelfth century regime with twentieth century technology.

Meanwhile, Texas Republicans are on a roll, as Dems forced to return to the State House sit on their hands. Texas has adopted a creative and aggressive antiabortion law, and tech companies have responded by canceling services for pro-life groups and promising to defend gig workers who are caught up in litigation. Texas has kept pace, adopting a bill that limits Silicon Valley censorship of political speech; it raises many of the same issues as the Florida statute, but without Florida's embarrassing prostration before the Disney theme park empire. I ask whether Texas could have used the same tactics for its interpretation of section 230 that it used in the abortion bill – authorizing private suits but not government enforcement. Such tactics work when there is a real possibility that the Supreme Court will overturn some circuit rulings, and section 230 is ripe for exactly that.

Matthew Heiman and I debate whether the Justice Department's dropping of several Chinese visa fraud cases heralds a retrenchment in Justice's China Initiative.

Michael and I dig into the Apple decision to alienate the privacy lobby in an effort to do something about child sex abuse material on iPhones – and Apple's recent decision to alienate the rest of the country by casting doubt on whether it would in fact make an effort to do something about child sex abuse material on its phones.

Finally, in quick hits, Brian doubts the significance of claims that the Israeli government is cracking down on NSO Group over spyware abuse. Michael picks apart the Cyberspace Solarium Commission's report card on Congress's progress implementing the Commission's recommendations. And Brian highlights the UK's new and much tougher version of CFIUS, the National Security and Investment Act 2021. I turn that into career advice for our listeners.

Download the 373rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The CIA's long-time acting general counsel, John Rizzo, died suddenly earlier this month. Lawfare published my tribute to the man, reproduced below.

John Rizzo and I shared a path that goes back more than 50 years. We had parallel careers in the intelligence community and then in private practice at Steptoe & Johnson, but we first met as undergrads at Brown. John used to joke that this accounted for our good working relationship. The 1960s gave us each a bottomless fund of kompromat.

In fact, the real secret was John’s deep reserve of institutional wisdom disguised as tart irony. In this regard, John’s book, “Company Man,” is as true to the man as any memoir ever written. It captures his refusal to take himself too seriously while taking with utmost seriousness his responsibility to apply the law to intelligence operations. For decades he was the last word on what CIA operatives could and could not do within the law. He knew that these judgments were as much about political prognostication as about applying abstract principles of law, and that critics of the American intelligence agencies would always second-guess his conclusions.

So he clearly foresaw the political winds that would prevent his formal promotion to CIA general counsel, though he had probably been the agency’s de facto top lawyer longer than anyone who actually held the title. He knew that using harsh interrogation techniques would sooner or later make the agency vulnerable to claims of lawlessness and torture. He may not have been convinced that the techniques in question would be crucial to preventing another attack or defeating Al-Qaeda, but he was clear that the final call should not be made by lawyers. He threw everything into the effort to give the nation’s leaders room to make the decision, including, it turned out, his own reputation.

I never heard John complain about the outcome of that chapter in his career. He was disappointed but not surprised by the attacks on the agency or on him. I think he was satisfied that he’d done his best to protect his institution from the kind of scandal that had engulfed it so often in the past. And events have largely proved him right.

He brought to that final chapter the same gentle humor that stirred realism into all his legal advice over the years. He even predicted—accurately—that his critics would use his obituary to get in a few last kicks.

John’s irony was a bit like President Truman’s 1948 “Give ’em hell, Harry” campaign. Truman insisted, “I never did give them hell. I just told the truth, and they thought it was hell.” So it was with John Rizzo. He just told the truth, and everyone treated it as humor.

I’m going to miss that. Just days before his death, John and I were exchanging messages about tricky intelligence law issues. His vision of how politics and law would shape the answer was as clear and humor-tinged as ever. But some hard truths cannot be softened by irony. The death of John’s wife, Sharon, in April of this year was one. If the official cause of his death was a heart attack, the more accurate cause was a broken heart. In the end, even knowing that he’d done his duty as he saw it was not enough to keep him going.

That’s true of us all, of course. The British political leader Enoch Powell once said that all political careers end in defeat. Certainly all public lives end in death. What matters is not the ending but the doing. Judged in that light, John’s is a life to be proud of.

The Biden administration’s effort to counter ransomware may not be especially creative, but it is comprehensive. The administration is pushing all the standard buttons on the interagency dashboard, including creation of a high-level task force and a $10 million reward program (but not including hackback authority for victims, despite headlines suggesting otherwise). And all the noise seems to be having some effect, as the REvil ransomware gang's web sites have mysteriously shut down. Nick Weaver reminds us (in song, no less) that the government’s efforts to stop scourges like Trickbot have a distinct whiff of Whac-a-Mole, and the same may be true of REvil.

Our interview is with Josh Steinman, who served as the National Security Council’s Cybersecurity Senior Director for the entire Trump administration. He offers his perspective on the issues and the personalities that drove cybersecurity policy in those chaotic years. As a bonus, Josh and I dig into his public effort to find a suitable startup, an effort we have to cut short as I start getting too close to one of the more promising possibilities.

Maury Shenk covers the Biden administration’s belated but well-coordinated international response to China’s irresponsible Microsoft Exchange hack, including the surprising revelation that China may be back to hacking like it’s 1999 – relying on criminal hackers to serve the government’s ends.

In other China news, Maury Shenk and Pete Jeydel catalog the many ways in which the current Chinese regime is demonstrating its determination to bring China’s tech sector to heel. It’s punishing Didi in particular for launching a U.S. IPO despite go-slow signals from Beijing. It’s imposing cybersecurity reviews on other companies that IPO outside China.  And it seems to be pressing for competition concessions that the big tech companies would have successfully resisted a few years ago.

It was a big week for state-sponsored attacks on secure communications. Nick and I dig in the FBI and Australian federal police coup in selling ANOM phones to criminal gangs. Previewing a forthcoming article for Lawfare, I argue that the Australian police may have to answer tough questions about whether their legal authority for the phone’s architecture really avoided introducing a systemic weakness into the phone’s security.

Law enforcement agencies around the world could face even tougher questions if they’ve been relying on NSO or Candiru, Israeli firms that compromise mobile phones for governments. Both firms have been on the receiving end of harsh forensics analyses from Amnesty International and Citizen Lab. Nick thinks the highly specific and centralized target logs are particularly a problem for NSO’s claims that it doesn’t actually know the details of how its malware is deployed.

Pete Jeydel tells us that the administration is learning to walk and chew gum on cybersecurity at the same time. While coordinating pushes on Chinese and Russian hacks, it also managed to get big chunks of the government to turn in their federal cybersecurity homework on time. Pete talks us through one of those assignments, the NTIA’s paper setting minimum elements for a Software Bill of Materials.

It wouldn’t be the Cyberlaw Podcast without a brief rant on content moderation. The Surgeon General claimed this week that “Misinformation takes away our freedom to make informed decisions about our health.” He didn’t say that administration censorship would give us our freedom back, but that seems to be the administration’s confident view, as the President, no less, accused Facebook of “killing people” by not jumping more quickly to toe the CDC’s official line. (He later walked the accusation back.)

And if you thought the censorship would stop with social media, think again.  The White House is now complaining that telecom carriers also should be screening and suppressing text messages that are hostile to vaccinations.

Finally, just to show that the world has truly turned upside down, Maury reminds me that a German – German! – court has fined American social media for violating freedom of expression by too enthusiastically censoring a lockdown protest video.

Pete tells us what’s in the new Colorado privacy bill. Short version: it joins Virginia in some of hosing down California’s excesses.

And in short takes:

• Maury explains Vietnam's version of China’s fifty-cent army.

• Nick explains why Psiphon is a better tool for evading Cuban censorship that the sleaze-infested Tor system.

• Maury updates me on the European Parliament LIBE committee’s latest proposal for accepting the U.S. intelligence community’s transatlantic surrender on data flows.

• And Pete tells us that the SEC may finally be putting the screws to companies that have been lax about reporting breaches to their investors.

And More!

Download the 371st Episode (mp3)  

Reminder: this is the last regular episode before our August hiatus, although we will do at least one episode on cryptocurrency in coming weeks.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We begin the episode with the Biden administration’s options for responding to continued Russian ransomware outrages. Dmitri Alperovitch reprises his advice in the Washington Post that Putin will only respond to strength and U.S. pressure.  I agree but question whether the U.S. has the tools to enforce another set of red lines, given Putin’s enthusiasm and talent for crossing them. If jumping U.S. red lines were an Olympic sport, Russia would have retired the gold by now. Dmitri further reminds us that Russian cooperation against cybercrime remains a mirage. He also urges that we keep the focus on ransomware and not the more recent attempt to hack the Republican National Committee.

The Biden White House has been busy this week, or at least Tim Wu has. When Wu took a White House job as “Special Assistant to the President for Technology and Competition Policy,” some might have wondered why he did it. Now, Gus Hurwitz tells us, it looks as though Wu was given carte blanche to turn his recent think tank paper into an Executive Order.  It’s a kitchen sink full of proposals, Mark MacCarthy notes, most of them more focused on regulation than competition. That observation leads to a historical diversion into the way a Brandeisian competition policy aimed at breaking industry into smaller competitors ended by creating big regulatory agencies and bigger companies to match.

We had to cover Donald Trump’s class actions against Twitter, Facebook, and Google, but if the time we devoted to writing about the lawsuits was proportionate to their prospects for success, we’d have already stopped.  

Mark gives more time to a House Republican leadership plan to break up Big Tech and stop censorship. But the plan (or, to be fair, the sketch) is hardly a dramatic rebuke to Silicon Valley – and despite that fact it isn’t likely to get far. Divisions in both parties’ caucuses now seem likely to doom any legislative move against Big Tech in this Congress.

The most interesting tech and policy story of the week is the Didi IPO in the U.S., and the harsh reaction to it in Beijing. Dmitri tells us that the government has banned new distributions of Didi’s ride-sharing app and opened a variety of punitive regulatory investigations into the company. This has dropped Didi’s stock price, punishing the U.S. investors who likely pressed Didi to launch the IPO despite negative signals from Beijing.

Meanwhile, more trouble looms for the ride-sharing giant, as Senate conservatives object to Didi benefiting from U.S. investment and China makes clear that Didi will not be allowed to provide the data needed to comply  with U.S. stock exchange rules.

Mark and Gus explain why 37 U.S. states are taking Google to court over its Play Store rules -- and why, paradoxically, Google’s light hand in the Play store could expose it more to antitrust liability than Apple’s famously iron-fisted rule.

Dmitri notes the hand-wringing over the rise of autonomous drone weapons but dismisses the notion that there’s something uniquely new or bad about the weapons (we’ve had autonomous, or at least automatic, submarine weapons, he reminds us, since the invention of naval mines in the fourteenth century).

In quick hits;

• Gus and Dmitri offer dueling perspectives on the Pentagon’s proposal to cancel and subdivide the big DOD cloud contract.
• Gus tells us about the other Fortnite lawsuit against Apple over its app store; this one is in Australia and was recently revived.
• As I suspected, Tucker Carlson has pretty much drained the drama from the tale of having his communications intercepted by NSA. Turns out he’s been seeking an interview with Putin. And no one should be surprised that the NSA might want to listen to Putin.
• The Indian government is telling its courts that Twitter has lost its 230-style liability protection in that country. As a result, it looks as though Twitter is rushing to comply with Indian law requirements that it has blown off so far. Still, the best part of the story is Twitter’s appointment of a “grievance officer.” Really, what could be more Silicon Valley Woke? I predict it’s only a matter of months before the Valley fills with Chief Grievance Officers and the Biden administration appoints one for the United States.
• And, finally, I give the EU Parliament credit for doing the right thing in passing legislation that lets companies look for child abuse on their platforms. Readers may remember that the problem was an EU privacy rule that threatened to prevent social media from monitoring their platforms for abuse, not just in Europe but around the world. To make sure we knew that it is still the same feckless EU Parliament as before, the law was grudgingly adopted only after giving child abusers a six-month holiday from scrutiny and was scheduled to expire in three years, by which time the Parliament seems to think it can stop worrying about the sexual abuse of children and get back to imposing privacy requirements on the United States that none of its Member States observe.

And More!

Download the 370th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We begin the episode with a review of the massive Kaseya ransomware attack. Dave Aitel digs into the technical aspects while Paul Rosenzweig and Matthew Heiman explore the policy and political  implications. But either way, the news is bad.

The news was also bad for Gov. DeSantis's Florida 'deplatforming' law, which a Clinton appointee dispatched in a cursory opinion last week. I've been in a small minority who thinks the law, far from being a joke, is likely to survive (at least in part) if it reaches the Supreme Court. Paul challenges me to put my money where my mouth is. Details to be worked out, but if a portion of the law survives in the top court, Paul will be sending a thousand bucks to Trumpista nonprofit. If not, I'll likely be sending my money to the ACLU. 

Surprisingly, our commentators mostly agree that both NSA and Tucker Carlson could be telling the truth about the claim that NSA has at least a few of Carlson's communications. Sadly, this will disappoint partisans for both, since each thinks that the other must be lying. In the process, NSA gets unaccustomed praise for its … wait for it … agile and savvy response. That's got to be a first.

Paul and I conclude that Maine, having passed in haste the strongest state facial recognition ban yet, will likely find itself repenting at leisure.  

Matthew decodes Margrethe Vestager's warning to Apple against using privacy, security to limit competition.

And I mock Apple for claiming to protect privacy while making employees wear body cams to preserve the element of surprise at the next Apple product unveiling. Not to mention the 2-billion-person asterisk hanging off Apple's commitment to human rights.

Dave praises NSA for its stewardship of a popular open source reverse engineering tool, Ghidra.

And everyone has a view about cops using YouTube's crappy AI takedown engine to keep people from posting videos of their conversations with cops.  

And More!

Download the 369th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode offers an efficient overview of the six antitrust reform bills reported out of the House Judiciary Committee last week. Michael Weiner and Mark MacCarthy give us the top line for all six (though only four would make substantial new policy). We then turn quickly to the odd-couple alliances supporting and opposing the bills, including my brief cameo appearance as an exhibit in Rep. Jim Jordan’s opposition to the bills, on the gratifying ground (ok, among others) that they gave Microsoft a free ride even though Microsoft had never explained its suppression of my recent LinkedIn posts. On the whole, I think Rep. Jordan is right; there’s very little in these bills that will encourage the kind of competition that produces a diversity of political viewpoints on social media.

Nick Weaver trashes the FBI for its prosecution of Anming Hu. I’m more sympathetic to the investigators, but neither of us thinks this will end well for the Bureau or the Justice Department's China Initiative.

Adam Candeub makes his second appearance on the podcast and does a fine job unpacking three recent decisions on the scope of Section 230. The short version: Facebook only partly beat the rap for sex trafficking in the Texas Supreme Court; SnapChat got its head handed to it in the speed filter case; and all the Socials fended off charges of assisting terrorists (but only over persuasive dissents).

The long version: Silicon Valley has sold the courts a bill of goods on Section 230 for reasons that sounded good when the Internet was shiny and democratic and new. Now that disillusion has set in, the sweeping subsidy conferred by 230 and remarkably expanded by the courts is looking a lot less socially valuable. The wheels aren’t coming off Section 230 yet, but the paint is peeling and the lugnuts are loose. Big Tech’s failure to get their reading of the law blessed by the Supreme Court ten years ago is going to cost them sooner or later – mainly because their reading is inconsistent with good policy and basic rules of statutory interpretation.

Nick and I mull over the torture indictments of executives who sold internet wiretapping capabilities to the Qaddafi regime.

Mark is unable to hose down my rant over Canada’s bone-stupid effort to impose Canadian content quotas on the internet and to saddle Canada with an online hate speech law of monumental vagueness.

Finally, in closing, Nick and I bid an appropriately raucous and conflicted adieu to the Hunter Thompson of Cybersecurity,  John McAfee.

And More!

Download the 368th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We could not avoid President Biden’s trip to Europe this week. He made news (and perhaps a little progress) on cybersecurity at every stop. Nick Weaver and I dig into the President’s consultations with Vladimir Putin, which featured veiled threats and a modest agreement on some sort of continuing consultations on protecting critical infrastructure.  Jordan Schneider sums up the G7 and NATO statements aligning with U.S. criticisms of China. And our newest contributor, Michael Ellis, critiques the EU-U.S. consultations on technology, which featured a complete lack of U.S. resolve in seeking an outcome on transatlantic data flows that would preserve US intelligence capabilities.

Michael also recaps the latest fallout from the Colonial Pipeline ransomware shutdown – new regulatory initiatives from TSA and a lot of bipartisan regulatory proposals in Congress. He's not as supportive as I am. In that context, I explain the very unusual (or, maybe, all too usual) meaning given to “bipartisanship” on Capitol Hill.

Nick is not exactly mourning the multiple hits now being suffered by ransomware insurers, from unexpected losses to the ultimate in concentrated loss – gangs that hack the insurer first and then systematically extort all its ransomware insurance customers.

Jordan sums up China’s new data security law. He suggests that, despite Western reporting, which emphasizes a "government control of data" narrative, the motive for the law may be closer to the motive for data protection laws in the West – consumer suspicion over how private data is being used. I’m less convinced, but we have a good discussion of how bureaucratic imperatives and bureaucratic competition work in the Peoples Republic of China.

Michael and Nick dig into the White Paper on FISA applications published by Adam Klein, outgoing chairman of the Privacy and Civil Liberties Oversight Board. Notably, to my mind, the White Paper doesn't support the Justice Inspector General’s suggestion that the FISA process is riddled with error. The paper does call urgently for renewal of the expired FISA section 215 authority, and it suggests several constructive changes to the FISA paperwork flow.

In quick hits, Michael brings us up to date on the FCC’s contribution to U.S. decoupling from China: a unanimous vote to exclude Chinese companies from the U.S. telecom infrastructure and a Fifth Circuit decision upholding the FCC's exclusion of Chinese companies from federal subsidies for U.S. telecom carriers.  Finally, Jordan reminds us just how much progress China has made in exploring space.

And More!

Download the 367th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week the Business Software Alliance issued a new report on AI bias. Jane Bambauer and I come to much the same conclusion: It is careful, well-written, and a policy catastrophe in the making. The main problem? It tries to turn one of the most divisive issues in American life into a problem to be solved by technology. Apparently because that has worked so well in areas like content suppression. In fact, I argue, the report will be seen by many, especially in the center and on the right, as an effort to impose racial and gender quotas by stealth in a host of contexts that have never been touched by such policies before.

Less controversial, but only a little, is the U.S. government's attempt to make government data available for training more AI algorithms. Jane more or less persuades me that this effort too will end in tears -- or stasis.

In cheerier news, the good guys got a couple of surprising wins this week. While encryption and bitcoin have posed a lot of problems for law enforcement in recent years, the FBI has responded with imagination and elan, at least if we can judge by two of the week's stories. First, Nick Weaver takes us through the laugh-out-loud facts behind a government-run encrypted phone app for criminals complete with influencers, invitation-only membership, and nosebleed pricing to cement the phone's exclusive status. Jane Bambauer unpacks some of the surprisingly complicated legal questions raised by the FBI's creativity.

Paul Rosenzweig lays out the much more obscure facts underlying the FBI's recovery of much of the ransom paid by Colonial Pipeline. There's no doubt that the government surprised everyone by coming up with the private key controlling the bitcoin account. We'd like to celebrate the ingenuity behind the accomplishment, but the FBI isn't saying how it gained the access, probably because it hopes to do the same thing again and can't if it blows the secret. 

The Biden administration is again taking a shaky and impromptu Trump policy and giving it a sober interagency foundation.  This time it's the TikTok and WeChat bans. These were rescinded last week. But a new process has been put in place that could restore and even expand those bans in a matter of months. Paul and I disagree about whether the Biden administration will end up applying the Trump policy to TikTok or WeChat or to a much larger group of Chinese apps.

For comic relief, Nick regales us with Brian Krebs's story of the FSB's weird and counterproductive attempt to secure communications to the FSB's web site.

Jane and I review the latest paper by Bruce Schneier (and Henry Farrell) on how to address the impact of technology on American democracy. We are not persuaded by its suggestion that our partisan divide can best be healed with understanding, civility, and aggressive prosecutions of Republicans.

Finally, everyone confesses to some confusion about the claim that the Trump Justice Department breached norms in pursuing phone and internet records of prominent Democratic congressmen and at least one Trump administration official. Best bet: this flap will turn out to be less interesting the more we learn. But I renew my appeal, this time aimed at outraged Democrats, for more statutory guardrails and safeguards against partisan misuse of national security authorities. Because that's what we'll need if we want to keep those authorities on the books.  

And More!

Download the 366th Episode (mp3)

If you are reading this and wondering why you haven't received episode 366 on your iPhone, it's because Apple's podcast subscription service has melted down. It didn't deliver episode 365 either. Really, it's time to subscribe to The Cyberlaw Podcast using a reliable method, which iTunes is not.  Try  Spotify, Pocket Casts, or one of a dozen other services that work.

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Biden administration is dribbling away one of the United States' most important counterterrorism intelligence programs. At least that's my conclusion from this episode's depressing review of the administration's halting and delusion-filled approach to the transatlantic data crisis. Every day, Silicon Valley companies whose data stores in the US have been a goldmine for counterterrorism are feeling legal pressure to move that data to Europe. Those companies care little whether the US gets good intelligence from its section 702 requests, at least compared to their fear of massive fines and liability in Europe. The EU is standing firm because it thinks time is on its side, and it's ignoring Jamil Jaffer's heartfelt plea to be a better ally in the face of Russian and Chinese pressure.

So, unless the administration creates a countervailing incentive, the other actors will simply present Washington with a fait accompli. The Biden administration, like the Trump administration before it, seems unable to grasp the need for action. When Trump was in charge, we could call him incompetent. When we wake up to what we've lost under Biden, that's what we'll call him, too.

For companies struggling with their role in this global drama, Charles Helleputte has moderately good news. The European Commission, contrary to the dogmatic approach of the data protection agencies, has opened a door for transfers using the new standard corporate clauses. If your data has not been requested by the US under 702 or similar authorities and you can offer good reason to think they won't in future, you can avoid the ban.

In other news, Jamil and I cross swords on whether the Colonial pipeline hack should have ended TSA's light-touch oversight of pipeline cybersecurity.

And Nate Jones and I dig deep into the state laws regulating police access to DNA ancestry databases. After some fireworks, we come close to agreement that some state law on database access is inevitable and workable, but the Maryland law is so hostile to solving brutal crimes with DNA searches that it is hard to distinguish from a ban.

Jamil explains the Biden administration's decision to provide a new foundation for the Trump ban on investment in Chinese military companies. Treasury will take the program away from DOD, which had handled its responsibilities with the delicacy of Edward Scissorhands.

Nate limbers up the DeHype Machine to put in perspective DOJ's claim to be giving ransomware hacks the same priority as terrorism. Jamil takes on autonomous drones and pours cold water on the notion that DOD will be procuring some of its drones from China.

In a moment of weakness I fail to attack or even mock the UN GGE's latest report on norms for cyberconflict, which look pretty anodyne.

And in a series of quick hits:

• Jamil reviews Facebook's latest antitrust problems in the EU and UK
• I remind listeners of the "throuple" Congresswoman, whose failed pivot from abuser of power to victim of revenge porn has just cost her over $100,00  
• In case you haven't heard, Facebook might let Trump come back in January 2023, and his blog page has shut down for good.
• The European Commission has proposed a trusted and secure Digital Identity for all Europeans but Charles thinks there's less there than meets the eye.
• And Nigeria has suspended Twitter after the platform shut down the President's account for obliquely threatening military action against secessionists.
• And More!

Download the 365th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We don't get far into the interview of the authors of a widely publicized Ransomware Task Force report, before I object that most of its recommendations are boring procedural steps that don't directly address the ransomware scourge. That prompts a vigorous dialogue with Philip Reiner, Executive Director of the Institute for Security and Technology (IST), the report's sponsoring organization, with Megan Stifel, of the Global Cyber Alliance, and with Chris Painter, of The Global Forum on Cyber Expertise Foundation. And in the end we in fact find several new and not at all boring recommendations among the nearly 50 put forward in the report.

In the news roundup, Dmitri Alperovitch has an answer to my question, "Is Putin finally getting a handle on U.S. social media?" Not just Putin, he argues, but every other large authoritarian government is finding ways to bring Google, Twitter, and Facebook to heel. In Russia's case, the method is first a token fine, then a gradual throttling of service delivery that makes domestic competitors look better in comparison to the Silicon Valley brand. Silicon Valley may have invented the shadow ban, but Putin is perfecting it.

Mark MacCarthy handicaps the Epic v. Apple lawsuit. The judge is clearly determined to give both sides reason to fear that the case won't go well for them. Our best guess is that Epic might get some form of relief but not the outcome they hoped for.

Dmitri and I marvel at the speed and consensus in Washington around imposing new regulations after the Colonial Pipeline ransomware event. It's likely that the attack will spur mandatory reporting of cyber incidents (and without the pain-easing award of liability protection) as well as aggressive security regulation from the agency with jurisdiction – TSA.  I offer a cynical Washington perspective on why TSA has acted so decisively.  

Mark and I dig into the signing and an immediate lawsuit against Florida's social media regulation attacking common content moderation issues. Florida will face an uphill fight, but neither of us is persuaded by the tech press's claim that the law will be "laughed out of court."  There is a serious case to be made for almost everything in the law, with the exception of the preposterous (and probably severable) exemption for owners of Florida theme parks.

Dmitri revs up the DeHyping Machine for reports that the Russians responded to Biden administration sanctions by delivering another cyberpunch in the form of hijacked USAID emails. It turns out that the attack was garden variety cyberespionage, that the compromise didn't involve access to USAID networks, that it was launched before the latest round of Russia sanctions, and that it wasn't very effective as cyberespionage.

Jordan Schneider explains the surprisingly successful impact of U.S. government policy on China's cellular-equipment industry, and the appeal of Open RAN as a way of end-running the current incumbents.

U.S. industrial policy could be transformed by the shape-shifting Endless Frontier Act. Jordan and Dmitri explain how. I ask whether we're seeing a deep convergence on industrial policy on both sides of the Pacific, now that President XI has given a speech on tech policy that could have been delivered by half a dozen Republican or Democratic senators.  

Finally, Dmitri reviews the bidding on cryptocurrency regulation both at the White House White House and in London.

Finally, in short hits, we cover:

• The European Court of Human Rights decision squeezing but not quite killing GCHQ's mass data interception programs and its cooperation with the U.S. I offer a possible explanation for the court's caution.
• A Justice Department court filing strongly suggesting that the Biden administration will not be abandoning a Trump administration rule that requires visa applicants to register their social media handles with the U.S. government.  I speculate on why.
• A WhatsApp decision not to threaten its users to get them to accept the company's new privacy terms. Instead, I argue, WhatsApp will annoy them into submission.
• And, finally, a festival of EU competition law attacks on Silicon Valley, from Brussels to Germany and France.

And More!

Download the 364th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Paul Rosenzweig kicks off the news roundup by laying out the New York Times's brutal story on the many compromises Tim Cook's Apple has made with an increasingly oppressive Chinese government. There is no way to square Apple's grandstanding opposition to US national security measures with its quiet surrender to much more demanding Chinese measures. I suggest that the disparity can only be explained if Tim Cook is in fact Dorian Gray and storing his portrait behind the Great Firewall. 

Ransomware hasn't stopped making news, Paul tells us, with Irish hospitals the latest to take the fall. Nate Jones assesses the likelihood (low) that governments will effectively ban  payment of ransomware. And Paul points out that, while cryptocurrency may be facilitating crime, at least it's also warming the planet, as an entire American power plant is taken out of mothballs to power cryptocurrency mining operations.

Governments are increasingly cracking down on cryptocurrency, and Paul gives us one week of news in new regulation: China has reiterated its opposition to unregulated access to crypto. The IRS is threatening action against unreported transactions in cryptocurrency. And Hong Kong plans to restrict crypto exchanges to professional investors. 

Another 60+ pages from the FISA court approving the executive branch's section 702 procedures. With Nate on the job, you don't need to read it all, or rely on the ideologically motivated criticism of privacy groups. Nate tells us that in approving the 702 procedures the FISA court has much less leeway than a court usually does in reviewing federal agency action (with a hat tip to a good analysis by NSA alum George Croner).   

Jamil Jaffer bemoans the enthusiasm sweeping Europe for sticking it to US (but not Chinese) tech companies under a variety of competition law theories. Google has been fined just over €100 million by Italy's antitrust watchdog for abuse of a dominant market position in Android auto apps. And Germany is readying big guns for an attack on Amazon's market dominance. I point out that American policyholders seem to share this enthusiasm, at least judging from the questions the presiding judge in Epic v. Apple posed this week to Tim Cook.

Nate and I explore Apple's apparent decision to let Parler back into the app store. (And, given the enthusiasm for regulating such dual-facing markets like the app store on antitrust grounds, that decision would be wise.) But Apple is still demanding that Parler block speech that Parler doesn't think it should be blocking.

We wrap up with a few quick hits:

• Looking for a cheap way to defeat ransomware?  Brian Krebs has a "might not work but what do you have to lose?" idea: install a Russian keyboard layout on your computer (although with my luck, the ransomware will translate all my files into Russian).
• Andy Greenberg has a good retrospective on the OG supply chain hack: the Chinese theft of RSA's core security seeds.
• Dangling the other shoe: The UK's head of MI5 isn't mincing words. Ken McCallum is accusing Facebook of giving a 'free pass' to terrorists by adopting end-to-end crypto for its messaging app. Sooner or later, this is going to end in tears.
• And we all agree that the Biden administration was lucky to persuade Matt Olsen to leave Uber to become head of DOJ's National Security Division.

And More!

Download the 363rd Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview is with Brandon Wales, acting head of the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Jen Daskal, Deputy General Counsel for Cyber and Technology Law at DHS. We dig deep into the new Executive Order on cybersecurity.  The EO is focused largely on how the federal civilian government protects its networks, and it is just short of revolutionary in overcoming longstanding turf fights, almost all of which are resolved in favor of CISA – to the point where it seems clear that CISA is on its way to being the federal civilian agencies' CISO, or Chief Information Security Office.

This is clearly CISA's moment. It is getting new authorities from the President and new money from Congress. Whether it can meet all the expectations that these things bring is the question.

We also touch on parts of the EO that will affect the private sector, from its determined push for breach and other incident reporting in federal contracts to the formation of a Cyber Safety Review Board to investigate private sector incidents. I predict that the Board will need (and will get) subpoena power soon. Neither Brandon nor Jen takes the other side of that bet.

In the news, we get an update on the Colonial Pipeline ransomware attack from Nick Weaver and first-time news panelist Betsy Cooper. Colonial has paid $5 million in ransom for a bad decryption tool and restarted operations anyway. Since it's likely to end up as the second test case for the Cyber Security Review Board, though, Colonial's biggest regret may be waiting five days to start sharing information with CISA.

Maury Shenk explains the 200-page Irish High Court decision allowing the Irish data protection regulator to begin an inquiry that could cut off Facebook's data exports to the United States. Facebook would love to forestall that day until EU-US talks on a new data export deal are done, but the Biden administration isn't exactly making it a priority to bail out either Facebook or the US intelligence community, which has as much at stake in transatlantic data flows as the companies.

One of the puzzles of recent weeks has been a persistent but vague story that DHS wants more authority to gather information from public postings on social media. Nick, Betsy, and I try to make sense of the story, and we're not helped by the fact that much of the media and politicians have switched from condemning such intelligence operations to demanding them, and vice versa, in the weeks since the Trump administration ended.

Nick can't resist a story that leaves both bitcoin and Tor looking bad, so of course we cover the boom in Tor exit nodes configured to steal the cryptocurrency of Tor users.

Betsy covers the unanimous view of chip making and chip consuming companies that the federal government should subsidize chip making in the US. Industrial policy is making a comeback, we note, but Betsy reminds us there's a reason it went away: *cough*Solyndra*cough*

Betsy seizes on the latest WhatsApp tactic to lament the willingness of data-driven tech companies to annoy us into submission.

Nick and I cross swords over Apple's firing of Antonio García Martínez, author of Chaos Monkeys, in my view one of the funniest and most insightful Silicon Valley books of the last decade. Part of its appeal is Garcia Martinez's relentless burning of every bridge in his past business and personal life.  How, you keep asking, can he recover from telling all those truths about Morgan Stanley, Facebook, Y Combinator, and the adtech business? Turns out, he can't. But it wasn't any of those supposedly potent institutions that nailed him. Instead, it was his claim that the women of Silicon Valley are mostly "soft and weak, cosseted and naïve" and possessed of a "self-regarding entitlement feminism."

That's all it took. Apple employees demanded that they be protected from anyone with those views, and he was summarily fired.  Way to go, Apple employees!  Nothing rebuts a stereotype of female soft weakness and entitlement like demanding to be protected from someone who doesn't share your feminist entitlement. (Nick, in contrast, thinks Garcia Martinez is a walking sexual harassment judgment. He didn't like the book either.) I actually think the more interesting question is whether hiring Garcia Martinez shows just how determined Apple is to replace Facebook as Google's main competition in the business of collecting customer data to sell ads.

In quick hits, I revisit the Bezos camp's claim that a Saudi prince hacked Jeff Bezos's phone and turned his unexpurgated selfies over to the National Enquirer in order to suppress Washington Post publicity over the killing of Jamal Khashoggi. That was all BS, it turns out, apparently designed to turn Bezos from an ordinary tawdry adulterer into a press freedom crusader.

And Nick draws our attention to Counterfit, a promising Microsoft tool for testing AI algorithms to find security flaws.

And More!

Download the 362nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Bruce Schneier joins us to talk about AI hacking in all its forms. He’s particularly interested in ways AI will hack humans, essentially preying on the rough rules of thumb programmed into our wetware – that big-eyed, big-headed little beings are cute and need to have their demands met or that intimate confidences should be reciprocated. AI may not even know what it’s doing, since machines are famous for doing what works unless there’s a rule against it.  Bruce is particularly interested in law-hacking – finding and exploiting unintended consequences buried in the rules in the U.S. Code. If any part of that code will lend itself to AI hacking, Bruce thinks, it’s the tax code (insert your favorite tax lawyer joke here). It’s a bracing view of a possible near-term future.

In the news, Nick Weaver and I dig into the Colonial Pipeline ransomware attack and what it could mean for more aggressive cybersecurity measures than the Biden administration was contemplating just last week as it was pulling together an executive order that focused heavily on regulating government contractors.

Nate Jones and Nick examine the stalking flap that is casting a cloud over Apple’s introduction of AirTags.

Michael Weiner takes us on a quick tour of all the pending U.S. government antitrust lawsuits and investigations against Big Tech. What’s striking to me is how much difference there is in the stakes (and perhaps the prospects for success) depending on the company in the dock. Facebook faces a serious challenge but has a lot of defenses. Amazon and Apple are being attacked on profitable but essentially peripheral business lines. And Google is staring at existential threats aimed squarely at its core business.

Nate and I mull over the Russian proposal for a UN cybercrime proposal. It's bound to be a bad idea. The good news is that stopping progress in the UN is usually even easier than stopping progress in Washington.

Nate and I also puzzle over ambiguous leaks about what DHS wants to do with private firms as it tries to monitor extremist chatter online. My guess: This is mostly about wanting the benefit of anonymity or a fake persona while monitoring public speech.

Next, Michael takes us into the battle between Apple and Fortnite over whether Fortnite can access to the app store without paying the 30% cut demanded by Apple. Michael thinks we’ve mostly seen the equivalent of trash talk at the weigh-in so far, and the real heavyweight fight will begin with the economists’ testimony this week.

Nick indulges a little trash talk of his own about the claim that Apple’s app review process provides a serious benefit to users, citing among other things the litigation-driven disclosure that Apple never sent emails to users of the 125 million buggered apps it discovered a few years back.

Nick and I try to make sense of stories that federal prosecutors in 2020 sought phone records for three Washington Post journalists -- as part of an investigation into the publication of classified information that occurred in 2017. 

I touch quickly on the Facebook Oversight Board’s review of the suspension of President Trump’s account.  To my mind, a telling (and discrediting) portion of the opinion reveals that some board members thought that international human rights law required more limits on Trump’s speech – and they chose to base that on the silly notion that it's racist to call the coronavirus a Chinese virus. Put aside all the "British" and "South African" and "Indian" variants that no one is apologizing for, anyone who has read Nicholas Wade’s careful article knows that there’s lots of evidence the virus leaked from the Wuhan virology lab. Which means that if any virus in the last hundred years deserves to be named for its point of origin, this is it. Nick disagrees.

Nate previews an ambitious task force plan on tackling ransomware. We’ll be having the authors on the podcast soon to dig deeper into its nearly 50 recommendations.

Signal is emerging a Corporate Troll of the Year, if not the decade. Nick explains how, fresh from trolling Cellebrite, Signal took on Facebook by creating a bevy of personalized Instagram ads that take personalization to the Next Level.

Years after the fact, the New York Attorney General has caught up with the three firms that generated fake comments supporting the FCC’s net neutrality rollback. They’ll be paying fines. But I can’t help wondering why anyone ever though it was useful to evaluate proposed rules by counting the number of postcards and emails that shout “yes” or “no” but offer no analysis.

Download the 361st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview is with Kevin Roose, author of Futureproof: 9 Rules for Humans in the Age of Automation. Kevin debunks most of the comforting stories we use to anaesthetize ourselves to the danger that artificial intelligence and digitization pose to our jobs. Luckily, he also offers some practical and very personal ideas for how to avoid being caught in the oncoming robot apocalypse.

 In the news roundup, Dmitri Alperovich and I take a few moments to honor Dan Kaminsky, an extraordinary internet security and even more extraordinarily decent man. He died too young, at 42, as Nicole Perlroth demonstrates in one of her career-best articles. 

 Maury Shenk and Mark MacCarthy lay out the EU’s plan to charge Apple with anti-competitive behaviour in running its app store. Under regulation-friendly EU competition law, rather than the more austere US version, it sure looks as though Apple is going to have trouble escaping unscathed. 

 Mark and I duke it out over Gov. DeSantis’s Florida bill on content moderation reform. We agree that it will be challenged as a violation of the First Amendment and as preempted by federal section 230. Mark thinks it will fail that test. I don’t, especially if the challenge ends up in the Supreme Court, where Justice Thomas at least has already put out the “Welcome” mat.  

 Dmitri and I puzzle over the statement by top White House cyber official Anne Neuberger that the US reprisals against Russia are so far not enough to deter further cyberattacks.  We decide it’s a “Kinsley gaffe” – where a top official inadvertently utters an inconvenient truth.

 This Week in Information Operations: Maury explains that China may be hyping America’s racial tensions not as a tactic to divide us but simply because it’s an irresistible comeback to US criticisms or Chinese treatment of ethnic minorities. And Dmitri explains why we shouldn’t be surprised at Russia’s integrated use of hacking and propaganda. The real question is why the US has been so bad at the same work.

 In shorter pieces:

•  Mark covers the slooow rollout of an EU law forcing one-hour takedowns of terrorist content.
•  Dmitri tells us about the evolution of ransomware into full service doxtortion, as sensitive files of the D.C. Police Department are leaked online 
•  Dmitri also notes the inevitability of more mobile phone adtech tracking scandals, such as the compromise of US military operations  
•  Maury and I discuss the extent to which China’s internet giants find themselves competing, not for consumers, but for government favor, as China uses antitrust law to cement its control of the tech sector 
•  Finally, Dmitri and I unpack the latest delay in DOD’s effort to achieve cybersecurity maturity through regulatory-style compliance, an effort Dmitri believes is doomed 

And more!

Download the 360th Episode (mp3) 

 You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Brian Egan hosts this episode of the podcast, as Stewart Baker is hiking the wilds of New Hampshire with family. Nick Weaver joins the podcast to discuss the week in ransomware, as DOJ gets serious, and the gangs do too. Justice has a new ransomware task force,  and the gangs have asked  for $50 million not to disclose Apple product plans compromised during a breach of Quanta.

Paul Hughes gives us details on the EU's proposal for regulating the deployment of artificial intelligence and facial recognition technology. Brian compares the EU work to the FTC's own principles for achieving truth and fairness while using AI.

Nick finds a lot to like in Sen. Wyden's 'Fourth Amendment Is Not For Sale Act,' which would ban Clearview and government purchases of location data without a warrant.

Brian summarizes the Biden administration's series of cyber initiatives for critical infrastructure sectors. Nick can't resist the high-grade trolling on display in the squabble between Signal and Cellebrite. Brian evaluates the administration's sanctions on Russia for, among other things, the SolarWinds hack.

And Nick covers the ultimate consumer supply chain attack ultimate consumer supply chain attack -- on password managers. Nick's advice: "Amateurs keep their passwords in their drawers. Pros keep their passwords in their wallets."

Download the 359th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview is with Mark Montgomery and John Costello, both staff to the Cyberspace Solarium Commission.  The Commission, which issued its main report more than a year ago, is swinging through the pitch, following up with new white papers, draft legislative language, and enthusiastic advocacy for its legislative recommendations, many of which were adopted last year. That makes it the most successful of the many cybersecurity commissions that have come and gone in Washington. And it's not done yet. Mark and John review several of the most important legislative proposals the Commission will be pursuing this year. I don't agree with all of them, but they are all serious ideas and it's a good bet that a dozen or more could be adopted in this Congress.

In the news roundup, David Kris and I cover the FBI's use of a single search warrant to remove a large number of web shells from computers infected by China's irresponsible use of its access to Microsoft Exchange. Deploying a search warrant (or, more accurately, a seizure warrant)requires a far-reaching interpretation of federal criminal Rule 41. But despite valiant efforts, David is unable to disagree with my earlier expressed view that the tactic is lawful.

Brian Egan outlines what's new in the Biden administration's sanctions on Russia for its SolarWinds exploits. The short version: While some of the sanctions break new ground, as with the restrictions on Russian bonds, they do so cautiously.

Paul Rosenzweig, back from Costa Rica, unpacks a hacking story that has everything – terrorism, the FBI, Apple, private sector hacking, and litigation. Short version: we now know the private firm that saved Apple from being ordered to hack its own phone. The hacking was done instead by an Australian firm named Azimuth that apparently only works for democratic governments but that is nonetheless caught up in Apple's bully-the-cybersecurity-researchers litigation campaign.

Gus Hurwitz talks to us about the seamy side of content moderation (or at least one seamy side) – the fight against "coordinated inauthentic behaviour."  

In quicker takes, Paul gives us a master class in how to read the intel community's Annual Threat Assessment.  David highlights what may be the next Chinese  telecom manufacturing target, at least for the GOP. I highlight the groundbreaking financial industry breach notification rule that has now finished the comment period and is moving toward adoption. And Gus summarizes the state of Silicon Valley antitrust legislation:  Everyone has a bill, so no one is likely to get a bill.

Download the 358th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

I've been warning for years about how social media suppresses views that aren't popular in Silicon Valley. Until recently, though, I hadn't found myself on the receiving end of its power.  Now I have. So this take on Silicon Valley speech suppression is more personal than usual.

Let's start with the Hunter Biden laptop story.

I know. You're probably already scoffing. Certainly my mostly liberal (and even some conservative) friends are convinced the whole thing is bogus, of interest only to denizens of the Trump fever swamp.  They remember that the laptop was never verified, that it was widely suspected of being a product of Russian hacking and disinformation, and even if true, that it was simply a wallow in Hunter Biden's many personal failings that told us nothing about his father's fitness for office.

Most of those widespread views are wrong. They are contradicted by a long and detailed story in the UK's Daily Mail. The "Russian disinformation" claim never stood up to much scrutiny, consisting as it did mainly of assertions that faking a laptop was the kind of thing the Russians would do. Now, however, the Daily Mail has validated the laptop and its contents, both obtaining a former FBI agent's forensic judgment and conducting a detailed examination of the laptop's contents. The sheer volume of material makes it highly unlikely that the laptop itself was a fabrication. There are 103,000 text messages, including many intimate (and heart-breaking) father-son exchanges, 154,00 emails, and over 2,000 photos, including numerous nude or sexual pictures of Biden and others. (That leaves open the possibility that someone, perhaps even Russian intelligence, might have added a few fake documents to the real ones – a possibility that would seem to call for detailed examination of the laptop's contents, something no mainstream media outlet has deigned to conduct.)

As for its relevance to President Biden's fitness, earlier reporting disclosed correspondence suggesting that Hunter's unsavory businesses exploited or even benefited his father. And the Daily Mail claims that Hunter was getting some form of Secret Service protection long after the agency claimed to have ended its work for the Biden family. Maybe these stories will fall apart on examination, but there can be little doubt that they deserve investigation. And little doubt that such an investigation could have influenced the 2020 election campaign, when the laptop first surfaced.

What the laptop story got was the opposite of examination. Relying on the unsupported "Russian hacking" conspiracy theory, Twitter blocked the New York Post article. Indeed it blocked the New York Post's Twitter account for weeks because the Post refused to retract its original tweet about the story. Facebook also limited distribution of the story. The threat was clear enough. Even an established media outlet could lose reach and ad revenue if it reported on the story.  And the threat worked; no mainstream publication followed up on the Post article, except for a New York Times article that put the knife in by reporting on controversy over the story's publication in the Post newsroom. When the story came up during the Presidential debates, candidate Biden was able to dismiss it unchallenged as "a Russian plan [and] a bunch of garbage."

To my mind, this treatment of the Biden laptop story tells us a lot about the role that Silicon Valley intends to play in future elections. Companies like Twitter were so fearful of a second Trump victory that they seized on a dubious hacking claim to suppress the story. That act of censorship may well have changed the outcome of the election. So when the Daily Mail showed that the hacking excuse for suppressing the story was specious, I posted a link to the Daily Mail story on Twitter and Linkedin, with this introduction:

"The social media giants that won't let you say the 2020 election was rigged are the people who did their best to rig it: Hunter Biden laptop was genuine and scandalous - Daily Mail"

Linkedin (but not Twitter) decided that I couldn't say that. It sent me this message:

This is a forbidding message, as it's intended to be. If you follow the "Learn more" link you eventually come to the standards for restricting or removing accounts, which tells you, "If we determine that an account, or content posted to that account, violates the Professional Community Policies or the User Agreement, we may remove the content or place a restriction on your account. Depending on the severity of the violation, your account may be restricted indefinitely." (Emphasis added). In short, Linkedin was telling me that it might lock me out of its service if I repeated my offense.

The Linkedin message worried me.  I've got more than 5000 contacts on Linkedin, and I use it in business almost every day. Losing my account would be a blow.

Nonetheless. I hadn't been bullied by such a clueless authoritarian since high school. So instead of moving on to some less fraught topic I doubled down, posting five variants of my original post. The idea was to see exactly what it was about my original post that triggered Linkedin's antibodies. I began by simply posting "The straight news version: The Hunter Biden laptop was genuine and scandalous, according to the Daily Mail." Then I added a link to the Daily Mail story. Then I added commentary: "Social media suppressed the Hunter Biden laptop story in the middle of the 2020 election campaign. Now we know that the story they suppressed was true." In the fifth post, I was more pointed: "Social media won't let you talk about election interference in 2020. Maybe that's because it was social media that interfered in the election by suppressing a true story that would have hurt Joe Biden." And, finally, I reposted the original, which said the same thing as the fifth, but talked about "rigging" rather than "interfering with" the election.

I thought there was a real possibility that Linkedin would deplatform me for the same reason the vice principal used to discipline me in high school – my palpable lack of respect for authority. But it was a risk I was willing to take in the name of science – trying to figure out exactly what triggered Linkedin's content suppression machinery. To cut to the chase, Linkedin left up all of my posts except the one that repeated the original post. That came down, and I again was warned about Linkedin's professional standards.

What did I learn? First, I am grateful to Linkedin for a chance to recapture my youth, if only for a few hours. Second, Linkedin and its corporate parent, Microsoft, has some explaining to do. (Brad Smith, I'm talking to you.) The most charitable assessment of its policy is that it adopted a lame algorithm that suppresses claims of election rigging of any kind, no matter whether they are charges that Venezuela tampered with our voting machines or arguments that Silicon Valley used its platform power to defeat Trump. The scariest possibility is that, having first joined in suppressing stories that hurt Biden in 2020, Linkedin is now suppressing stories that criticize its role in suppressing stories that hurt Biden.

I'm guessing that a lame algorithm is the real culprit.  But frankly, I and anyone else censored by Linkedin deserves to know how that happened. That's why we need laws requiring social media to provide far more transparency and better appeal procedures when they suppress content. But such laws alone do not seem adequate to the threat.

To be clear, Linkedin, or some algorithm, or some contract employee in Arizona or the Philippines, decided that there were some views about an American Presidential election that I could not express, even to my friends. Really? That's the real offense to American free speech values. Linkedin added insult to injury when it failed to say why it didn't like my speech, but that insult carried an injury of its own: It chilled (or tried to) anything I might say in future on that topic. A prudent man wouldn't have put up any of my followon posts.

That chilling effect probably helps explain why no American media did a story on the Biden laptop after Twitter took down the Post's coverage. Even a reporter or newspaper who thinks there could be a great story in the laptop had to ask what would happen once the story went on line. If Twitter, Facebook, and YouTube suppressed it, the story would go from bombshell to bomb. It would get no reach and attract no ads. The ambiguity raises the already high cost of doing investigative journalism on this topic.

Such suppression is a recent phenomenon, less than ten years old, but Silicon Valley is not done yet.  One of my rules about the Valley is "You won't know how evil a technology can be until the engineers who maintain it begin to fear for their jobs."

Right now, social media is printing money. No one fears for their jobs, or even their yachts. But if the move to rein in social media really gathers steam, I'm confident the content suppression tools that protected Joe Biden will be used with even more enthusiasm to protect Silicon Valley itself.

Of course, at that point it will be foolish to complain. No one will hear you anyway.